This chapter explains how to build and manage Novell® AppArmor profiles. You are ready to build Novell AppArmor profiles after you select the programs to profile. For help with this, refer to Chapter 2, Selecting Programs to Immunize.
This section details the syntax and makeup of Novell AppArmor profiles. An example illustrating this syntax is presented in Section 3.1.1, “Breaking a Novell AppArmor Profile into Its Parts”.
Novell AppArmor profile components are called Novell AppArmor rules. Currently there are two main types of Novell AppArmor rules: path entries and capability entries. Path entries specify what the process can access in the file system, and capability entries provide finer-grained control over what a confined process is allowed to do through other system calls that require privileges. Includes are directives (meta rules) that pull path and capability entries in from other files.
The easiest way of explaining what a profile consists of and how to create one is to show the details of a sample profile. Consider, for example, the following shortened profile for the program /usr/lib/postfix/flush (for the complete version, refer to /etc/apparmor.d/usr.lib.postfix.flush):

```
# profile to confine postfix/flush
#include <tunables/global>
/usr/lib/postfix/flush
{
  #include <abstractions/base>
  ...
  capability setgid,
  ...
  /usr/lib/postfix/flush rix,
  /{var/spool/postfix/,}deferred r,
  ...
  /{var/spool/postfix/,}flush rwl,
  ...
  /{var/spool/postfix/,}incoming r,
  ...
  /{var/spool/postfix/,}public/qmgr w,
  /etc/mtab r,
  /etc/postfix/main.cf r,
  /etc/postfix/virtual.db r,
  @{HOME}/.forward r,
  /proc/stat r,
  /proc/sys/kernel/ngroups_max r,
  /var/spool/postfix/pid/unix.flush rw,
}
```
Note: Using Variables in Profiles

With the current AppArmor tools, variables such as the @{HOME} used in the above example can only be used when manually editing and maintaining a profile. A typical example of when variables come in handy is a network scenario in which user home directories are not mounted in the standard location
When a profile is created for a program, the program can access only the files, modes, and POSIX capabilities specified in the profile. These restrictions are in addition to the native Linux access controls.
For example, to gain the capability CAP_CHOWN, the program must both have access to CAP_CHOWN under conventional Linux access controls (typically, by being a root-owned process) and have the rule `capability chown,` in its profile. Similarly, to be able to write to the file /foo/bar, the program must both have the correct user ID and mode bits set in the file's attributes (see the chmod and chown man pages) and have the rule `/foo/bar w,` in its profile. Neither check substitutes for the other: a profile entry grants nothing that the kernel's ordinary permission check would refuse, and running as root does not bypass a profile that lacks the entry.
Attempts to violate Novell AppArmor rules are recorded in /var/log/audit/audit.log if the audit package is installed, or otherwise in /var/log/messages. In many cases, Novell AppArmor rules prevent an attack from working because necessary files are not accessible and, in all cases, Novell AppArmor confinement restricts the damage that the attacker can do to the set of files permitted by Novell AppArmor.
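To make use of those records, the following Python is an added example (not part of Novell AppArmor or its aa-logprof tool) that parses denial lines and derives, per profile, the rule that would have permitted each access. That is the list a profile author reviews when deciding whether a denial is a gap in the profile or an attack being stopped. It assumes the key=value record wording (apparmor="DENIED", name=, requested_mask=) that the kernel's audit messages carry; older releases worded denials differently, so adapt parse_record to what your system writes. The sample log lines are constructed, not captured from a real system.

```python
"""Added example (not part of the AppArmor tools): turn the denial records that
land in /var/log/audit/audit.log (or /var/log/messages) into the profile entries
that would have permitted each access, grouped per profile, the way aa-logprof
proposes rules for review. ASSUMPTION: records use the key=value wording
(apparmor="DENIED" ... name="..." denied_mask="...") of the kernel's audit
messages; older releases worded denials differently.
The log lines below are constructed, not captured from a real system."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
type=APPARMOR_DENIED msg=audit(1198000000.123:45): apparmor="DENIED" operation="open" profile="/usr/lib/postfix/flush" name="/etc/shadow" pid=4321 comm="flush" requested_mask="r" denied_mask="r" fsuid=51 ouid=0
type=APPARMOR_DENIED msg=audit(1198000000.456:46): apparmor="DENIED" operation="capable" profile="/usr/lib/postfix/flush" pid=4321 comm="flush" capability=0 capname="chown"
type=APPARMOR_DENIED msg=audit(1198000000.789:47): apparmor="DENIED" operation="open" profile="/usr/lib/postfix/flush" name="/var/spool/postfix/defer/3/3A1B2C" pid=4321 comm="flush" requested_mask="wc" denied_mask="wc" fsuid=51 ouid=51
type=APPARMOR_DENIED msg=audit(1198000001.000:48): apparmor="DENIED" operation="exec" profile="/usr/sbin/ntpd" name="/bin/sh" pid=800 comm="ntpd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=USER_LOGIN msg=audit(1198000001.500:49): pid=900 uid=0 auid=1000 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_record(line):
    """Return the key=value fields of one AppArmor denial, or None for any other line."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}

def candidate_rule(fields):
    """The profile entry that would have allowed this denial (None if not file/capability)."""
    if fields.get("operation") == "capable":
        return f"capability {fields['capname']},"
    if "name" not in fields:
        return None                          # e.g. network or signal mediation: not handled
    # Cover the whole access the program asked for, not only the part refused.
    # 'c' (create) is written as 'w' in a profile; a bare 'x' needs an exec qualifier,
    # and which one (ix/px/ux) is the reviewer's decision, so "ix" is only a placeholder.
    mask = fields.get("requested_mask") or fields["denied_mask"]
    mode = "".join(sorted({"w" if c == "c" else c for c in mask if c in "rwlkmac"}))
    if "x" in mask:
        mode += "ix"
    return f"{fields['name']} {mode},"

def suggest_rules(log_text):
    """Map each profile that logged denials to the sorted list of candidate entries."""
    by_profile = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_record(line)
        rule = candidate_rule(fields) if fields else None
        if rule:
            by_profile[fields["profile"]].add(rule)
    return {profile: sorted(rules) for profile, rules in by_profile.items()}

if __name__ == "__main__":
    # Every suggestion is a question for the profile author, not an answer: the
    # denied read of /etc/shadow by postfix/flush is the profile doing its job.
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(profile + " {")
        print("".join(f"  {r}\n" for r in rules) + "}")
```

Run stand-alone it prints one candidate block per profile. The constructed /etc/shadow record shows the caveat that matters: a denial log mixes genuine profile gaps with attacks the profile has just stopped, and only a reviewer can tell them apart, which is why this code (like aa-logprof) proposes entries rather than writing them into the profile.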
#include statements are directives that pull in components of other Novell AppArmor profiles to simplify profiles. Include files fetch access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs. Using includes can reduce the size of a profile.

By default, AppArmor resolves the path given in an #include statement relative to /etc/apparmor.d, so it expects the include files to be located there: #include <abstractions/base> refers to /etc/apparmor.d/abstractions/base. Unlike other profile statements (but similar to C programs), #include lines do not end with a comma.
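The following Python is an added example (not code from the AppArmor project) that ties together the profile syntax shown above, the access check described for /foo/bar, and #include resolution against /etc/apparmor.d: it parses a profile, pulls in its include files, substitutes @{HOME}, expands the /{var/spool/postfix/,} alternation and decides whether a given path access is permitted. The include files are in-memory stand-ins rather than the shipped ones, the embedded profile is a subset of the sample above with the elisions dropped, and the glob and permission-accumulation handling are simplifications marked as assumptions.

```python
"""Added example (not AppArmor project code): evaluator for the profile syntax described
above. Parses path/capability entries and #include directives (resolved against an
in-memory stand-in for /etc/apparmor.d), expands @{VAR} and {a,b}, and decides whether
an access is permitted. Simplifications are marked ASSUMPTION."""
import re

INCLUDE_ROOT = {  # constructed stand-ins, not copies of the shipped include files
    "tunables/global": "@{HOME}=/home/*/ /root/\n",
    "abstractions/base": "/lib/ld-*.so* mr,\n/lib/lib*.so* mr,\n/dev/null rw,\n",
}

# Subset of the sample profile from this section, with the "..." elisions dropped.
SAMPLE_PROFILE = """\
# profile to confine postfix/flush
#include <tunables/global>
/usr/lib/postfix/flush
{
  #include <abstractions/base>
  capability setgid,
  /usr/lib/postfix/flush rix,
  /{var/spool/postfix/,}flush rwl,
  @{HOME}/.forward r,
}
"""

def parse_profile(text, include_root):
    """Parse a profile and its includes -> (name, capabilities, path_rules, variables)."""
    caps, paths, variables, header = set(), [], {}, [None, None]  # [pending name, name]

    def handle(lines):
        for raw in lines:
            line = raw.strip()
            if line.startswith("#include"):                    # directive: no trailing comma
                name = re.fullmatch(r"#include\s*<([^>]+)>", line).group(1)
                handle(include_root[name].splitlines())        # KeyError: not under /etc/apparmor.d
            elif not line or line[0] == "#" or line == "}":    # blank, comment, close
                continue
            elif line.endswith("{"):                           # "/path {" or a bare "{"
                header[1] = line[:-1].strip() or header[0]
            elif line.startswith("@{") and "=" in line:        # tunable: @{VAR}=v1 v2 ...
                variables[line[2:line.index("}")]] = line.partition("=")[2].split()
            elif not line.endswith(","):
                header[0] = line                               # name alone; "{" follows
            elif line.startswith("capability "):
                caps.add(line[11:-1].strip())
            else:
                paths.append(tuple(line[:-1].rsplit(None, 1)))  # (pattern, mode string)

    handle(text.splitlines())
    return header[1], caps, paths, variables

VAR_RE = re.compile(r"@\{(\w+)\}")
def expand_vars(s, variables):
    """Substitute every @{VAR}; each value of the variable yields one concrete string."""
    m = VAR_RE.search(s)
    if m is None:
        return [s]
    return [x for v in variables[m.group(1)]                    # KeyError: undefined variable
            for x in expand_vars(s[:m.start()] + v + s[m.end():], variables)]

def expand_braces(s):
    """Expand {a,b} alternations: /{var/spool/postfix/,}flush -> two concrete paths."""
    start = s.find("{")
    if start < 0:
        return [s]
    depth, parts, cur = 0, [], ""
    for end in range(start + 1, len(s)):
        depth += (s[end] == "{") - (s[end] == "}")
        if depth < 0:                                          # matching "}" found
            break
        if s[end] == "," and depth == 0:
            parts, cur = parts + [cur], ""
        else:
            cur += s[end]
    else:
        return [s]                                             # unbalanced: keep literal
    return [s[:start] + p + rest for rest in expand_braces(s[end + 1:])
            for alt in parts + [cur] for p in expand_braces(alt)]

def glob_to_regex(pattern):
    """ASSUMPTION: only *, ** and ? are modeled; * and ? do not cross a '/'."""
    rx = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*").replace(r"\?", "[^/]")
    return re.compile(f"^{rx}$")

def parse_modes(mode):
    """'rix' -> {'r', 'ix'}: an exec qualifier letter binds to the x that follows it."""
    return set(re.findall(r"[iupUP]x|.", mode))

def compile_rules(path_rules, variables):
    """Expand variables and alternations -> [(regex, granted modes, rule as written)]."""
    compiled = []
    for pattern, mode in path_rules:
        for concrete in expand_vars(pattern, variables):
            for alt in expand_braces(concrete):                # "/home/*//.forward" -> one slash
                compiled.append((glob_to_regex(re.sub("/+", "/", alt)), parse_modes(mode), f"{pattern} {mode},"))
    return compiled

def profile_allows(rules, path, mode):
    """ASSUMPTION: permissions of every rule matching the path accumulate."""
    granted = set().union(*(g for rx, g, _ in rules if rx.match(path)))
    return parse_modes(mode) <= granted
```

Two details of the sample profile become visible when the rules are expanded: /{var/spool/postfix/,}flush yields both /var/spool/postfix/flush and /flush, so one entry covers the file as seen before and after a daemon chroots into the Postfix queue directory, and @{HOME}=/home/*/ makes the .forward entry match every user's home directory without descending into subdirectories, because * never crosses a slash. profile_allows answers only the profile half of the check described above; the kernel's ordinary permission check on the file must pass as well.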
To assist you in profiling your applications, Novell AppArmor provides two classes of #includes: abstractions and program chunks.
Abstractions are #includes that are grouped by common application tasks. These tasks include access to authentication mechanisms, access to name service routines, common graphics requirements, and system accounting. Files listed in these abstractions are specific to the named task. Programs that require one of these files usually require some of the other files listed in the abstraction file (depending on the local configuration as well as the specific requirements of the program). Find abstractions in /etc/apparmor.d/abstractions.
The program-chunks directory (/etc/apparmor.d/program-chunks) contains chunks of profiles that are specific to program suites and not generally useful outside of the suite; they are therefore never suggested for use in profiles by the profile wizards (aa-logprof and aa-genprof). Currently, program chunks are only available for the postfix program suite.