Linux Security 101 : AppArmor - Managing an application's access to resources -
AppArmor is a Linux security module which is used to restrict access to resources for programs.
To check if AppArmor is running on our system, we use the command:
We also might need to check if its modules are loaded on the host by looking into the file:
We can apply AppArmor rules to an application through a profile that is loaded into the kernel.
We can check the loaded AppArmor profiles by looking into the file "/sys/kernel/security/apparmor/profiles".
AppArmor profiles are files that define the resources than can be accessed and used by an application.
Below is a simple AppArmor profile example that denies "write" access to all files on the filesystem:
We can see the above rules:
- file : allows complete access to the filesystem
- deny /usr/* w : deny access to all files under the "/usr" filesystem
Below is another example of an AppArmor profile that does not allow the re-mounting of the root filesystem as read-only:
We can check the loaded AppArmor modules and profiles using the below command:
Below are the modes in which AppArmor could operate:
- enforce mode: AppArmor rules are enforced
- complain mode: the rules are not enforced but the actions are logged.
- unconfined: AppArmor is not active
We could change the AppArmor mode for each process using the below commands.
To set AppArmor's mode to "enforce" for "application_1" we use:
To set AppArmor's mode to "complain" for "application_1" we use: