apparmor module is loaded.    good news !
38 profiles are loaded.
21 profiles are in enforce mode.
   list of loaded profiles in enforce mode
17 profiles are in complain mode.
   list of loaded profiles in complain mode
7 processes have profiles defined.
0 processes are in enforce mode.
   list of processes in enforce mode
7 processes are in complain mode.
   list of processes in complain mode
0 processes are unconfined but have a profile defined.

AppArmor is a security framework that prevents applications from turning evil. For example: if I run Firefox and visit a bad site that tries to install malware that will delete my home folder, AppArmor places limits on Firefox, preventing it from doing anything I don't want (like accessing my music, documents, etc.). This way, even if your application is compromised, no harm can be done.
AppArmor is a Mandatory Access Control (MAC) system. It uses Linux Security Modules (LSM) kernel enhancements to restrict programs to certain resources. AppArmor does this with profiles loaded into the kernel when the system starts. AppArmor has two types of profile modes :
AppArmor is offered in part as an alternative to SELinux, which critics consider difficult for administrators to set up and maintain.

apparmor: /usr/sbin/aa-status
apparmor: /usr/sbin/apparmor_status

-rwxr-xr-x 1 root root 8839 Mar 30  2019 /usr/sbin/aa-status
lrwxrwxrwx 1 root root    9 Mar 30  2019 /usr/sbin/apparmor_status -> aa-status

install stuff :
apt install apparmor apparmor-utils apparmor-profiles-extra apparmor-notify

enable AppArmor (not required on Debian 10 "Buster" since it's already enabled by default) :
sudo mkdir -p /etc/default/grub.d
echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' | sudo tee /etc/default/grub.d/apparmor.cfg
sudo update-grub
    Generating grub configuration file ...
    Found background image: /usr/share/images/desktop-base/desktop-grub.png
    Found linux image: /boot/vmlinuz-4.19.0-5-amd64
    Found initrd image: /boot/initrd.img-4.19.0-5-amd64
    Found linux image: /boot/vmlinuz-4.19.0-0.bpo.5-amd64
    Found initrd image: /boot/initrd.img-4.19.0-0.bpo.5-amd64
    Found linux image: /boot/vmlinuz-4.17.0-0.bpo.1-amd64
    Found initrd image: /boot/initrd.img-4.17.0-0.bpo.1-amd64
    done
sudo reboot

inspect the current state :
sudo aa-status
    ...
    ...
    ...

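The `aa-status` summary is easy to misread: a profile in complain mode only logs violations, it does not block them. As an added example (not part of the original notes), the script below parses the summary lines and flags that case; the function names `aa_summary` and `aa_check`, the exit codes and the embedded sample are assumptions made here.

```shell
#!/bin/sh
# Added example: audit the summary lines of `aa-status` output.
# aa_summary, aa_check and the exit-code policy are illustrative assumptions.

# Constructed sample reproducing the counts shown in the status output above.
SAMPLE='apparmor module is loaded.
38 profiles are loaded.
21 profiles are in enforce mode.
17 profiles are in complain mode.
7 processes have profiles defined.
0 processes are in enforce mode.
7 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# Read aa-status text on stdin; print the counts as key=value pairs.
# Indented profile/process names never match: count lines start with a digit.
aa_summary() {
    awk '
        /module is loaded/                       { loaded = 1 }
        /^[0-9]+ profiles are in enforce mode/   { pe = $1 }
        /^[0-9]+ profiles are in complain mode/  { pc = $1 }
        /^[0-9]+ processes are in enforce mode/  { xe = $1 }
        /^[0-9]+ processes are in complain mode/ { xc = $1 }
        /^[0-9]+ processes are unconfined/       { xu = $1 }
        END {
            printf "loaded=%d profiles_enforce=%d profiles_complain=%d ", loaded, pe, pc
            printf "procs_enforce=%d procs_complain=%d procs_unconfined=%d\n", xe, xc, xu
        }'
}

# Exit 0: every profiled process is enforced. Exit 2: some are only in
# complain mode. Exit 1: module missing or a profiled process is unconfined.
aa_check() {
    aa_summary | awk '{
        for (i = 1; i <= NF; i++) { split($i, kv, "="); v[kv[1]] = kv[2] + 0 }
        if (!v["loaded"]) { print "FAIL: AppArmor module is not loaded"; exit 1 }
        if (v["procs_unconfined"]) {
            print "FAIL: " v["procs_unconfined"] " profiled processes are unconfined"; exit 1 }
        if (v["procs_complain"]) {
            print "WARN: " v["procs_complain"] " processes in complain mode (logged, not blocked)"; exit 2 }
        print "OK: all profiled processes are in enforce mode"
    }'
}

# Live use: sudo aa-status | aa_check
printf '%s\n' "$SAMPLE" | aa_check || true
```
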
apt install apparmor-profiles
dpkg -L apparmor-profiles
    /etc/apparmor.d/apache2.d
    /etc/apparmor.d/apache2.d/phpsysinfo
    /etc/apparmor.d/bin.ping
    /etc/apparmor.d/local
    /etc/apparmor.d/sbin.klogd
    /etc/apparmor.d/sbin.syslog-ng
    /etc/apparmor.d/sbin.syslogd
    /etc/apparmor.d/usr.sbin.avahi-daemon
    /etc/apparmor.d/usr.sbin.dnsmasq
    /etc/apparmor.d/usr.sbin.identd
    /etc/apparmor.d/usr.sbin.mdnsd
    /etc/apparmor.d/usr.sbin.nmbd
    /etc/apparmor.d/usr.sbin.nscd
    /etc/apparmor.d/usr.sbin.smbd
    /etc/apparmor.d/usr.sbin.smbldap-useradd
    /etc/apparmor.d/usr.sbin.traceroute

add a Firefox profile :
-----------------------
emacs /etc/apparmor.d/usr.bin.firefox
    https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/vivid/firefox/vivid/view/head:/debian/usr.bin.firefox.apparmor.10.04
    http://manpages.ubuntu.com/manpages/trusty/man8/apparmor_parser.8.html
apparmor_parser -p /etc/apparmor.d/usr.bin.firefox
apparmor_parser -a /etc/apparmor.d/usr.bin.firefox
    ⇒ OK

Creating a new profile
----------------------
https://help.ubuntu.com/community/AppArmor#Creating_a_new_profile
https://la-samhna.de/library/apparmor.html