LinuxMint 18: Mandatory Access Control with AppArmor

Table of Contents

1 Install AppArmor

AppArmor is installed by default but utls and profile are not installed yet. Install utils and profile for AppArmor.

$ sudo apt install -y apparmor-utils apparmor-profiles apparmor-profiles-extra$ sudo aa-enforce /etc/apparmor.d/*$ sudo systemctl enable apparmor$ sudo systemctl restart apparmor

2 Show AppArmor status

The aa-status shows AppArmor status. Enforce mode blocks unallowed operation. Complain mode does not unallowed operation but reports to log file. For example, /sbin/dhclient’s behavior is limited by AppArmor (AppArmor is path based MAC). And not listed path here are not limited by AppArmor.

$ sudo aa-statusapparmor module is loaded.77 profiles are loaded.77 profiles are in enforce mode. /sbin/dhclient /usr/bin/evince /usr/bin/evince-previewer /usr/bin/evince-previewer//sanitized_helper /usr/bin/evince-thumbnailer /usr/bin/evince-thumbnailer//sanitized_helper /usr/bin/evince//sanitized_helper /usr/bin/irssi /usr/bin/pidgin /usr/bin/pidgin//launchpad_integration /usr/bin/pidgin//sanitized_helper /usr/bin/totem /usr/bin/totem-audio-preview /usr/bin/totem-video-thumbnailer /usr/lib/NetworkManager/nm-dhcp-client.action /usr/lib/NetworkManager/nm-dhcp-helper /usr/lib/chromium-browser/chromium-browser /usr/lib/chromium-browser/chromium-browser//browser_java /usr/lib/chromium-browser/chromium-browser//browser_openjdk /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox /usr/lib/chromium-browser/chromium-browser//lsb_release /usr/lib/chromium-browser/chromium-browser//sanitized_helper /usr/lib/chromium-browser/chromium-browser//xdgsettings<snip>

2.1 Change profile status

Change to enforce mode with aa-enforce.

$ sudo aa-enforce /etc/apparmor.d/<profile>

Change to complain mode with aa-complain.

$ sudo aa-complain /etc/apparmor.d/<profile>

2.2 Enable and disable profile

Disable profile with apparmor_parser -R. Creating symbolic link to “disable directory” disables profiles on AppArmor boot.

$ sudo apparmor_parser -R /etc/apparmor.d/<profile>$ sudo ln -s /etc/apparmor.d/<profile> /etc/apparmor.d/disable/

Disable profile with apparmor_parser -r. Deleting symbolic link from “disable directory” enables profiles on AppArmor boot.

$ sudo apparmor_parser -r /etc/apparmor.d/<profile>$ sudo rm -f /etc/apparmor.d/disable/<profile>

3 Create profile

This article will use /bin/mycat which is /bin/cat copy. And create profile for /bin/mycat.

$ sudo cp /bin/cat /bin/mycat

Create base profile with aa-genprof. And terminate aa-genprof with pressing F key.

After running aa-genprof, run /bin/mycat on the other terminal and output log to /var/log/syslog. Pressing S key to aa-genprof will read /var/log/syslog and suggest profile.

$ sudo aa-genprof /bin/mycat<snip>Profiling: /bin/mycat[(S)can system log for AppArmor events] / (F)inish<snip>

The base profile is the following.

$ sudo cat /etc/apparmor.d/bin.mycat# Last Modified: Tue Jun 13 16:38:23 2017#include <tunables/global>/bin/mycat { #include <abstractions/base> /bin/mycat mr,}

Change this base profile to the following. Note that for is treated as a file and /bar is treated as a directory.

$ sudo cat /etc/apparmor.d/bin.mycat# Last Modified: Tue Jun 13 16:38:23 2017#include <tunables/global>/bin/mycat { #include <abstractions/base> /bin/mycat mr, # /foo is file and /bar/ is directory. /etc/hostname r, # /etc/hostname can be read. /etc/dpkg/* r, # Files in /etc/dpkg can be read but directory cannot. /etc/apt/** r, # All file and directory in /etc/apt can be read.}

Enable profile with aa-enforce.

$ sudo aa-enforce /etc/apparmor.d/bin.mycatSetting /etc/apparmor.d/bin.mycat to enforce mode.

Running /bin/mycat is the following.

$ mycat /etc/passwd > /dev/nullmycat: /etc/passwd: Permission denied$ mycat /etc/hostname > /dev/null$ mycat /etc/dpkg/dpkg.cfg > /dev/null$ mycat /etc/dpkg/dpkg.cfg.d/pkg-config-hook-config > /dev/nullmycat: /etc/dpkg/dpkg.cfg.d/pkg-config-hook-config: Permission denied$ mycat /etc/apt/apt.conf.d/00aptitude > /dev/null$

Android | Linux | SDL - Narrow Escape