Last updated: 2022-01-18
Introduction
AppArmor is an LSM (Linux Security Module) similar to SELinux.
An LSM is a module inside the Linux kernel that is responsible for security management;
we can use it to implement MAC (mandatory access control).
AppArmor is a tool that implements MAC on a name-based (path-based) basis:
it restricts an application's permissions through path entries and capability entries.
It appeared as early as Ubuntu 7 (turned on by default);
on Debian 7 you have to add apparmor=1 security=apparmor to GRUB_CMDLINE_LINUX before it is enabled.
Home Page: http://wiki.apparmor.net
* AppArmor normalizes path names. It resolves symlinks and considers each hard link as a different access path.
* Deny rules cannot be overridden by an allow rule.
Installation
apt-get install apparmor
- /usr/sbin/aa-status <--- show the current AppArmor status
- /sbin/apparmor_parser <--- load a profile into the kernel
apt-get install apparmor-utils
- /usr/sbin/aa-enforce
- /usr/sbin/aa-update-browser
- /usr/sbin/aa-genprof
- /usr/sbin/aa-unconfined
- /usr/sbin/aa-logprof
- /usr/sbin/aa-exec
- /usr/sbin/aa-decode
- /usr/sbin/aa-disable
- /usr/sbin/aa-audit
- /usr/sbin/aa-autodep
- /usr/sbin/aa-complain
- /usr/bin/aa-easyprof
Profile
apt-get install apparmor-profiles # commonly used profiles
- /etc/apparmor.d/bin.ping
- /etc/apparmor.d/usr.sbin.dnsmasq
- ...
apt-get install apparmor-profiles-extra # not much use
Usage
Enable Apparmor Onboot
vi /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT=" ... apparmor=1 security=apparmor"
update-grub
reboot
Checking
aa-status
apparmor module is loaded.
72 profiles are loaded.
36 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/irssi
   /usr/bin/lxc-start
   ...
Finding processes that are not watched over by a profile
# status: enforced, complain, unconfined
ps xZ | less
LABEL PID TTY STAT TIME COMMAND
unconfined 1 ? Ss 0:05 /sbin/init
...
nmbd (complain) 1318 ? Ss 0:25 /usr/sbin/nmbd --foreground --no-process-group
Or
aa-unconfined
1 /lib/systemd/systemd (/sbin/init) not confined
862 /sbin/rpcbind not confined
1158 /usr/sbin/nmbd confined by 'nmbd (complain)'
1161 /usr/sbin/vsftpd not confined
1201 /usr/sbin/ntpd confined by '/usr/sbin/ntpd (enforce)'
...
Enable in Kernel config parameter
- CONFIG_DEFAULT_SECURITY
- CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE
- CONFIG_DEFAULT_SECURITY_APPARMOR
Compiling the Kernel with Apparmor
CONFIG_SECURITY_APPARMOR=y
CONFIG_AUDIT=y
Apparmor as the default security module
grep CONFIG_DEFAULT_SECURITY= /boot/config-*
CONFIG_DEFAULT_SECURITY="apparmor"
OR
CONFIG_DEFAULT_SECURITY="selinux"
# AppArmor to be enabled or disabled at boot.
grep CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE /boot/config-*
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
grep CONFIG_DEFAULT_SECURITY_APPARMOR /boot/config-*
CONFIG_DEFAULT_SECURITY_APPARMOR=y
LSM
# A list of the active security modules
# The capability module will always be first, followed by any "minor" modules (e.g. Yama) and then
# the one "major" module (e.g. SELinux) if there is one configured.
cat /sys/kernel/security/lsm
capability,yama,apparmor
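Added example (not from the original page): a small shell check that reads the same files the grep commands above look at and reports whether AppArmor is both compiled in and the active "major" LSM. The file paths are parameters so the function can also be pointed at saved copies; the defaults are the live kernel's files, and the function name is my own.

```sh
#!/bin/sh
# aa_kernel_check [CONFIG] [LSM_FILE] [ENABLED_FILE]: report whether AppArmor is
# compiled in and is the active "major" LSM. Defaults are the live kernel's files;
# the paths are parameters so saved copies can be checked too. Exit status is 0
# only when every FAIL check passes (the warn check does not affect it).
aa_kernel_check() {
    config=${1:-/boot/config-$(uname -r)}                  # kernel build options
    lsm=${2:-/sys/kernel/security/lsm}                     # active LSMs (securityfs)
    enabled=${3:-/sys/module/apparmor/parameters/enabled}  # "Y" when AppArmor is on
    rc=0
    if grep -qx 'CONFIG_SECURITY_APPARMOR=y' "$config" 2>/dev/null; then
        echo "ok    CONFIG_SECURITY_APPARMOR=y"
    else
        echo "FAIL  AppArmor is not built into this kernel (checked $config)"
        rc=1
    fi
    # Older kernels pick the major LSM with CONFIG_DEFAULT_SECURITY; newer ones
    # use CONFIG_LSM. Either can be overridden at boot with security=apparmor.
    if grep -qx 'CONFIG_DEFAULT_SECURITY="apparmor"' "$config" 2>/dev/null; then
        echo "ok    CONFIG_DEFAULT_SECURITY=\"apparmor\""
    else
        echo "warn  apparmor is not the compiled-in default LSM; boot with security=apparmor"
    fi
    if tr ',' '\n' 2>/dev/null < "$lsm" | grep -qx apparmor; then
        echo "ok    apparmor is in the active LSM list"
    else
        echo "FAIL  apparmor is not in the active LSM list ($lsm)"
        rc=1
    fi
    if [ "$(cat "$enabled" 2>/dev/null)" = Y ]; then
        echo "ok    apparmor module reports enabled=Y"
    else
        echo "FAIL  apparmor module is not enabled (checked $enabled)"
        rc=1
    fi
    return $rc
}

# When run directly, check the live system.
aa_kernel_check || echo "AppArmor is not fully active on this kernel"
```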
Profile types
Standard profiles
attached to a program by its name
(so a profile name must match the path to the application)
/usr/bin/foo { ... }
Unattached profiles
Unattached profiles are never used automatically
profile /usr/bin/foo { ... }
Local profiles
/parent/profile { ... profile /local/profile { ... } }
What profiles do
A profile defines which files an application may access and what it may do.
The restriction modes are:
- Complaining/Learning
- Enforced/Confined
Checking the current status
aa-status
apparmor module is loaded.
35 profiles are loaded.
12 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/lxc-start
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/chromium-browser/chromium-browser//browser_java
   ..............
23 profiles are in complain mode.
   /bin/ping
   /sbin/klogd
   /sbin/syslog-ng
97 processes have profiles defined.
97 processes are in enforce mode.
   /usr/bin/lxc-start (2826)
   /usr/bin/lxc-start (3528)
   /usr/bin/lxc-start (30836)
   /usr/sbin/libvirtd (13285)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
Applying restrictions to a program
complain:
Set the profile of an application (e.g. ping) to complain mode
aa-complain /path/to/bin
Set all profiles to complain mode
aa-complain /etc/apparmor.d/*
enforce:
aa-enforce /path/to/bin
File permission access modes
combinations of the following modes
- r Read mode
- w Write mode
- px Discrete profile execute mode
- Px Discrete profile execute mode—clean exec
- ux Unconstrained execute mode
- Ux Unconstrained execute mode—clean exec
- ix Inherit execute mode
- m Allow PROT_EXEC with mmap(2) calls (memory map as executable)
- l Link mode
- k file locking
Link mode
The link mode mediates access to hard links.
When a link is created, the target file must have the same access permissions as the link created
Profile
All profiles are stored in /etc/apparmor.d and are loaded automatically.
In the profile file name, the confined application's path is written with "." in place of "/":
/etc/apparmor.d/bin.ping corresponds to /bin/ping
apparmor_parser
apparmor_parser - loads AppArmor profiles into the kernel
add a profile:
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
-a, --add <-- default action
To reload a profile:
cat /etc/apparmor.d/profile.name | apparmor_parser -r
OR
apparmor_parser -r /etc/apparmor.d/lxc-containers
-r, --replace
Reload everything: <-- do not use unless necessary
service apparmor reload
Disable a profile:
[Method 1] aa-disable
aa-disable <executable>
aa-disable /path/to/profiles
[Method 2]
Step1 - Remove the AppArmor profile from the kernel (Temporarily)
# -R, --remove
apparmor_parser -R /etc/apparmor.d/profile.name
Step2 - Disable the profile file (Permanent)
ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
e.g.
# disable the smbd profile
aa-status | grep smbd # smbd is protected by apparmor
smbd
ls /etc/apparmor.d/ | grep smbd # find the profile name
usr.sbin.smbd
apparmor_parser -R /etc/apparmor.d/usr.sbin.smbd
ln /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/disable/
Test
aa-status | grep smbd
apparmor_parser -r /etc/apparmor.d/usr.sbin.smbd
Skipping profile in /etc/apparmor.d/disable: usr.sbin.smbd
Profile Example
/etc/apparmor.d/bin.ping
#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,            <--- read and execute access
  /etc/modules.conf r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/bin.ping>
}
Syntax:
Comment
"#" introduces a comment; "#include" is the exception and includes another file (see Include below)
Include
#include "ABS PATH" | <MAGIC PATH>
"MAGIC PATH" relative to /etc/apparmor.d/
Variables
any variable assignments must be made before the start of the profile
e.g.
@{TFTP_DIR}=/var/tftp /srv/tftpboot
Built-in variables
@{PROC} /proc
@{sys} /sys
Rules
- Capability Rules (ie. capability sys_nice)
- Network Rules (ie. network tcp)
- Mount Rules (ie. mount options in (ro,noatime) /dev/foo -> /mnt/)
- Signal rules
- DBus rules
- Link rules
- Unix socket rules
- change_profile rules
- rlimit rules (ie. set rlimit nproc <= 10,)
Globbing
* # can substitute for any number of characters, excepting '/'
** # can substitute for any number of characters, including '/'
? # can substitute for any single character excepting '/'
[abc]
[a-c]
[^a-c]
{ab,cd}
For a directory, the pathname being looked up will end with a slash:
/tmp/*     Files directly in /tmp.
/tmp/*/    Directories directly in /tmp.
/tmp/**    Files and directories anywhere underneath /tmp.
/tmp/**/   Directories anywhere underneath /tmp.
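Added example (not from the original page): a shell translation of the globbing rules above into a POSIX extended regex, so the patterns in the table can be tried against sample paths. It is a simplified model of AppArmor's own matcher (only *, **, ?, [...] and {a,b}); path normalization and the trailing-slash rule for directories are left to the caller, and the function names are my own.

```sh
#!/bin/sh
# aa_glob_to_ere GLOB: print the POSIX ERE equivalent of an AppArmor path glob.
#   **  -> .*      any characters, including '/'
#   *   -> [^/]*   any characters except '/'
#   ?   -> [^/]    one character except '/'
#   {a,b} -> (a|b) alternation; [...] bracket expressions pass through unchanged.
# Regex metacharacters that are literal in AppArmor globs are escaped first.
aa_glob_to_ere() {
    printf '%s\n' "$1" | sed \
        -e 's/[.+$|()]/\\&/g' \
        -e 's#\*\*#@@DSTAR@@#g' \
        -e 's#\*#[^/]*#g' \
        -e 's#@@DSTAR@@#.*#g' \
        -e 's#?#[^/]#g' \
        -e 's#{#(#g' -e 's#}#)#g' -e 's#,#|#g'
}

# aa_glob_match GLOB PATH: exit 0 when PATH is matched by GLOB.
# Pass directories with a trailing slash, as AppArmor does during lookup.
aa_glob_match() {
    re=$(aa_glob_to_ere "$1")
    printf '%s\n' "$2" | grep -Eq -e "^${re}\$"
}

# Walk the table above with a few constructed paths (not from the page).
show() {
    glob=$1; shift
    for p in "$@"; do
        if aa_glob_match "$glob" "$p"; then r=match; else r='no match'; fi
        printf '%-44s %-24s %s\n' "$glob" "$p" "$r"
    done
}
show '/tmp/*'    /tmp/a /tmp/a/b /tmp/a/
show '/tmp/*/'   /tmp/a /tmp/a/b /tmp/a/
show '/tmp/**'   /tmp/a /tmp/a/b /tmp/a/
show '/tmp/**/'  /tmp/a /tmp/a/b /tmp/a/
show '/dev/tty?' /dev/tty1 /dev/tty12
show '/usr/{sbin/traceroute,bin/traceroute.db}' /usr/sbin/traceroute /usr/bin/traceroutexdb
```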
Other available profiles:
http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/files
Application support status:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles
Logs
If the userland auditd is not running, the kernel will send audit events to klogd;
klogd will send the messages to syslog which will log the messages with the KERN facility
AppArmor audit logs can be found in /var/log/kern.log
complain mode:
- PERMITTING
- REJECTING
enforcement:
- no log
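Added example (not from the original page): a shell/awk summary of AppArmor audit lines from kern.log, grouped by verdict, profile, operation and target, so the gaps in a complain-mode profile stand out. The sample lines are constructed; they use the current kernel key="value" format, where apparmor="ALLOWED" marks a complain-mode access that no rule covers and apparmor="DENIED" a blocked access, rather than the older PERMITTING/REJECTING wording listed above. The function name is my own.

```sh
#!/bin/sh
# aa_log_summary: read AppArmor audit lines (e.g. from /var/log/kern.log) on
# stdin and print one line per distinct (verdict, profile, operation, target,
# denied_mask) with a count, most frequent first. apparmor="ALLOWED" marks a
# complain-mode access that a rule does not cover; apparmor="DENIED" a blocked one.
aa_log_summary() {
    awk '
    /apparmor="(ALLOWED|DENIED)"/ {
        split("", f)                        # reset the key="value" map
        line = $0
        while (match(line, /[a-z_]+="[^"]*"/)) {
            kv = substr(line, RSTART, RLENGTH)
            eq = index(kv, "=")
            f[substr(kv, 1, eq - 1)] = substr(kv, eq + 2, length(kv) - eq - 2)
            line = substr(line, RSTART + RLENGTH)
        }
        # file accesses carry name=..., capability checks carry capname=...
        target = ("name" in f) ? f["name"] : ("capname" in f) ? "capability:" f["capname"] : "?"
        mask = ("denied_mask" in f) ? f["denied_mask"] : "-"
        count[f["apparmor"] " " f["profile"] " " f["operation"] " " target " " mask]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Constructed sample lines (not real log data) in the kernel audit format:
# two complain-mode reads of /etc/shadow by smbd and two enforce-mode denials for ping.
AA_SAMPLE_LOG='Jan 18 09:00:01 host kernel: [  101.1] audit: type=1400 audit(1642496401.100:61): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/etc/shadow" pid=1318 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 18 09:00:02 host kernel: [  102.2] audit: type=1400 audit(1642496402.200:62): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/etc/shadow" pid=1318 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 18 09:00:03 host kernel: [  103.3] audit: type=1400 audit(1642496403.300:63): apparmor="DENIED" operation="open" profile="/bin/ping" name="/etc/modules.conf" pid=2200 comm="ping" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jan 18 09:00:04 host kernel: [  104.4] audit: type=1400 audit(1642496404.400:64): apparmor="DENIED" operation="capable" profile="/bin/ping" pid=2200 comm="ping" capability=21 capname="sys_admin"'

# On a real host: grep apparmor= /var/log/kern.log | aa_log_summary
printf '%s\n' "$AA_SAMPLE_LOG" | aa_log_summary
```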
Confined applications
ps auxZ
LABEL                 USER PID  %CPU %MEM   VSZ  RSS TTY    STAT START TIME COMMAND
unconfined            root 1     0.0  0.0 24468 1940 ?      Ss   Feb25 0:02 /sbin/init
lxc-container-default root 3643  0.0  0.0  1688  252 pts/10 Ss+  Feb25 0:00 /sbin/mingetty tty4
- unconfined = not confined by apparmor
Creating a profile
aa-genprof executable
How it works
Profiles are applied to a process at exec(3) time (an already running process cannot be confined)
[once a profile is loaded for a program, that program will be confined on the next exec]
Linux kernel's securityfs filesystem:
mount -tsecurityfs securityfs /sys/kernel/security
none on /sys/kernel/security type securityfs (rw)
cat /sys/kernel/security/apparmor/profiles
/usr/{sbin/traceroute,bin/traceroute.db} (complain)
/usr/sbin/tcpdump (enforce)
/usr/lib/chromium-browser/chromium-browser (complain)
..........
AppArmor also restricts what privileged operations a confined process
may execute, even if the process is running as root. A confined process
cannot call the following system calls:
create_module(2) delete_module(2) init_module(2) ioperm(2) iopl(2) mount(2) umount(2)
ptrace(2) reboot(2) setdomainname(2) sethostname(2) swapoff(2) swapon(2) sysctl(2)
A confined process cannot call mknod(2) to create character or block devices.
Ubuntu loads policy in two stages
first via upstart jobs for binaries that are started in early boot,
and then via a SysV initscript that starts in S37 for all remaining policy.
If the confined application has an Upstart job, adjust the job to call
/lib/init/apparmor-profile-load with the filename of the policy file
(relative to /etc/apparmor.d/). For example:
pre-start script
    /lib/init/apparmor-profile-load usr.bin.foo
end script
The network-interface-security Upstart job will load all the symlinked
policy files in /etc/apparmor/init/network-interface-security/ before
any network interfaces come up.
aa-exec
To launch a program confined by the specified profile and/or namespace
Usage
# -p PROFILE
aa-exec -p profile1 date
aa-exec -p profile1 -- ls -l
e.g.
cat /etc/apparmor.d/libvirt-rocky8
#include <tunables/global>
profile libvirt-57383799-7e79-4b1d-918d-4b39ebacb72b flags=(attach_disconnected) {
"/mnt/raid/rockylinux/data[1-3].raw" rwk,
}
apparmor_parser -r libvirt-rocky8
aa-status | grep 4b39ebacb72b
libvirt-57383799-7e79-4b1d-918d-4b39ebacb72b
aa-exec -p libvirt-57383799-7e79-4b1d-918d-4b39ebacb72b -- cat /mnt/raid/rockylinux/data4.raw
cat: /mnt/raid/rockylinux/data4.raw: Permission denied
aa-audit
Set an AppArmor security profile to audit mode.
In this mode security policy is enforced and all access (successes and failures) are logged to the system log.
--remove To remove the audit mode for the profile
Usage
aa-audit /path/to/profiles
AppArmor with libvirt
Automatic (default)
XML
<seclabel type='dynamic' model='apparmor'/>
When the VM starts, two files are created in /etc/apparmor.d/libvirt
e.g.
libvirt-0a697737-800f-45c9-fb66-0663f9b1a5e8
libvirt-0a697737-800f-45c9-fb66-0663f9b1a5e8.files
0a697737-800f-45c9-fb66-0663f9b1a5e8 is the VM's UUID    # virsh domuuid rocky8
When the VM stops, both files are deleted.
Defining the profile by hand first
XML
<seclabel type='static' model='apparmor'>
  <label>No Meaning</label>
</seclabel>
When the VM starts, libvirt loads the profile named after the VM's UUID; if the profile does not exist, the start fails.
Further reading
- man apparmor.d
- man apparmor
- novell
Attachment | Size |
---|---|
apparmor201_sp10_admin.pdf | 1.79 MB |