From 7cb0a52930fe11c06cd3cbea392d3ce5748916f0 Mon Sep 17 00:00:00 2001 From: Michael Palimaka Date: Wed, 11 Jul 2012 05:44:40 +1000 Subject: Update previews. --- html/apparmor.html | 222 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 222 insertions(+) create mode 100644 html/apparmor.html diff --git a/html/apparmor.html b/html/apparmor.html new file mode 100644 index 0000000..291adb9 --- /dev/null +++ b/html/apparmor.html @@ -0,0 +1,222 @@ + + + + + + + + + + + +Gentoo Linux Documentation +-- + Gentoo AppArmor Guide + + + + + +
Gentoo Logo
+ + +
+

Disclaimer : + This document is a work in progress and should not be considered official yet. +

+

Gentoo AppArmor Guide

+
+Content: + +
+

1. + Introduction

+

+AppArmor is a Linux Security Module implementation, working around the concept of adding rules to file paths. +

+

+For each file path you specify, AppArmor will permit it only the permissions you grant. +

+ + + +

Code Listing1.1: Sample profile

+# ------------------------------------------------------------------
+#    Copyright (C) 2002-2009 Novell/SUSE
+#    Copyright (C) 2010 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/sbin/klogd {
+  #include <abstractions/base>
+
+  capability sys_admin, # for backward compatibility with kernel <= 2.6.37
+  capability syslog,
+
+  network inet stream,
+
+  /boot/System.map*     r,
+  @{PROC}/kmsg          r,
+  @{PROC}/kallsyms      r,
+  /dev/tty              rw,
+
+  /sbin/klogd           rmix,
+  /var/log/boot.msg     rwl,
+  /{,var/}run/klogd.pid    krwl,
+  /{,var/}run/klogd/klogd.pid krwl,
+  /{,var/}run/klogd/kmsg   r,
+}
+
+

2. + Initial setup

+

Kernel patching

+

+From Linux 3.4, improved AppArmor support has been merged into the kernel. For the best experience, however, +it is recommended to patch your kernel with additional support. Without patching, it will only be possible to activate +profiles - deactivation, listing, init script etc. will not work. +

+

+The required patches are included in the AppArmor tarball. If you are using a grsec enabled kernel, such as hardened-sources, +the patches will not cleanly apply. For convenience, a rebased version of the patches is +available. +

+

Install utilities

+

+The AppArmor userspace utilities currently live in the +Hardened development overlay. +You should install layman, and then add the hardened-dev overlay: + + + + +

Code Listing1.1: Install userspace utilities

+# layman -a hardened-dev
+# emerge apparmor-utils
+You will probably also wish to install some profiles to get started:
+# emerge apparmor-profiles
+
+ +

+

Further configuration

+

+You may wish to edit the configuation files located in /etc/apparmor, however +the default values will suit most users. +

+

3. + Working with profiles

+

+Profiles are stored as simple text files in /etc/apparmor.d. They may take any name, and may be stored +in subdirectories - you may organise them however it suits you. +

+ + + +

Code Listing3.1: Sample profile directory listing

+/etc/apparmor.d $ ls
+abstractions  program-chunks  usr.lib.apache2.mpm-prefork.apache2  usr.lib.dovecot.managesieve-login  usr.sbin.dovecot  usr.sbin.nscd
+apache2.d     sbin.klogd      usr.lib.dovecot.deliver              usr.lib.dovecot.pop3               usr.sbin.identd   usr.sbin.ntpd
+bin.ping      sbin.syslog-ng  usr.lib.dovecot.dovecot-auth         usr.lib.dovecot.pop3-login         usr.sbin.lspci    usr.sbin.smbd
+disable       sbin.syslogd    usr.lib.dovecot.imap                 usr.sbin.avahi-daemon              usr.sbin.mdnsd    usr.sbin.smbldap-useradd
+local         tunables        usr.lib.dovecot.imap-login           usr.sbin.dnsmasq                   usr.sbin.nmbd     usr.sbin.traceroute
+
+

+Profiles are referred to by name, including any parent subdirectories if present. +

+

Manual control

+

+To activate a profile, simply set it to enforce mode. + + + +

Code Listing1.1: Manual profile activation

+# aa-enforce usr.sbin.dnsmasq
+Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
+
+

+

+Similarly, to deactive a profile, simply set it to complain mode. + + + +

Code Listing1.1: Manual profile deactivation

+# aa-complain usr.sbin.dnsmasq
+Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode.
+
+

+

+The current status of your profiles may be viewed using aa-status. + + + +

Code Listing1.1: Profile status listing

+# aa-status
+apparmor module is loaded.
+6 profiles are loaded.
+5 profiles are in enforce mode.
+   /bin/ping
+   /sbin/klogd
+   /sbin/syslog-ng
+   /usr/sbin/dnsmasq
+   /usr/sbin/identd
+1 profiles are in complain mode.
+   /usr/sbin/lspci
+1 processes have profiles defined.
+1 processes are in enforce mode.
+   /usr/sbin/dnsmasq (12905)
+0 processes are in complain mode.
+0 processes are unconfined but have a profile defined.
+
+

+

Automatic control

+

+The provided init script will automatically load all profiles located in your profile directory. +Unless specifically specified otherwise, each profile will be loaded in enforce mode. +

+
+
+
+ + + + + + +

Print

Page updated July 10, 2012

Summary: +This guide provides a brief overview of AppArmor, and gives information +on how to install and configure it on Gentoo. +

+ Michael Palimaka +
Author

+

Donate to support our development efforts. +

+
+ +
+
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? Contact us. +
+ -- cgit v1.2.3-65-gdbad
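Review bot: In the "Manual control" section of html/apparmor.html, the sentence "Similarly, to deactive a profile, simply set it to complain mode." is wrong as documentation: `aa-complain` does not deactivate a profile, it keeps the profile loaded and switches it to logging would-be denials instead of enforcing them, which the guide's own `aa-status` output confirms by counting `/usr/sbin/lspci` under "1 profiles are in complain mode" among the "6 profiles are loaded". Suggest describing complain mode as a logging/learning mode and covering actual unloading separately (for example `aa-disable`, or `apparmor_parser -R`), with a cross-reference to the "Kernel patching" section, which already states that deactivation needs the extra kernel patches; the typo "deactive" should be fixed in the same edit. Smaller points in the same file: every listing after the first is labelled "Code Listing1.1" (the install listing in section 2 and the three listings in section 3 should follow the "3.1" numbering used for the directory listing); the "Install userspace utilities" listing mixes the prose line "You will probably also wish to install some profiles to get started:" into a command block; and "configuation" in "Further configuration" plus "Unless specifically specified otherwise" in "Automatic control" need rewording.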