Ubuntu Open Week - AppArmor - JohnJohansen - Fri, Nov 6, 2009


AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. AppArmor's security model is to bind access control attributes to programs rather than to users. AppArmor confinement is provided via profiles loaded into the kernel, typically on boot. AppArmor profiles can be in one of two modes: enforcement and complain. Profiles loaded in enforcement mode will result in enforcement of the policy defined in the profile as well as reporting policy violation attempts (either via syslog or auditd). Profiles in complain mode will not enforce policy but instead report policy violation attempts.

AppArmor is different from some other MAC systems on Linux in that it is path-based, allows for mixing of enforcement and complain mode profiles, uses include files to ease development and has a far lower barrier to entry than other popular MAC systems.

AppArmor is an established technology first seen in Immunix, and later integrated into Ubuntu, Novell/SUSE, and Mandriva. Work is ongoing by AppArmor, Ubuntu and other developers to merge AppArmor into the official Linux kernel.

Example profile

From /etc/apparmor.d/usr.sbin.tcpdump on Ubuntu 9.04:

#include <tunables/global>

/usr/sbin/tcpdump {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  capability net_raw,
  capability setuid,
  capability setgid,
  capability dac_override,
  network raw,
  network packet,

  # for -D
  capability sys_module,
  @{PROC}/bus/usb/ r,
  @{PROC}/bus/usb/** r,

  # for -F and -w
  audit deny @{HOME}/.* mrwkl,
  audit deny @{HOME}/.*/ rw,
  audit deny @{HOME}/.*/** mrwkl,
  audit deny @{HOME}/bin/ rw,
  audit deny @{HOME}/bin/** mrwkl,
  @{HOME}/ r,
  @{HOME}/** rw,

  /usr/sbin/tcpdump r,

The above profile for tcpdump demonstrates several properties of AppArmor:

  • profiles are simple text files
  • comments are supported in the profile
  • absolute paths as well as file globbing can be used when specifying file access
  • various access controls for files are present. From the profile we see 'r' (read), 'w' (write), 'm' (memory map as executable), 'k' (file locking), and 'l' (creation hard links). There are others not demonstrated in this profile, including (but not limited to) 'ix' (execute and inherit this profile), 'Px' (execute under another profile, after cleaning the environment), and 'Ux' (execute unconfined, after cleaning the environment)
  • access controls for capabilities are present
  • access controls for networking are present
  • specificity in rule matching, ie the most specific rule matches (eg access to @{HOME}/bin/ is denied with auditing due to 'audit deny @{HOME}/bin/** mrwkl,' even though general access to @{HOME} is permitted with '@{HOME}/** rw,')

  • include files are supported to ease development and simplify profiles (ie #include <abstractions/base>, #include <abstractions/nameservice>, #include <abstractions/user-tmp>)

  • variables can be defined and manipulated outside the profile (#include <tunables/global> with @{PROC} and @{HOME})

  • AppArmor profiles are easy to read and audit

Please see More information below for full details on updating and developing profiles as well as instructions using AppArmor.

AppArmor in Ubuntu

AppArmor support was first introduced in Ubuntu 7.04, and is turned on by default in Ubuntu 7.10 and later. AppArmor confinement in Ubuntu is application specific with profiles available for specific binaries. With each release, more and more profiles are shipped by default, with more planned.

If a profile is not available for an application, users may create a profile and add it to /etc/apparmor.d. If a profile is not defined for a particular binary, the binary is not confined. See More information for details.



