Paranoid Penguin - An Introduction to Novell AppArmor

Who says “easy-to-use mandatory access controls” is a contradiction in terms?
Getting Started with AppArmor

Although AppArmor's open-source license hopefully will lead to ports on other Linux distributions, for the time being AppArmor is available only for SUSE Linux and SUSE Linux Enterprise. The rest of this article, therefore, is necessarily specific to SUSE. I'm scratching only the surface here. For detailed information on how to configure and use AppArmor, see the AppArmor Admin Guide Using Yast, whose path is /usr/share/doc/packages/subdomain-docs/ug_apparmor.pdf, provided you've installed SUSE's subdomain-docs package.

Note: prior to being acquired by Novell, AppArmor previously was called Immunix SubDomain. Many of AppArmor's filenames and package names still include the word subdomain.

AppArmor has its own YaST module, called Novell AppArmor (Figure 1). As you can see, most of the applets in this module deal with creating and managing AppArmor Profiles. Each application protected (confined) by AppArmor must have its own AppArmor profile. Profiles can be created manually or by using the Add Profile and Update Profile Wizards or with the Manually Add Profile applet.

Figure 1. YaST's Novell AppArmor Module

The AppArmor control panel is used to enable and disable AppArmor and to enable, configure and disable AppArmor security event notification. Important note: any time you enable AppArmor manually, you must restart every AppArmor-protected application (simply rebooting is your safest bet). A profile is attached to a process when that process is executed, so an application must start while AppArmor is already running in order to benefit from its protection; anything that was already running keeps running unconfined. You can check a particular process by reading /proc/<pid>/attr/current, which shows either the name of the profile confining it or unconfined. Obviously, if AppArmor is enabled at boot time, you don't need to worry about this.

Two types of applications are particularly important to protect: programs that run setuid root (that is, run with root's privileges) and network applications. AppArmor comes preconfigured with profiles for a variety of setuid-root programs and network applications, including Apache, ping, Firefox, Opera, Evolution, sshd, ld, Postfix, Squid and Ethereal.

Figure 2 shows the default profile for ping. As you can see, it consists of three kinds of entries: #include statements that pull in the contents of shared profile files (abstractions), access controls on POSIX capabilities (setuid, kill, sys_boot and so forth) and file access controls.

Figure 2. AppArmor Profile for ping
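The same three elements in AppArmor's own profile syntax, as an added example for this article rather than the contents of the screenshot. It is modelled on the stock ping profile that ships with AppArmor and assumes the SUSE layout, with profiles under /etc/apparmor.d and the shared abstractions under /etc/apparmor.d/abstractions:

```apparmor
# /etc/apparmor.d/bin.ping (added example, modelled on the stock profile)
#include <tunables/global>

/bin/ping {
  # 1. Includes: shared rule sets for libc and friends, the console
  #    devices and the name-service files (/etc/hosts, resolv.conf ...).
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  # 2. POSIX capabilities. ping runs setuid root, but inside this profile
  #    it may use only these two: raw sockets for ICMP, and setuid so it
  #    can drop root once the socket is open. kill, sys_boot and the rest
  #    of root's capabilities stay denied.
  capability net_raw,
  capability setuid,

  # 3. File rules. m = map as executable, i = inherit this profile on
  #    exec, x = execute, r = read. Nothing else on the filesystem is
  #    reachable, which is the whole point for a setuid-root binary.
  /bin/ping mixr,
  /etc/modules.conf r,
}
```

Each rule ends in a comma, the path on the first line of the block is what the profile attaches to, and a denied access is logged rather than silently dropped, which is what the Update Profile Wizard later feeds on.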

There's actually a fourth element that Web server profiles may contain—hat definitions. Figure 3 shows part of the profile for httpd2 (Apache 2). The entries at the top of the profile that begin [+] are hats. A hat is simply an embedded profile, a sub-profile, if you will. Only profiles for hat-aware applications can have hats, and even at that, you must have SUSE's libimmunix and mod-change-hat packages installed for hats to work.

Figure 3. AppArmor Profile for httpd2

The most common use of hats is for Web applications that Apache runs but that are not themselves part of the httpd dæmon. Figure 4 shows the contents of just such a hat, corresponding to a guestbook application on my Web server. The index.php script referenced in Figure 4 mainly needs read access to some files, but it also needs both read and write access to the guestbook file itself and to Apache's access log (access_log).

Figure 4. Contents of gb Hat
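What that hat looks like in profile syntax, as an added example for this article (it is not the text of Figure 3 or 4). The parent profile is reduced to a few representative rules, the document root and log paths follow SUSE's defaults, and the name of the guestbook file is assumed; the example also assumes mod-change-hat has been configured to select the hat named gb for requests to the guestbook's location:

```apparmor
# Excerpt of /etc/apparmor.d/usr.sbin.httpd2-prefork (added example; paths assumed)
#include <tunables/global>

/usr/sbin/httpd2-prefork {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability setuid,
  capability setgid,
  capability net_bind_service,

  # Parent-profile rules for the dæmon itself (the full list is in Figure 3).
  /usr/sbin/httpd2-prefork mr,
  /etc/apache2/** r,
  /srv/www/htdocs/** r,
  /var/log/apache2/* w,

  # Hat for the guestbook. A hat is a separate sub-profile, not an extension
  # of the parent: once the Apache child handling a request has changed into
  # it, only the rules below apply. That is why it repeats the base
  # abstraction and needs its own access_log rule even though the parent
  # already has one.
  ^gb {
    #include <abstractions/base>
    /srv/www/htdocs/gb/index.php r,
    # assumed name for the guestbook data file
    /srv/www/htdocs/gb/guestbook.txt rw,
    /var/log/apache2/access_log w,
  }
}
```

The security payoff is that a bug in index.php lets an attacker read and write the guestbook file and the log, and nothing else, even though the process serving the request is the same httpd2-prefork child that can read everything under /srv/www/htdocs when it is wearing the parent profile.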

If this seems confusing, don't worry. It's seldom necessary to create profiles (let alone hats) manually. On many systems, you won't need to create new profiles at all—periodically running the AppArmor Update Profile Wizard when things don't work as expected may suffice. This wizard scans /var/log/messages for AppArmor-generated error messages and allows you to update the corresponding AppArmor profiles accordingly (either to allow or continue to disallow the event that triggered each error). Where appropriate/applicable, Update Profile Wizard even will create new hats, again assuming you've installed the libimmunix and mod-change-hat packages.
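The first step of that wizard, scanning the log for AppArmor denials and turning them into candidate rules, is easy to illustrate with a short script. This is an added example for this article, not the Update Profile Wizard's own code or anything shipped with SUSE. The two syslog formats it recognises (the REJECTING lines written by the AppArmor of this era and the later apparmor="DENIED" audit style) are assumed from memory and may need adjusting to your kernel, the sample log lines are constructed, and the rules it prints are proposals a human still has to review, exactly as in the wizard:

```python
"""Scan syslog lines for AppArmor denials and propose profile rules.

Added example for this article (not AppArmor or YaST code). Log formats below
are assumed; adjust the regexes if your kernel logs differently.
"""
import re
from collections import defaultdict

# AppArmor 2.0-era syslog lines (format assumed), e.g.
#   audit(...): REJECTING w access to /path (comm(pid) profile /prof active HAT)
# "active" is the hat name, or the profile path again when no hat is active.
OLD_FILE = re.compile(
    r"REJECTING (?P<mask>[a-z]+) access to (?P<path>\S+) "
    r"\(\S+\(\d+\) profile (?P<profile>\S+) active (?P<active>\S+)\)"
)
OLD_CAP = re.compile(
    r"REJECTING access to capability '(?P<cap>\w+)' "
    r"\(\S+\(\d+\) profile (?P<profile>\S+) active (?P<active>\S+)\)"
)
# Later audit-style lines: apparmor="DENIED" key="value" ...; a hat appears as profile//hat.
NEW_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

MASK_ORDER = "rwmlk"  # order in which merged access letters are written back into a rule

# Constructed sample of /var/log/messages (not real log output).
SAMPLE_LOG = """\
Sep 25 14:03:12 www kernel: audit(1159205892.112:8): REJECTING w access to /srv/www/htdocs/gb/guestbook.txt (httpd2-prefork(5412) profile /usr/sbin/httpd2-prefork active gb)
Sep 25 14:03:12 www kernel: audit(1159205892.113:9): REJECTING r access to /srv/www/htdocs/gb/guestbook.txt (httpd2-prefork(5412) profile /usr/sbin/httpd2-prefork active gb)
Sep 25 14:03:13 www kernel: audit(1159205893.005:10): REJECTING w access to /var/log/apache2/access_log (httpd2-prefork(5412) profile /usr/sbin/httpd2-prefork active gb)
Sep 25 14:05:40 www kernel: audit(1159206040.330:11): REJECTING access to capability 'net_raw' (ping(4421) profile /bin/ping active /bin/ping)
Sep 25 14:05:41 www sshd[3310]: Accepted publickey for mick from 10.0.0.5 port 40112 ssh2
Sep 25 14:06:02 www kernel: audit(1159206062.771:13): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd2-prefork//gb" name="/srv/www/htdocs/gb/footer.html" pid=5413 comm="httpd2-prefork" requested_mask="r" denied_mask="r"
"""


def _hat(profile, active):
    """Old format: 'active' repeats the profile path unless a hat is in use."""
    return None if active == profile else active


def parse_denials(lines):
    """Return one dict (profile, hat, kind, name, mask) per AppArmor denial; other lines are skipped."""
    found = []
    for line in lines:
        m = OLD_FILE.search(line)
        if m:
            found.append({"profile": m["profile"], "hat": _hat(m["profile"], m["active"]),
                          "kind": "file", "name": m["path"], "mask": set(m["mask"])})
            continue
        m = OLD_CAP.search(line)
        if m:
            found.append({"profile": m["profile"], "hat": _hat(m["profile"], m["active"]),
                          "kind": "capability", "name": m["cap"], "mask": set()})
            continue
        if 'apparmor="DENIED"' in line:
            kv = {k: (quoted or bare) for k, quoted, bare in NEW_KV.findall(line)}
            profile, _, hat = kv.get("profile", "").partition("//")
            if kv.get("operation") == "capable" and "capname" in kv:
                found.append({"profile": profile, "hat": hat or None,
                              "kind": "capability", "name": kv["capname"], "mask": set()})
            elif "name" in kv:
                mask = kv.get("denied_mask") or kv.get("requested_mask", "")
                found.append({"profile": profile, "hat": hat or None,
                              "kind": "file", "name": kv["name"], "mask": set(mask)})
    return found


def render_mask(letters):
    """Write a merged set of access letters as rule permissions (r, w, m, l, k, then exec)."""
    mask = "".join(c for c in MASK_ORDER if c in letters)
    if "x" in letters:
        mask += "ix"  # assumed default: inherit the profile; the real wizard asks ix/px/ux
    return mask


def propose_rules(denials):
    """Merge denials into one candidate rule per object, grouped by (profile, hat)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["profile"], d["hat"], d["kind"], d["name"])] |= d["mask"]

    def order(item):  # capabilities first, then files, both alphabetical
        profile, hat, kind, name = item[0]
        return (profile, hat or "", kind != "capability", name)

    rules = defaultdict(list)
    for (profile, hat, kind, name), letters in sorted(merged.items(), key=order):
        if kind == "capability":
            rules[(profile, hat)].append(f"capability {name},")
        else:
            rules[(profile, hat)].append(f"{name} {render_mask(letters)},")
    return dict(rules)


def render(rules):
    """Format the proposal so it can be pasted into the profile or its ^hat block."""
    out = []
    for (profile, hat), lines in rules.items():
        where = profile if hat is None else f"{profile}, hat ^{hat}"
        out.append(f"# add to {where}:")
        out.extend(f"  {rule}" for rule in lines)
    return "\n".join(out)


if __name__ == "__main__":
    print(render(propose_rules(parse_denials(SAMPLE_LOG.splitlines()))))
```

Two denials for the same file are merged into one rw rule, the denial that happened inside the gb hat is kept apart from the parent profile's rules, and the sshd line is ignored. Whether to allow each access is the part the script deliberately leaves to you: a REJECTING line for /etc/shadow is evidence of a compromise, not a missing rule.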




Great Article


Thanks for the great information on AppArmor.

help me now


I've posted the series over on my education blog, so commenting is open.