AppArmor is a Linux security module which is used to restrict access to resources for programs.

To check if AppArmor is running on our system, we use the command:


We also might need to check if its modules are loaded on the host by looking into the file:


We can apply AppArmor rules to an application through a profile that is loaded into the kernel.

We can check the loaded AppArmor profiles by looking into the file "/sys/kernel/security/apparmor/profiles".

AppArmor profiles:

AppArmor profiles are files that define the resources than can be accessed and used by an application.

Below is a simple AppArmor profile example that denies "write" access to all files on the filesystem:


We can see the above rules:
  •  file : allows complete access to the filesystem
  •  deny /usr/* w : deny access to all files under the "/usr" filesystem

Below is another example of an AppArmor profile that does not allow the re-mounting of the root filesystem as read-only:

 
We can check the loaded AppArmor modules and profiles using the below command:


AppArmor modes:

Below are the modes in which AppArmor could operate:
  • enforce mode: AppArmor rules are enforced
  • complain mode: the rules are not enforced but the actions are logged.
  • unconfined: AppArmor is not active

We could change the AppArmor mode for each process using the below commands.

To set AppArmor's mode to "enforce" for "application_1" we use:


To set AppArmor's mode to "complain" for "application_1" we use:


Brando Sabatini and Ikbal C ©. Powered by Blogger.