10:00:26 AM) jjohansen: My name is John Johansen and I am a Kernel Engineer for Canonical and a dev on the AppArmor project.
(10:00:36 AM) jjohansen:  For those of you expecting the "Ask Mark" section it has been moved to Fri at 17:00 UTC
(10:00:47 AM) jjohansen: For those not familiar with AppArmor it is a mandatory access control (MAC) style security system.  Basically it limits an application to a preset list of resources,
(10:00:47 AM) jjohansen: whether it is run as root or not.
(10:01:09 AM) jjohansen: Today I plan to walk through the basics of AppArmor, feel free to ask questions at anytime, though if they don't fit into the current discussion I may wait until later to answer them.
(10:01:30 AM) jjohansen: So MAC security means it always gets applied
(10:01:36 AM) jjohansen: the user doesn't get to change it
(10:02:06 AM) jjohansen: We are going to need a terminal open as AppArmor currently does not have
(10:02:06 AM) jjohansen: any GUI based tools.  Applications >> Accessories >> Terminal
(10:02:38 AM) jjohansen: First up we will look do some basic introspection of AppArmor
(10:03:10 AM) jjohansen: In a terminal you can do  aa-status
(10:03:23 AM) jjohansen: you should see
(10:03:24 AM) jjohansen: apparmor module is loaded.
(10:03:25 AM) jjohansen: You do not have enough privilege to read the profile set.
(10:03:42 AM) jjohansen: or even better sudo aa-status
(10:04:12 AM) jjohansen: which will ask you for your password and then provide a lot of information
(10:04:23 AM) jjohansen: apparmor module is loaded.
(10:04:23 AM) jjohansen: 12 profiles are loaded.
(10:04:23 AM) jjohansen: 12 profiles are in enforce mode.
(10:04:23 AM) jjohansen:    /usr/lib/connman/scripts/dhclient-script
(10:04:23 AM) jjohansen:    /usr/share/gdm/guest-session/Xsession
(10:04:27 AM) jjohansen: ...
(10:05:40 AM) jjohansen: The profiles reported here are the only things that AppArmor is going to confine (apply restrictions too)
(10:06:17 AM) jjohansen: Everything else on you system will run with standard unix DAC permissions
(10:07:25 AM) jjohansen: go under the hood a bit we can get the so of the same basic info that aa-status gives manually
(10:07:35 AM) jjohansen: sudo  ps ax -Z | grep -v '^unconfined'
(10:08:00 AM) jjohansen: will list which process are confined and with which profile
(10:08:27 AM) jjohansen: while sudo cat /sys/kernel/security/apparmor/profiles
(10:08:40 AM) jjohansen: will list the profiles that are loaded into the kernel
(10:09:01 AM) jjohansen: aa-status is just much nicer, and more convient
(10:09:54 AM) jjohansen: if you type aa- and then hit tab twice you will see most of the apparmor commands
(10:10:13 AM) jjohansen: its a nice way to find the command you are looking for
(10:10:23 AM) jjohansen: now lets look at an actual apparmor profile
(10:10:39 AM) jjohansen: AppArmor profiles are stored in /etc/apparmor.d/
(10:10:57 AM) jjohansen: if you do an ls /etc/apparmor.d/
(10:11:47 AM) jjohansen: you should see the several files some of them with names similar to the profiles that were reported by aa-status
(10:12:21 AM) jjohansen: by convention the files in this directory use . to replace the / that appear in profile names
(10:12:44 AM) jjohansen: so usr.bin.evince is the file for the /usr/bin/evince profile
(10:13:42 AM) jjohansen: if you do sudo cat /etc/apparmor.d/usr.sbin.tcpdump
(10:13:58 AM) jjohansen: you can see what a basic profile looks like
(10:14:44 AM) jjohansen: which is mostly just a listing of files and there access permissions
(10:15:03 AM) jjohansen:  @{PROC}/bus/usb/ r,
(10:15:22 AM) akgraner: <sebsebseb>  QUESTIONS:   Do most Ubuntu users  really need to know about  AppArmor?  I mean  it's on by default and doing whatever it does in the background keeping later versions of Ubuntu a bit more secure, right?
(10:15:38 AM) jjohansen: for example is a rule granting read access to some proc files
(10:15:54 AM) jjohansen: good question, in general no
(10:16:10 AM) jjohansen: but some people are interested, so we aim to please
(10:16:29 AM) akgraner: <erUSUL> QUESTION; Heard that ubuntu will make SELinux (mainstream) first class citizen too. How this will affect AppArmor (which is not mainstream) in the future. Will both be supported and maantained in pararell ??
(10:17:12 AM) jjohansen: well I am not sure what you mean by first class citizen
(10:17:24 AM) jjohansen: selinux is certainly supported
(10:17:53 AM) jjohansen: as for apparmor not being upstream, well there are efforts underway to correct that
(10:19:04 AM) jjohansen: all right, that seems it for questions atm
(10:19:54 AM) akgraner: <erUSUL> jjohansen: i mean that selinux was not the official supported MAC system it was (and is) AppArmor. Now SeLinux and AppArmor will be supported equally; or i am mistaken ?
