This is Gentoo's testing wiki. It is a non-operational environment and its textual content is outdated.
Please visit our production wiki at https://wiki.gentoo.org
AppArmor
AppArmor is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules).
Installation
Kernel
While the Linux kernel has supported AppArmor for quite some time, some recent changes have been made that make working with AppArmor profiles much more user friendly. It is therefore highly recommended to use >=sys-kernel/hardened-sources-3.10 or any other kernel >=3.12.
Activate the following kernel options:
'"`UNIQ--pre-00000000-QINU`"'
Note that the Enable AppArmor 2.4 compatability option is only required with hardened-sources before 3.12
Emerge
Install the userspace tools. It contains the profile parser and init script:
root #emerge --ask sys-apps/apparmorEmerging the following package is recommended, but not required. This package contains additional userspace utilities to assist with profile management:
root #emerge --ask sys-apps/apparmor-utilsAdditional software
- sys-libs/libapparmor - The core library to support the userspace utilities
- sec-policy/apparmor-profiles - A collection of pre-built profiles contributed by the AppArmor community
Configuration
Enabling AppArmor
If you did not select AppArmor as the default security module and set the boot parameter default value in the kernel configuration, you will need to enable AppArmor manually at boot time.
GRUB
/boot/grub/grub.confExample GRUB config for AppArmor with simple kerneltitle=Gentoo with AppArmor root (hd0,0) kernel /vmlinuz root=/dev/sda2 apparmor=1 security=apparmor
GRUB 2
/etc/default/grubEnabling AppArmor with GRUB 2GRUB_CMDLINE_LINUX_DEFAULT="apparmor=1 security=apparmor"
Apply changes by running:
root #grub2-mkconfig -o /boot/grub2/grub.cfgsecurityfs
securityfs is the filesystem used by Linux kernel security modules. The init script mounts it automatically if it is not already, but some may prefer to do it manually:
/etc/fstabsecurityfs entry for fstabnone /sys/kernel/security securityfs defaults 0 0
Services
OpenRC
Adding it to boot runlevel:
root #rc-update add apparmor bootWorking with profiles
Profiles are stored as simple text files in /etc/apparmor.d. They may take any name, and may be stored in subdirectories - you may organised them however it suits you.
root #ls /etc/apparmor.dabstractions program-chunks usr.lib.apache2.mpm-prefork.apache2 usr.lib.dovecot.managesieve-login usr.sbin.dovecot usr.sbin.nscd apache2.d sbin.klogd usr.lib.dovecot.deliver usr.lib.dovecot.pop3 usr.sbin.identd usr.sbin.ntpd bin.ping sbin.syslog-ng usr.lib.dovecot.dovecot-auth usr.lib.dovecot.pop3-login usr.sbin.lspci usr.sbin.smbd disable sbin.syslogd usr.lib.dovecot.imap usr.sbin.avahi-daemon usr.sbin.mdnsd usr.sbin.smbldap-useradd local tunables usr.lib.dovecot.imap-login usr.sbin.dnsmasq usr.sbin.nmbd usr.sbin.traceroute
Profiles are referred to by name, including any parent subdirectories if present.
Automatic control
The init script will automatically load all profiles located in your profile directory. Unless specifically specified otherwise, each profile will be loaded in enforce mode.
Manual control
To activate a profile, simply set it to enforce mode:
root #aa-enforce usr.sbin.dnsmasqSetting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
Similarly, to deactivate a profile, simply set it to complain mode.
root #aa-complain usr.sbin.dnsmasqSetting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode.
The current status of your profiles may be viewed using aa-status:
root #aa-status# aa-status apparmor module is loaded. 6 profiles are loaded. 5 profiles are in enforce mode. /bin/ping /sbin/klogd /sbin/syslog-ng /usr/sbin/dnsmasq /usr/sbin/identd 1 profiles are in complain mode. /usr/sbin/lspci 1 processes have profiles defined. 1 processes are in enforce mode. /usr/sbin/dnsmasq (12905) 0 processes are in complain mode. 0 processes are unconfined but have a profile defined.