apparmor

Last updated: 2022-01-18

Introduction

 

AppArmor, like SELinux, is built on the LSM (Linux Security Module) framework.

LSM is the kernel framework that lets a security module hook privileged operations,

and a module built on it is used to implement MAC (mandatory access control).

AppArmor implements MAC by name (path-based) rather than by security labels as SELinux does.

It confines an application through the path entries and capability entries in its profile.

Shipped since Ubuntu 7.x (turned on by default);

on Debian 7 it has to be enabled by adding apparmor=1 security=apparmor to GRUB_CMDLINE_LINUX.

Home Page: http://wiki.apparmor.net

 * AppArmor normalizes path names. It resolves symlinks and considers each hard link as a different access path.

 * Deny rules cannot be overridden by an allow rule.



Installation

 

apt-get install apparmor

  • /usr/sbin/aa-status                    <--- show the current AppArmor status
  • /sbin/apparmor_parser                  <--- load a profile into the kernel

apt-get install apparmor-utils

  • /usr/sbin/aa-enforce
  • /usr/sbin/aa-update-browser
  • /usr/sbin/aa-genprof
  • /usr/sbin/aa-unconfined
  • /usr/sbin/aa-logprof
  • /usr/sbin/aa-exec
  • /usr/sbin/aa-decode
  • /usr/sbin/aa-disable
  • /usr/sbin/aa-audit
  • /usr/sbin/aa-autodep
  • /usr/sbin/aa-complain
  • /usr/bin/aa-easyprof

Profile

apt-get install apparmor-profiles                  # commonly used profiles

  • /etc/apparmor.d/bin.ping
  • /etc/apparmor.d/usr.sbin.dnsmasq
  • ...

apt-get install apparmor-profiles-extra         # of limited use

 


Usage

 

Enable AppArmor on boot

vi /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT=" ... apparmor=1 security=apparmor"

update-grub

reboot

Check:

aa-status

apparmor module is loaded.
72 profiles are loaded.
36 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/irssi
   /usr/bin/lxc-start
...

Find processes that no profile is watching

# status: enforce, complain, unconfined

ps xZ | less

LABEL                               PID TTY      STAT   TIME COMMAND
unconfined                            1 ?        Ss     0:05 /sbin/init
...
nmbd (complain)                    1318 ?        Ss     0:25 /usr/sbin/nmbd --foreground --no-process-group

Or

aa-unconfined

1 /lib/systemd/systemd (/sbin/init) not confined
862 /sbin/rpcbind not confined
1158 /usr/sbin/nmbd confined by 'nmbd (complain)'
1161 /usr/sbin/vsftpd not confined
1201 /usr/sbin/ntpd confined by '/usr/sbin/ntpd (enforce)'
...
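Both ps Z and aa-unconfined get their answer from the same place: the kernel exposes each process's AppArmor label in /proc/PID/attr/current (newer kernels also under /proc/PID/attr/apparmor/current), either as the word unconfined or as "PROFILE (MODE)". The following is an added example, not part of the page or of the apparmor-utils package, that reads those files directly; it assumes a Linux /proc and the label format just described (on a SELinux host the file holds a context instead, which is reported as unknown). Unlike aa-unconfined it lists every process, not only those holding network sockets.

```shell
#!/bin/sh
# Added example: read AppArmor confinement straight from /proc.

# aa_parse_label LABEL -> prints "PROFILE MODE"
# LABEL is the content of /proc/PID/attr/current: "unconfined" or "name (mode)".
aa_parse_label() {
  local label=$1 mode
  case $label in
    unconfined)
      printf '%s %s\n' unconfined unconfined ;;
    *' ('*')')
      mode=${label##*\(}; mode=${mode%\)}          # text inside the last (...)
      printf '%s %s\n' "${label% (*}" "$mode" ;;   # everything before " ("
    *)
      # not an AppArmor label (e.g. a SELinux context): report it untouched
      printf '%s %s\n' "$label" unknown ;;
  esac
}

# aa_scan_procs -> one line per process: PID<TAB>COMM<TAB>PROFILE<TAB>MODE
aa_scan_procs() {
  local pid f label comm
  for pid in /proc/[0-9]*; do
    pid=${pid#/proc/}
    f=/proc/$pid/attr/apparmor/current            # preferred on newer kernels
    [ -r "$f" ] || f=/proc/$pid/attr/current       # classic location
    label=$(cat "$f" 2>/dev/null) || continue      # process gone, or no LSM attr
    [ -n "$label" ] || continue
    comm=$(cat "/proc/$pid/comm" 2>/dev/null)
    set -- $(aa_parse_label "$label")
    printf '%s\t%s\t%s\t%s\n' "$pid" "$comm" "$1" "$2"
  done
}

# aa_unconfined_procs -> the subset whose mode is "unconfined"
# (covers both the bare "unconfined" label and profiles loaded in unconfined mode)
aa_unconfined_procs() {
  aa_scan_procs | awk -F'\t' '$4 == "unconfined"'
}

# Usage:
#   aa_scan_procs | sort -t "$(printf '\t')" -k3 | column -t
#   aa_unconfined_procs
```

The parser is the part worth keeping: the same string format is what aa-status prints per process and what appears in ps Z's LABEL column, so the function can also classify labels pasted from a ticket.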

Kernel config parameters

  • CONFIG_DEFAULT_SECURITY
  • CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE
  • CONFIG_DEFAULT_SECURITY_APPARMOR

Compiling the kernel with AppArmor

CONFIG_SECURITY_APPARMOR=y
CONFIG_AUDIT=y

Apparmor as the default security module

grep CONFIG_DEFAULT_SECURITY= /boot/config-*

CONFIG_DEFAULT_SECURITY="apparmor"

OR

CONFIG_DEFAULT_SECURITY="selinux"

# AppArmor to be enabled or disabled at boot.

grep CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE /boot/config-*

CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1

grep CONFIG_DEFAULT_SECURITY_APPARMOR /boot/config-*

CONFIG_DEFAULT_SECURITY_APPARMOR=y

Caveat: since Linux 5.1 the CONFIG_DEFAULT_SECURITY string no longer exists. The set and order of active modules come from CONFIG_LSM (a comma-separated list such as lockdown,yama,apparmor), which the lsm= boot parameter can override; CONFIG_DEFAULT_SECURITY_APPARMOR only picks the default ordering. cat /sys/kernel/security/lsm shows what is actually active.

 


LSM

 

# A list of the active security modules
# The capability module will always be first, followed by any "minor" modules (e.g. Yama) and then
# the one "major" module (e.g. SELinux) if there is one configured.

cat /sys/kernel/security/lsm

capability,yama,apparmor

 


Profile types

 

Standard profiles

attached to a program by its name
(so a profile name must match the path to the application)

/usr/bin/foo {
  ...
}

Unattached profiles

Unattached profiles are never attached to an executable automatically; a process enters one only through aa-exec -p, a change_profile rule, or an exec transition that names it (px -> name). The name must not begin with "/" (a name that is a path attaches to that path, keyword or not) and requires the profile keyword:

profile foo {
  ...
}

Local profiles

A local (child) profile is declared inside a parent and is entered by a cx / Cx exec transition from that parent; nothing else attaches to it.

/parent/profile {
   ...
   profile /local/profile {
      ...
   }
}

 


What profiles do

A profile defines which files an application may access and what else it may do.

A loaded profile is in one of two modes:

  • Complaining/Learning: violations are logged but allowed
  • Enforced/Confined: violations are denied (and logged)

 


Check the current state

 

aa-status

apparmor module is loaded.
35 profiles are loaded.
12 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/lxc-start
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/chromium-browser/chromium-browser//browser_java
   ..............
23 profiles are in complain mode.
   /bin/ping
   /sbin/klogd
   /sbin/syslog-ng
97 processes have profiles defined.
97 processes are in enforce mode.
   /usr/bin/lxc-start (2826)
   /usr/bin/lxc-start (3528)
   /usr/bin/lxc-start (30836)
   /usr/sbin/libvirtd (13285)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

 


Apply a mode to a program's profile

complain:

Set one application's profile (e.g. ping) to complain mode; the argument may be the executable or the profile file

aa-complain /path/to/bin

Set every profile to complain mode (debugging only: this turns off all protection)

aa-complain /etc/apparmor.d/*

enforce:

aa-enforce /path/to/bin

 


File permission access modes

A file rule carries a combination of the following modes:

  • r     Read mode
  • w     Write mode
  • px    Discrete profile execute mode
  • Px    Discrete profile execute mode (clean exec)
  • cx    Child (local) profile execute mode
  • Cx    Child profile execute mode (clean exec)
  • ux    Unconstrained execute mode
  • Ux    Unconstrained execute mode (clean exec)
  • ix    Inherit execute mode
  • m     Allow PROT_EXEC with mmap(2) calls (memory map as executable)
  • l     Link mode
  • k     File locking

Notes: the upper-case forms scrub the environment (LD_PRELOAD and friends) before the exec, as a setuid exec would. px/cx deny the exec if the target profile does not exist, which is the safe default. ux/Ux let the child run unconfined, so a confined program can escape its profile through any binary it may ux; use them only as a last resort.

Link mode

The link mode mediates access to hard links.

When a link is created, the target file must have the same access permissions as the link being created, except that the target does not itself need link access.

 


Profile

All profiles live in /etc/apparmor.d and are loaded automatically at boot

The profile file is named after the confined application's path with "/" replaced by "."

/etc/apparmor.d/bin.ping corresponds to /bin/ping

apparmor_parser

apparmor_parser - loads AppArmor profiles into the kernel

add a profile:

cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

-a, --add              <-- default action

To reload a profile:

cat /etc/apparmor.d/profile.name | apparmor_parser -r

OR

apparmor_parser -r /etc/apparmor.d/lxc-containers

-r, --replace

Reload everything: <-- avoid unless necessary

service apparmor reload

Disable a profile:

[Method 1] aa-disable

aa-disable <executable>

aa-disable /path/to/profile

aa-disable unloads the profile and creates the disable/ symlink for you, i.e. both steps of Method 2.

[Method 2]

Step 1 - Remove the AppArmor profile from the kernel (temporary: until the next reload or boot)

# -R, --remove

apparmor_parser -R /etc/apparmor.d/profile.name

Step 2 - Mark the profile file disabled (permanent)

ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/

e.g.

# disable the smbd profile

aa-status | grep smbd                   # smbd is protected by apparmor

   smbd

ls /etc/apparmor.d/ | grep smbd    # find the profile name

usr.sbin.smbd

apparmor_parser -R /etc/apparmor.d/usr.sbin.smbd

ln -s /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/disable/

Test

aa-status | grep smbd                   # prints nothing now

apparmor_parser -r /etc/apparmor.d/usr.sbin.smbd

Skipping profile in /etc/apparmor.d/disable: usr.sbin.smbd
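Method 2 wrapped into checked, repeatable shell functions, as an added example that is not part of the page or of apparmor-utils. It assumes the naming rule above (profile file = executable path with "/" turned into "."). The profile directory and the parser binary are taken from the variables APPARMOR_D and APPARMOR_PARSER (defaults /etc/apparmor.d and apparmor_parser) so the logic can be exercised against a scratch directory before it is run as root on a real host.

```shell
#!/bin/sh
# Added example: disable / re-enable an AppArmor profile the Method 2 way.

# aa_profile_file /usr/sbin/smbd -> usr.sbin.smbd
aa_profile_file() {
  printf '%s\n' "${1#/}" | tr / .
}

# aa_is_disabled /path/to/executable: exit 0 when a disable/ symlink exists
aa_is_disabled() {
  [ -L "${APPARMOR_D:-/etc/apparmor.d}/disable/$(aa_profile_file "$1")" ]
}

# aa_disable_profile /path/to/executable
aa_disable_profile() {
  local dir="${APPARMOR_D:-/etc/apparmor.d}" parser="${APPARMOR_PARSER:-apparmor_parser}"
  local name file
  name=$(aa_profile_file "$1"); file="$dir/$name"
  [ -f "$file" ] || { echo "no profile file $file" >&2; return 1; }
  mkdir -p "$dir/disable"
  if [ -L "$dir/disable/$name" ]; then
    echo "$name already disabled" >&2; return 0          # idempotent
  fi
  # Step 1: unload from the running kernel. -R fails when the profile is not
  # loaded; that only means nothing was active, so carry on.
  "$parser" -R "$file" 2>/dev/null || echo "note: $name was not loaded" >&2
  # Step 2: keep it unloaded across reloads and reboots: apparmor_parser and the
  # init script skip any profile that has a symlink in disable/.
  ln -s "$file" "$dir/disable/$name"
}

# aa_enable_profile /path/to/executable: undo the above and load the profile
aa_enable_profile() {
  local dir="${APPARMOR_D:-/etc/apparmor.d}" parser="${APPARMOR_PARSER:-apparmor_parser}"
  local name
  name=$(aa_profile_file "$1")
  rm -f "$dir/disable/$name"
  "$parser" -r "$dir/$name"
}

# Usage (as root, on the real directory):
#   aa_disable_profile /usr/sbin/smbd && aa-status | grep smbd
#   aa_enable_profile  /usr/sbin/smbd
```

Using -R and a symlink rather than deleting the profile file keeps the policy under version control and makes the change visible in ls /etc/apparmor.d/disable, which is what an auditor will look at.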

 


Profile Example

 

/etc/apparmor.d/bin.ping

#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,                           <--- m: map as executable, ix: execute inheriting this profile, r: read
  /etc/modules.conf r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/bin.ping>
}

Syntax:

Comment

"#" introduces a comment; "#include" is the include directive, not a comment (AppArmor 3 also accepts include without the "#")

Include

#include "ABS PATH" | <MAGIC PATH>

"MAGIC PATH" is relative to /etc/apparmor.d/

Variables

Any variable assignment must be made before the start of the profile (a list of values is allowed; a rule using the variable expands to one rule per value)

e.g.

@{TFTP_DIR}=/var/tftp /srv/tftpboot

Built-in variables (defined by tunables/global)

@{PROC}    /proc
@{sys}     /sys

Rules

  • Capability rules (e.g. capability sys_nice,)
  • Network rules (e.g. network tcp,)
  • Mount rules (e.g. mount options in (ro,noatime) /dev/foo -> /mnt/,)
  • Signal rules
  • DBus rules
  • Link rules
  • Unix socket rules
  • change_profile rules
  • rlimit rules (e.g. set rlimit nproc <= 10,)
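Putting the syntax above together: the following is an added example of a complete standard profile for a made-up daemon, not a profile shipped by any distribution. It uses the tunables include, a variable with two values, two abstractions, a capability rule, a network rule, file rules with the different exec modes, and a deny rule, and pairs it with a syntax check that does not touch the running kernel. The daemon /usr/local/bin/reportd, its paths and the variable @{REPORT_DIR} are assumptions; the parser flags -Q (skip kernel load) and -K (skip cache) are the ones current apparmor_parser accepts.

```shell
#!/bin/sh
# Added example: a complete profile plus an offline syntax check.

# aa_demo_profile -> prints the profile text for the hypothetical reportd
aa_demo_profile() {
  cat <<'EOF'
# Profile for the hypothetical /usr/local/bin/reportd (example, not a shipped profile)
#include <tunables/global>

# Variables must be assigned before the profile starts; several values are allowed.
@{REPORT_DIR}=/var/lib/reportd /srv/reports

/usr/local/bin/reportd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  network inet stream,

  /usr/local/bin/reportd mr,       # map itself as executable, read it
  /etc/reportd/** r,               # config tree, any depth below /etc/reportd
  owner @{REPORT_DIR}/ r,          # directory listing: trailing slash selects the directory
  owner @{REPORT_DIR}/** rwk,      # report files, only when owned by the daemon's uid
  /{usr/,}bin/gzip Px,             # run gzip under its own profile; denied if none is loaded
  /{usr/,}bin/logger ix,           # logger inherits this profile
  deny /etc/shadow r,              # deny beats any allow; prefix with audit to log it
}
EOF
}

# aa_check_profile FILE: parse FILE without loading it (-Q) or writing the cache (-K).
# Returns apparmor_parser's status, or 2 when the parser is not installed.
aa_check_profile() {
  if command -v apparmor_parser >/dev/null 2>&1; then
    apparmor_parser -Q -K "$1" && echo "$1: OK"
  else
    echo "apparmor_parser not installed; nothing checked" >&2
    return 2
  fi
}

# Usage:
#   aa_demo_profile > /etc/apparmor.d/usr.local.bin.reportd
#   aa_check_profile /etc/apparmor.d/usr.local.bin.reportd
#   apparmor_parser -r /etc/apparmor.d/usr.local.bin.reportd     # load it for real
#   aa-complain /usr/local/bin/reportd                            # learn first, enforce later
```

Two choices in the profile matter for security: the daemon's own binary gets mr rather than any exec mode (it does not re-exec itself), and gzip gets Px, so a compromised reportd cannot use gzip to read files outside gzip's own profile, whereas ix would have let gzip inherit everything reportd may touch.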

Globbing

*         # can substitute for any number of characters, excepting '/'
**        # can substitute for any number of characters, including '/'
?         # can substitute for any single character excepting '/'
[abc]
[a-c]
[^a-c]
{ab,cd}

For a directory, the pathname being looked up ends with a slash, so a trailing slash in the pattern selects directories:

    /tmp/*           Files directly in /tmp.
    /tmp/*/          Directories directly in /tmp.
    /tmp/**          Files and directories anywhere underneath /tmp.
    /tmp/**/         Directories anywhere underneath /tmp.

Other available profiles:

http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/files

Application support status:

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles

 


Logs

 

If the userland auditd is not running, the kernel sends audit events to klogd;
klogd passes them to syslog, which logs them with the KERN facility (on systemd systems journalctl -k shows the same messages)

AppArmor audit logs can be found in /var/log/kern.log (or in /var/log/audit/audit.log when auditd is running)

Each event carries an apparmor="..." field that says what happened:

complain mode:

  • ALLOWED: an access the profile would have denied, permitted only because the profile is in complain mode (older kernels print PERMITTING / REJECTING instead)

enforce mode:

  • DENIED: an access blocked by the profile. Permitted accesses are not logged unless the rule carries the audit prefix or the whole profile is in audit mode (aa-audit)

Profile loads, replacements and removals are logged as STATUS events.
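The DENIED and ALLOWED events are the raw material for a profile, and turning them into rules is what aa-logprof does in its first pass. The following is an added example, not the page's or the apparmor-utils code, that performs that translation over kern.log lines: it keeps only DENIED/ALLOWED events, emits a capability rule for operation="capable" and a file rule for events carrying denied_mask, and collapses duplicates. The sample log lines are constructed for the example (host name, PIDs, paths and timestamps are made up); only the kernel's current key="value" format is handled, not the older PERMITTING/REJECTING spelling, and network or signal events are skipped.

```shell
#!/bin/sh
# Added example: AppArmor audit lines -> candidate profile rules.

# Constructed sample of /var/log/kern.log (not a real capture).
AA_SAMPLE_LOG='Jan 18 10:00:01 host kernel: [  123.456789] audit: type=1400 audit(1642500001.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/etc/shadow" pid=1234 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 18 10:00:02 host kernel: [  124.000000] audit: type=1400 audit(1642500002.000:46): apparmor="DENIED" operation="capable" profile="/usr/sbin/ntpd" pid=1201 comm="ntpd" capability=12  capname="net_admin"
Jan 18 10:00:03 host kernel: [  125.000000] audit: type=1400 audit(1642500003.000:47): apparmor="ALLOWED" operation="open" profile="/bin/ping" name="/etc/hosts" pid=1399 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 18 10:00:04 host kernel: [  126.000000] audit: type=1400 audit(1642500004.000:48): apparmor="DENIED" operation="mknod" profile="/usr/sbin/smbd" name="/var/run/samba/lock" pid=1234 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jan 18 10:00:05 host kernel: [  127.000000] audit: type=1400 audit(1642500005.000:49): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/etc/shadow" pid=1234 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 18 10:00:06 host kernel: [  128.000000] audit: type=1400 audit(1642500006.000:50): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/smbd" pid=2000 comm="apparmor_parser"'

# aa_log_rules: read log lines on stdin, print PROFILE<TAB>RULE once per distinct
# candidate rule, in first-seen order.
aa_log_rules() {
  awk '
    # value of the key="..." field, or "" when the line has no such key
    function val(line, key,    re) {
      re = " " key "=\"[^\"]*\""
      if (match(line, re))
        return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
      return ""
    }
    {
      kind = val($0, "apparmor")
      if (kind != "DENIED" && kind != "ALLOWED") next     # STATUS, AUDIT etc.
      prof = val($0, "profile"); op = val($0, "operation")
      if (op == "capable") {
        rule = "capability " val($0, "capname") ","
      } else {
        mask = val($0, "denied_mask")
        if (mask == "") next                             # network/signal events: not handled here
        if (mask ~ /[cd]/) {                             # create/delete need w in a file rule
          gsub(/[cd]/, "", mask)
          if (mask !~ /w/) mask = mask "w"
        }
        rule = val($0, "name") " " mask ","
      }
      key = prof "\t" rule
      if (!(key in seen)) { seen[key] = 1; order[++n] = key }
    }
    END { for (i = 1; i <= n; i++) print order[i] }
  '
}

# Usage:
#   aa_log_rules < /var/log/kern.log
#   printf "%s\n" "$AA_SAMPLE_LOG" | aa_log_rules       # the constructed sample
```

Read the output as a to-do list, not as rules to paste: the /etc/shadow denial above is the profile doing its job and should stay denied, the lock-file one is a real gap. That judgement is the part aa-logprof asks a human for.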

Confined applications

ps auxZ

LABEL                     USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
unconfined                root         1  0.0  0.0  24468  1940 ?        Ss   Feb25   0:02 /sbin/init
lxc-container-default     root      3643  0.0  0.0   1688   252 pts/10   Ss+  Feb25   0:00 /sbin/mingetty tty4

  • unconfined = not confined by AppArmor

 


Create a profile

aa-genprof /path/to/executable

aa-genprof loads the program's profile (creating a minimal one with aa-autodep if none exists), puts it in complain mode and waits. Exercise the program in another terminal, then press S: aa-genprof scans the log for the program's events and asks, rule by rule, what to allow (for execs: inherit, child, profile or unconfined). F finishes and writes the profile back in enforce mode. To add rules later from new log entries, run aa-logprof on its own.

 


How it works

 

Profiles are applied to a process at exec(3) time (an already running process cannot be confined)
[once a profile is loaded for a program, that program will be confined on the next exec]

Linux kernel's securityfs filesystem:

mount -tsecurityfs securityfs /sys/kernel/security

none on /sys/kernel/security type securityfs (rw)

cat /sys/kernel/security/apparmor/profiles

/usr/{sbin/traceroute,bin/traceroute.db} (complain)
/usr/sbin/tcpdump (enforce)
/usr/lib/chromium-browser/chromium-browser (complain)
..........

AppArmor also restricts which privileged operations a confined process
may perform, even when the process is running as root. Per the original
apparmor(7) text, a confined process cannot call the following system calls:

create_module(2) delete_module(2) init_module(2) ioperm(2) iopl(2) mount(2) umount(2)

ptrace(2) reboot(2) setdomainname(2) sethostname(2) swapoff(2) swapon(2) sysctl(2)

A confined process can not call mknod(2) to create character or block devices.

Caveat: that list predates the mount, ptrace and signal rule types listed above. On current kernels those operations are mediated by the corresponding rules (together with capability rules such as capability sys_admin or sys_module), so a profile can grant them explicitly; the default for a profile with no such rule is still denial.

 


Ubuntu loads policy in two stages

 

first via Upstart jobs for binaries that are started in early boot,
and then via a SysV initscript that starts at S37 for all remaining policy.

(This describes the Upstart-era Ubuntu boot. On systemd releases the profiles in /etc/apparmor.d are loaded by apparmor.service early in boot and the two-stage split no longer applies.)

If the confined application has an Upstart job, adjust the job to call
/lib/init/apparmor-profile-load with the filename of the policy file
(relative to /etc/apparmor.d/). For example:

pre-start script
    /lib/init/apparmor-profile-load usr.bin.foo
end script

The network-interface-security Upstart job will load all the symlinked
policy files in /etc/apparmor/init/network-interface-security/ before
any network interfaces come up.

 


aa-exec

 

Launch a program confined by the specified profile and/or namespace (the profile must already be loaded in the kernel)

Usage

# -p PROFILE

aa-exec -p profile1 date

aa-exec -p profile1 -- ls -l

e.g.

cat /etc/apparmor.d/libvirt-rocky8

#include <tunables/global>

profile libvirt-57383799-7e79-4b1d-918d-4b39ebacb72b flags=(attach_disconnected) {
  #include <abstractions/base>        # without this the confined program cannot even load its shared libraries
  "/mnt/raid/rockylinux/data[1-3].raw" rwk,
}

apparmor_parser -r /etc/apparmor.d/libvirt-rocky8

aa-status | grep 4b39ebacb72b

   libvirt-57383799-7e79-4b1d-918d-4b39ebacb72b

aa-exec -p libvirt-57383799-7e79-4b1d-918d-4b39ebacb72b -- cat /mnt/raid/rockylinux/data4.raw

cat: /mnt/raid/rockylinux/data4.raw: Permission denied

 


aa-audit

 

Set an AppArmor security profile to audit mode.

In this mode security policy is enforced and all access (successes and failures) are logged to the system log.

-r, --remove          Remove audit mode from the profile again

Usage

aa-audit /path/to/profile        # executable path or profile file

 


AppArmor with libvirt

Automatic (default)

XML

<seclabel type='dynamic' model='apparmor'/>

When the VM starts, two files are created in /etc/apparmor.d/libvirt

e.g.

libvirt-0a697737-800f-45c9-fb66-0663f9b1a5e8
libvirt-0a697737-800f-45c9-fb66-0663f9b1a5e8.files

0a697737-800f-45c9-fb66-0663f9b1a5e8 is the VM's UUID   # virsh domuuid rocky8

When the VM stops, both files are deleted

Define the profile by hand first

XML

  <seclabel type='static' model='apparmor'>
    <label>No Meaning</label>
  </seclabel>

When the VM starts, libvirt loads the profile named after the VM UUID. If that profile does not exist, the start fails.

 


Further reading

  • man apparmor.d
  • man apparmor
  • Novell/SUSE AppArmor administration guide (attached below)

 

 

Attachment: apparmor201_sp10_admin.pdf (1.79 MB)