(10:20:38 AM) jjohansen: I am not actual sure what selinux support level will be
(10:22:00 AM) jjohansen: so now that we have poked at the basics a bit lets turn to why people might want to know a little more about apparmor
(10:22:29 AM) jjohansen: since apparmor is a mac system it can stop applications from doing things
(10:22:40 AM) jjohansen: which can cause frustration
(10:22:46 AM) jjohansen: or confusion
(10:22:52 AM) jjohansen: or more likely both
(10:23:12 AM) jjohansen: so how do we check if apparmor is causing something to fail
(10:23:23 AM) jjohansen: well you need to look in the logs
(10:23:59 AM) jjohansen: if you are use a stock ubuntu install you can do either of
(10:24:01 AM) jjohansen: dmesg
(10:24:04 AM) jjohansen: or
(10:24:16 AM) jjohansen: sudo tail /var/log/messages
(10:24:30 AM) jjohansen: and check for apparmor reject messages
(10:24:53 AM) jjohansen: which look like
(10:24:54 AM) jjohansen: [42970.714105] type=1503 audit(1256931563.236:27): operation="open" pid=6640 parent=1887 profile="/bin/example" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/tmp/testfile"
(10:25:29 AM) jjohansen: if you have auditd installed you are going to need to look in /var/log/audit/audit.log
(10:25:50 AM) jjohansen: the messages look pretty much the same
(10:25:50 AM) jjohansen: type=APPARMOR_DENIED msg=audit(1257334524.729:273753): operation="file_perm" pid=15819 parent=15713 profile="/bin/example" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/tmp/testfile"
(10:26:31 AM) jjohansen: in the first example apparmor is block a read access to the file /tmp/file
(10:26:43 AM) jjohansen: err make that /tmp/testfile
(10:27:01 AM) jjohansen: in the second example it is block a write access
(10:27:37 AM) jjohansen: the profile in both is /bin/example
(10:28:01 AM) jjohansen: and you could open up the profile file in /etc/apparmor.d/
(10:28:11 AM) jjohansen: and add a line like
(10:28:25 AM) jjohansen:    /tmp/testfile rw,
(10:28:29 AM) akgraner left the room (quit: Read error: 104 (Connection reset by peer)).
(10:28:43 AM) mode (+v akgraner_ ) by jcastro
(10:29:06 AM) jjohansen: to give that profile read and write permissions for that file or you could run the aa-logprof tool
(10:29:17 AM) akgraner_ is now known as akgraner
(10:30:02 AM) jjohansen: aa-logprof will read the system logs looking for apparmor reject messages and try to update the profile
(10:30:14 AM) akgraner: <SevenMachines> QUESTION: Is there a way for an the responsible running application to be notified of an apparmor rejection?
(10:30:57 AM) jjohansen: no.  to the application it looks like a DAC permission reject
(10:31:18 AM) jjohansen: that is to say the application receives an EACCESS error code
(10:31:43 AM) jjohansen: which could come from a file having the wrong permissions set or from apparmor
(10:32:25 AM) akgraner: <erUSUL> QUESTION: both done by /bin/example ? or by pid=somenunber ?
(10:32:52 AM) jjohansen: ah, both ;)
(10:33:18 AM) jjohansen: in the two example log are from different program invocations
(10:33:28 AM) jjohansen: so they have different pids recorded
(10:33:51 AM) jjohansen: they were both being confined by the same profile
(10:34:08 AM) jjohansen: jjohansen: i was confused by the name of the profile ... /bin/example? is it not bin.example ?
(10:34:18 AM) jjohansen: Ah good question, no
(10:34:51 AM) jjohansen: the file in /etc/apparmor.d/ would likely be called bin.example but the profile would be /bin/example
(10:35:34 AM) jjohansen: the name of the file actually is unimportant and can be anything like in the case of gdm-guest-session
(10:35:58 AM) jjohansen: if you look in the profile file you will the actual name of the profile
(10:36:34 AM) jjohansen: eg. for gdm-guest-session  the actual profile is /usr/share/gdm/guest-session/Xsession
(10:37:07 AM) jjohansen: AppArmor uses the profile name to help determine when to attach a profile to an application
(10:37:27 AM) jjohansen: so the profile name will match an actual binary on disk
(10:38:16 AM) akgraner: <duanedesign> QUESTION: what would the name of the profile for /bin/example be in etc/apparmor
(10:38:41 AM) akgraner: duanedesign> QUESTION: what would the name of the profile for /bin/example be in etc/apparmor.d
(10:38:54 AM) jjohansen: by convention it would be /etc/apparmor.d/bin.example
(10:39:30 AM) akgraner: <ezzieyguywuf> <Question> Why is it so easy to get into "Passwords and Encryptions" and see all the passwords that have been stored on a keyring. Shouldn't this app be password protected or something?
(10:39:35 AM) jjohansen: but if there is a reason to use a different more descriptive name for the file use that
(10:40:10 AM) jjohansen: ezzieyguywuf: which app do you mean?
(10:40:48 AM) jjohansen: in general different apps have different requirements
