AppArmor - your "Application Armor"


AppArmor : how to customize / update a profile ?


AppArmor : how to get a status on blocked accesses (aka enforced rules) ?

Use the built-in tool (as root) :
	aa-status
		apparmor module is loaded.					⇐ good news !
		38 profiles are loaded.
		21 profiles are in enforce mode.
			(list of loaded profiles in enforce mode)
		17 profiles are in complain mode.
			(list of loaded profiles in complain mode)
		7 processes have profiles defined.
		0 processes are in enforce mode.
			(list of processes in enforce mode)
		7 processes are in complain mode.
			(list of processes in complain mode)
		0 processes are unconfined but have a profile defined.

Other methods :

  • ps auxZ | grep -v '^unconfined'
    unconfined means : neither in enforce nor in complain mode

AppArmor : how to toggle a profile into complain / enforce mode ?

Into complain mode :

  • sudo aa-complain /path/to/bin
  • as root : aa-complain $(which smbd)

Into enforce mode :

  • sudo aa-enforce /path/to/bin
  • as root : aa-enforce $(which smbd)


Description (sources : 1, 2) :

AppArmor is a security framework that prevents applications from turning evil. For example : if I run Firefox and visit a bad site that tries to install malware that will delete my home folder, AppArmor has limits on Firefox, preventing it from doing anything I don't want (like accessing my music, documents, etc.). This way, even if your application is compromised, no harm can be done.

AppArmor is a MAC (Mandatory Access Control) system. It uses LSM (Linux Security Modules) kernel enhancements to restrict programs to certain resources. AppArmor does this with profiles loaded into the kernel when the system starts. AppArmor has two types of profile modes :

  • complain mode : profiles in complain mode don't enforce any of the profile's rules, they just log violation attempts
  • enforce mode : profiles in enforce mode enforce the profile's rules and report violation attempts in syslog or auditd
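As an added example (not from the original page or the AppArmor project), here is a POSIX shell script that turns the violation attempts mentioned above into the "status on blocked accesses" asked for earlier : enforce-mode blocks are logged as apparmor="DENIED", complain-mode profiles log the same events as apparmor="ALLOWED". The log lines are constructed, and the names aa_summary, aa_count and aa_make_sample are mine.

```shell
#!/bin/sh
# Added example (not from the original page): summarise AppArmor events in a
# kernel/syslog dump. Enforce-mode profiles log blocks as apparmor="DENIED";
# complain-mode profiles log the same events as apparmor="ALLOWED", which is
# how you preview what aa-enforce would start blocking.

# Print one line per distinct event, most frequent first:
#   count  verdict  profile  operation  name  denied_mask   ("-" when a field is absent)
aa_summary() {   # usage: aa_summary LOGFILE
    awk '
    function field(line, key,    m) {   # value of key="..." on the line, or "-"
        if (match(line, " " key "=\"[^\"]*\"")) {
            m = substr(line, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
            return m
        }
        return "-"
    }
    /apparmor="(DENIED|ALLOWED)"/ {
        k = field($0, "apparmor") "\t" field($0, "profile") "\t" field($0, "operation") \
            "\t" field($0, "name") "\t" field($0, "denied_mask")
        n[k]++
    }
    END { for (k in n) printf "%d\t%s\n", n[k], k }' "$1" | sort -rn
}

# Count events carrying a given verdict (DENIED, ALLOWED, STATUS) in LOGFILE.
aa_count() {     # usage: aa_count VERDICT LOGFILE
    awk -v v="apparmor=\"$1\"" 'index($0, v) { c++ } END { print c + 0 }' "$2"
}

# Write a constructed sample log (not captured from a real system) to FILE:
# a Firefox profile in enforce mode blocking two reads of the user's music,
# and an smbd profile in complain mode recording what enforce mode would block.
aa_make_sample() {
    cat > "$1" <<'EOF'
kernel: audit: type=1400 audit(1600000000.100:101): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/home/user/Music/a.mp3" pid=1234 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1600000000.200:102): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/home/user/Music/a.mp3" pid=1234 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1600000000.300:103): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/home/user/Documents/notes.txt" pid=2345 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
kernel: audit: type=1400 audit(1600000000.400:104): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/smbd" pid=2345 comm="smbd" capability=12 capname="net_admin"
kernel: audit: type=1400 audit(1600000000.500:105): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/smbd" pid=999 comm="apparmor_parser"
EOF
}

AA_SAMPLE_LOG=$(mktemp)
aa_make_sample "$AA_SAMPLE_LOG"
aa_summary "$AA_SAMPLE_LOG"
rm -f "$AA_SAMPLE_LOG"
```

On a real host, point aa_summary at a saved kernel log (for instance the output of journalctl -k redirected to a file); STATUS lines from profile loads are deliberately left out of the summary.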

AppArmor is offered in part as an alternative to SELinux, which critics consider difficult for administrators to set up and maintain.

Setup (source) :

aa-status vs apparmor_status : same tool, apparmor_status is just a symlink to aa-status :
	dpkg -S $(which aa-status) $(which apparmor_status)
		apparmor: /usr/sbin/aa-status
		apparmor: /usr/sbin/apparmor_status
	ls -l /usr/sbin/aa-status /usr/sbin/apparmor_status
		-rwxr-xr-x 1 root root 8839 Mar 30  2019 /usr/sbin/aa-status
		lrwxrwxrwx 1 root root    9 Mar 30  2019 /usr/sbin/apparmor_status -> aa-status
install stuff :
	apt install apparmor apparmor-utils apparmor-profiles-extra apparmor-notify

enable AppArmor (not required on Debian 10 "Buster" since it's already enabled by default) :
	sudo mkdir -p /etc/default/grub.d
	echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' | sudo tee /etc/default/grub.d/apparmor.cfg
	sudo update-grub
		Generating grub configuration file ...
		Found background image: /usr/share/images/desktop-base/desktop-grub.png
		Found linux image: /boot/vmlinuz-4.19.0-5-amd64
		Found initrd image: /boot/initrd.img-4.19.0-5-amd64
		Found linux image: /boot/vmlinuz-4.19.0-0.bpo.5-amd64
		Found initrd image: /boot/initrd.img-4.19.0-0.bpo.5-amd64
		Found linux image: /boot/vmlinuz-4.17.0-0.bpo.1-amd64
		Found initrd image: /boot/initrd.img-4.17.0-0.bpo.1-amd64
	sudo reboot

inspect the current state :
	sudo aa-status

Extra profiles :

	apt install apparmor-profiles
	dpkg -L apparmor-profiles

add a Firefox profile :
	emacs /etc/apparmor.d/usr.bin.firefox
	apparmor_parser -p /etc/apparmor.d/usr.bin.firefox		preprocess only : dumps the parsed profile to stdout, nothing is loaded (syntax check)
	apparmor_parser -a /etc/apparmor.d/usr.bin.firefox		add : load the new profile into the kernel
		⇒ OK

Creating a new profile