This document is obsolete and no longer updated; it is kept for historical purposes only. An updated version is available on
AppArmor is a Linux Security Module implementation built around the concept of attaching rules to file paths.
For each file path you specify, AppArmor permits only the permissions you grant; anything not listed in the profile is denied.
For example, the profile shipped for klogd (sbin.klogd):

```
# ------------------------------------------------------------------
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
# ------------------------------------------------------------------
#include <tunables/global>

/sbin/klogd {
  #include <abstractions/base>

  capability sys_admin, # for backward compatibility with kernel <= 2.6.37
  capability syslog,
  network inet stream,

  /boot/System.map* r,
  @{PROC}/kmsg r,
  @{PROC}/kallsyms r,
  /dev/tty rw,
  /sbin/klogd rmix,
  /var/log/boot.msg rwl,
  /{,var/}run/klogd.pid krwl,
  /{,var/}run/klogd/klogd.pid krwl,
  /{,var/}run/klogd/kmsg r,
}
```
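To make the path-rule semantics concrete, here is an added example (not code from the page or from the AppArmor project) that parses the file rules of the klogd profile above and answers "which permissions does this profile grant on this path?". It implements AppArmor's `{a,b}` alternation, `*` (does not cross `/`), `**` (crosses `/`) and `?` globbing, and assumes `@{PROC}` expands to `/proc` as in the default `tunables/global`; the profile text is a constructed excerpt of the rules shown above.

```python
import re

# Constructed sample: the path rules of the klogd profile shown above (#include,
# capability and network rules omitted, since they are not file-path rules).
KLOGD_PROFILE = """/sbin/klogd {
  /boot/System.map* r,
  @{PROC}/kmsg r,
  /dev/tty rw,
  /var/log/boot.msg rwl,
  /{,var/}run/klogd.pid krwl,
  /{,var/}run/klogd/kmsg r,
}"""
TUNABLES = {"@{PROC}": "/proc"}  # assumed value of the tunables/global variable

def expand_braces(pattern):
    """Expand {a,b} alternations (possibly several) into plain patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m.group(1).split(",") for p in expand_braces(head + alt + tail)]

def glob_to_regex(pattern):
    """AppArmor globbing: '**' may span '/', while '*' and '?' may not."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        else:
            c = pattern[i]
            out += "[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
            i += 1
    return re.compile("^" + out + "$")

def parse_file_rules(text):
    """Return (regex, permission-letters) pairs for every path rule in the profile."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if not (line.startswith(("/", "@{")) and line.endswith(",")):
            continue  # profile header, closing brace, capability/network rules
        path, perms = line[:-1].rsplit(None, 1)
        for var, value in TUNABLES.items():
            path = path.replace(var, value)
        rules.extend((glob_to_regex(p), set(perms)) for p in expand_braces(path))
    return rules

def allowed_perms(rules, path):
    """Union of the permission letters of every matching rule; empty set = denied."""
    return set().union(*(perms for rx, perms in rules if rx.match(path)))
```

Note that a path with no matching rule yields an empty set, which is exactly the default-deny behaviour described above; `/boot/System.map/x` is denied because `*` does not cross a `/`.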
Since Linux 3.4, improved AppArmor support is merged into the mainline kernel. For the best experience, however, it is recommended to patch your kernel with the additional support. Without the patches it is only possible to load profiles; deactivation, listing, the init script and so on will not work.
The required patches are included in the AppArmor tarball. If you are using a grsec enabled kernel, such as
The AppArmor userspace utilities currently live in the
```
# layman -a hardened-dev
# emerge apparmor-utils
```

You will probably also wish to install some profiles to get started:

```
# emerge apparmor-profiles
```
You may wish to edit the configuration files located in
Profiles are stored as simple text files in
```
/etc/apparmor.d $ ls
abstractions    program-chunks  usr.lib.apache2.mpm-prefork.apache2  usr.lib.dovecot.managesieve-login  usr.sbin.dovecot  usr.sbin.nscd
apache2.d       sbin.klogd      usr.lib.dovecot.deliver              usr.lib.dovecot.pop3               usr.sbin.identd   usr.sbin.ntpd
bin.ping        sbin.syslog-ng  usr.lib.dovecot.dovecot-auth         usr.lib.dovecot.pop3-login         usr.sbin.lspci    usr.sbin.smbd
disable         sbin.syslogd    usr.lib.dovecot.imap                 usr.sbin.avahi-daemon              usr.sbin.mdnsd    usr.sbin.smbldap-useradd
local           tunables        usr.lib.dovecot.imap-login           usr.sbin.dnsmasq                   usr.sbin.nmbd     usr.sbin.traceroute
```
Profiles are referred to by name, including any parent subdirectories if present.
To activate a profile, simply set it to enforce mode.
```
# aa-enforce usr.sbin.dnsmasq
Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
```
Similarly, to deactivate a profile, simply set it to complain mode.
```
# aa-complain usr.sbin.dnsmasq
Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode.
```
The current status of your profiles may be viewed using
```
# aa-status
apparmor module is loaded.
6 profiles are loaded.
5 profiles are in enforce mode.
   /bin/ping
   /sbin/klogd
   /sbin/syslog-ng
   /usr/sbin/dnsmasq
   /usr/sbin/identd
1 profiles are in complain mode.
   /usr/sbin/lspci
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/dnsmasq (12905)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
```
The provided init script automatically loads all profiles located in your profile directory. Unless specified otherwise, each profile is loaded in enforce mode.