(10:41:12 AM) jjohansen: if you mean the seahorse stuff going around
(10:41:37 AM) akgraner: ezzieyguywuf> jjohansen: Application >> Accesories >> Passwords and Encryption Keys
(10:42:05 AM) jjohansen: mdeslaur has a very good blog post about it
(10:42:34 AM) jjohansen: ah just a sec I will dig up the post, it goes into a much better explanation than I can heere
(10:43:00 AM) jjohansen:
(10:43:33 AM) akgraner: <erUSUL> QUESTION: so is just a convention ? no script depends on the files be named like that?
(10:44:04 AM) jjohansen: correct it is just a convention, it is the name inside the profile file that is important
(10:44:22 AM) jjohansen: the firefox profile could just as easily be called firefox
(10:45:17 AM) jjohansen: however when using apparmor profiling tools they do tend to use the convention, so you need to manually create a profile first if you want to use a different file name
(10:45:27 AM) jjohansen: or you could rename the file afterwards
(10:45:28 AM) akgraner: <erUSUL> jjohansen: but the name inside the file and the actual binary in the filesystem *do* have to match; do not they?
(10:45:54 AM) jjohansen: yes, they do, sort of :)
(10:46:11 AM) jjohansen: the name in the file can contain apparmor pattern matching
(10:46:22 AM) jjohansen: eg.  /usr/bin/**
(10:46:41 AM) jjohansen: will match all files in and below /usr/bin/
(10:47:00 AM) jjohansen: however another profile with a more specific name will take precedence
(10:47:11 AM) jjohansen: eg /usr/bin/ls
(10:47:24 AM) jjohansen: would be used over /usr/bin/** if it existed
(10:47:50 AM) jjohansen: the other case where they do not have to match comes from with in the profile it self
(10:48:18 AM) jjohansen: if a profile allow executing a binary it will have a transition rule
(10:48:32 AM) jjohansen: eg.  /usr/bin/ls  ix,
(10:49:09 AM) jjohansen: the x is short for execute permission, the i prefix is a modifier telling how to handle profiles
(10:49:27 AM) jjohansen: in this case there ix means inherit the current profile
(10:50:06 AM) akgraner: <duanedesign> QUESTION: you mentioned aa-logprof, how does that work?
(10:50:11 AM) jjohansen: This would be how you would create a large profile covering many different program like a confined shell
(10:50:33 AM) jjohansen: at the terminal type
(10:50:37 AM) jjohansen: aa-logprof
(10:50:58 AM) jjohansen: err better make that sudo aa-logprof
(10:51:09 AM) jjohansen: that will kick off the update program
(10:51:23 AM) jjohansen: it then scans the system logs looking for apparmor messages
(10:51:45 AM) jjohansen: if it finds some it will try to correlate them to profiles that are defined on the system
(10:52:15 AM) jjohansen: if it can do that it will begin prompting for user input, on what to do
(10:53:27 AM) jjohansen: an example would be
(10:53:35 AM) jjohansen: Profile:  /bin/foobash
(10:53:35 AM) jjohansen: Path:     /dev/tty
(10:53:35 AM) jjohansen: Mode:     rw
(10:53:35 AM) jjohansen: Severity: 9
(10:53:35 AM) jjohansen:   1 - #include <abstractions/consoles>
(10:53:35 AM) jjohansen:   2 - #include <abstractions/libvirt-qemu>
(10:53:37 AM) jjohansen:   3 - #include <abstractions/ubuntu-konsole>
(10:53:39 AM) jjohansen:   4 - #include <abstractions/ubuntu-xterm>
(10:53:41 AM) jjohansen:  [5 - /dev/tty]
(10:53:43 AM) jjohansen: [(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
(10:54:04 AM) jjohansen: the user can then select from the presented options
(10:54:16 AM) jjohansen: eg. just allowing /dev/tty
(10:54:27 AM) jjohansen: by pressing 5
(10:54:34 AM) jjohansen: and then a for allow
(10:54:48 AM) jjohansen: or the user can deny the access by pressing d
(10:55:10 AM) jjohansen: pressing n will let the user enter any path they want
(10:55:36 AM) jjohansen: g will add a globbing suggestion,
(10:55:46 AM) jjohansen: in this case /dev/*
(10:56:11 AM) jjohansen: logprof will do this for each log entry and then ask if you want to save your changes
(10:56:32 AM) jjohansen: at that point your profiles should be updated
(10:57:26 AM) jjohansen: aa-logprof, does more than just save the profile, it also makes sure the profiles are reloaded into the system so applications are confined by the most recent version
(10:58:11 AM) jjohansen: aa-log prof is probably the single most useful tool for the user, as it lets them update profile for their configurations
(10:58:26 AM) jjohansen: since we are running out of time do we have anymore questions?
(10:58:31 AM) mode (+v jono ) by jcastro
(10:59:24 AM) jjohansen: another couple tips
(10:59:31 AM) jjohansen: you can use aa-complain
(10:59:43 AM) jjohansen: to set profiles to learning mode
(11:00:04 AM) jjohansen: this will cause messages to go to the logs with out causing applications to fail

More information

MeetingLogs/openweekKarmic/AppArmor (last edited 2009-11-04 19:09:40 by pool-71-182-105-84)