Learn the difference between SELinux and AppArmor to secure your Linux system.
What Is AppArmor?
AppArmor is a Mandatory Access Control (MAC) system that confines programs to a limited set of resources. It restricts programs to a set of files, attributes and capabilities so that it does not go deep into the system and wreak havoc (unless it is given permission to). Instead of Windows’s User Account Control (UAC) model that gives control to users, AppArmor binds the access control attributes to the program itself.
How AppArmor Works
AppArmor works at the kernel level (check out these tips if you are compiling your own kernel) and loads during the initial bootup. AppArmor handles the permission via Profiles: a set of rules that determines what the program can and cannot do. There are two modes that the Profiles can run: Enforcement and Complain. The Enforcement mode is a strict enforcement of the policy, which is defined in the profile, and reports policy violation attempts. Complain mode will only report the policy violation attempts and does not enforce the policy. Most profiles are loaded in Enforcement mode, though there can be a good number of third-partiy profiles loaded in the Complain mode as well.
Checking Out Your AppArmor Status
If you are using Ubuntu 7.04 or above, AppArmor is installed by default and loads when you boot up your computer. To check the AppArmor status, type the following command into the terminal: The image below shows what you will see. In my system, you can see that there are 36 profiles loaded in Enforcement mode.
Finding Disabled AppArmor Profiles
AppArmor has several preloaded profiles, some of which are disabled by default. You can check these out in the “/etc/apparmor.d/disable” folder. In the latest version of AppArmor, you can see that the rsyslogd profile is not enabled. This profile is disabled by default, as users often make configuration changes to rsyslogd that make it incompatible with AppArmor. Tip: learn how you can manage your Ubuntu machine remotely with Webmin.
Enabling and Disabling AppArmor Profiles
While you can have multiple profiles loaded on your system, each profile can either be enabled or disabled individually. For instance, you can enable the rsyslogd profile mentioned earlier. Follow the instructions below to learn how. Open a terminal and enter: That will install the tools needed to run subsequent commands in this tutorial. To enable the profile, enter: To disable it again:
What Does an AppArmor Profile Look Like?
While the AppArmor profiles sound like complicated software, they are actually a simple text file with file paths stating which folders and directories the application can access. You can easily double-click on any profile in the “/etc/apparmor.d” folder to open it in your text editor. The Rsyslogd profile will look like the below image.
Creating Your Own Profiles to Lock Down Applications
Ubuntu already does a pretty good job to protect you, but if you want to restrict a custom application that is not protected by Ubuntu, you can create your own AppArmor profile to lock down the application. This is particularly useful in a server where applications may be running in the background. Note: before you create your own profiles, it is best to first look into the existing AppArmor profiles library to check whether the profile for your application is available. You can also install apparmor-profiles to get an extra list of profiles. Run the following command to start the profiling: /path/to/application is the file path to the application that you want to profile. The default application folder is “/usr/bin,” but it could be different depending on the application and install method, such as “/snap/bin.” Leaving the terminal running, start the application you are going to Profile. For this example, I am using Krita. Use the application as you normally would. For every action you perform on the application, return to the terminal and press Shift + S to get it to scan for changes. From here, you can see the path that the application is accessing and the severity of the action. Choose to “Allow (A)” or “Deny (D)” the action. Keep doing this for the rest of the actions performed on the application. To get the best result, it is best that you plan out your list of actions before you start profiling. Lastly, when you are done, press Shift + F to finish the profiling and Shift + S to save the profile. Once created, the profile will be saved in the “/etc/apparmor.d” folder and will be loaded in Enforcement mode.
Edit Profiles
To edit your newly created profile, use the following command:
In this case,
Stopping and Restarting AppArmor
If, for some reason, you need to stop AppArmor, you can easily do it with: You can confirm it was stopped by checking the status with this command: And to start AppArmor again: If you check the status again, you will see a green light indicating that AppArmor is running. If you are running your own server, check out these tips to secure your Linux server. What are binary blobs and why are they a security risk? Learn the answer and how Linux-Libre can offer your better protection than plain Linux. According to Canonical engineer Jamie Strandboge, this happens because rsyslog is so highly configurable that the profile may not always work properly. All screenshots by Brandon Li.
