<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<!-- $Header$ -->

<guide disclaimer="draft" link="apparmor.xml" lang="en">
<title>Gentoo AppArmor Guide</title>

<author title="Author">
    <mail link="kensington@gentoo.org">Michael Palimaka</mail>
</author>

<abstract>
This guide provides a brief overview of AppArmor, and gives information
on how to install and configure it on Gentoo.
</abstract>

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
<license version="3.0"/>

<version>1</version>
<date>2012-07-10</date>

<chapter>
<title>Introduction</title>

<section>
<body>
<p>
AppArmor is a Linux Security Module implementation, built around the concept of attaching rules to file paths.
</p>
<p>
For each file path you specify, AppArmor permits the confined program only the permissions you grant; any access
not listed in the profile is denied.
</p>
<pre caption="Sample profile">
# ------------------------------------------------------------------
#    Copyright (C) 2002-2009 Novell/SUSE
#    Copyright (C) 2010 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
# ------------------------------------------------------------------

#include &lt;tunables/global&gt;

/sbin/klogd {
  #include &lt;abstractions/base&gt;

  capability sys_admin, # for backward compatibility with kernel &lt;= 2.6.37
  capability syslog,

  network inet stream,

  /boot/System.map*     r,
  @{PROC}/kmsg          r,
  @{PROC}/kallsyms      r,
  /dev/tty              rw,

  /sbin/klogd           rmix,
  /var/log/boot.msg     rwl,
  /{,var/}run/klogd.pid    krwl,
  /{,var/}run/klogd/klogd.pid krwl,
  /{,var/}run/klogd/kmsg   r,
}
</pre>
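<p>
The sample profile above is the kind of file a reviewer reads rule by rule. The following script is an added
example, not part of this guide or of the AppArmor project: it extracts the file access rules from profile text
and reports the ones that deserve a second look, namely unconfined execute permissions (<c>ux</c>/<c>Ux</c>, which
let the target run without any profile) and write access under a recursive <c>**</c> glob. The profile text is
constructed for the example; the <c>file_rules</c> and <c>risky_rules</c> function names are the example's own.
It assumes only POSIX sh and awk, and it only understands the plain <c>path perms,</c> rule form shown in this
guide (no <c>owner</c>, <c>deny</c> or quoted-path variants).
</p>

```sh
#!/bin/sh
# Constructed profile text for the example (not a real Gentoo profile): a few
# tight rules plus three deliberately loose ones for the checker to report.
# The #include lines a real profile carries are omitted; the checker would
# skip them anyway because they do not start with a path.
PROFILE_SAMPLE='/usr/local/bin/example {
  capability net_bind_service,
  network inet stream,

  /etc/example.conf          r,
  /var/log/example.log       w,
  /var/lib/example/**        rw,
  /usr/local/bin/example     rmix,
  /tmp/**                    rw,
  /usr/bin/helper            ux,
}'

# file_rules PROFILE_TEXT: print "path perms" for every file access rule, i.e.
# a line that starts with a path (or an @{VAR} variable) and ends in a comma,
# optionally followed by a comment. Comment, capability and network lines and
# the profile header (which ends in "{") do not match and are ignored.
file_rules() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(\/|@[{]).*,[ \t]*(#.*)?$/ {
            sub(/^[ \t]+/, "")        # strip indentation
            sub(/[ \t]*#.*$/, "")     # strip a trailing comment
            sub(/,[ \t]*$/, "")       # strip the terminating comma
            if (NF >= 2) print $1, $NF
        }'
}

# risky_rules PROFILE_TEXT: report file rules that grant more than a confined
# program usually needs. Flags, per rule:
#   unconfined-exec  "ux"/"Ux": the executed target runs without any profile
#   write-glob       write access under a recursive "**" glob
risky_rules() {
    file_rules "$1" | awk '
        {
            path = $1; perms = $2; why = ""
            if (perms ~ /[uU]x/) why = why "unconfined-exec,"
            if (perms ~ /w/) { if (path ~ /\*\*/) why = why "write-glob," }
            if (why != "") { sub(/,$/, "", why); print path, perms, why }
        }'
}

# Stand-alone run: list every file rule, then the ones worth reviewing.
file_rules "$PROFILE_SAMPLE"
echo "--- rules to review ---"
risky_rules "$PROFILE_SAMPLE"
```

<p>
Run it as <c>sh checker.sh</c>, or replace the sample with <c>"$(cat /etc/apparmor.d/some.profile)"</c> to
review a real profile. The checks are deliberately conservative: a <c>**</c> write rule is often legitimate (a
daemon's own state directory, for instance), so the output is a list of rules to justify, not of errors.
</p>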
</body>
</section>

</chapter>

<chapter>
<title>Initial setup</title>

<section>
<title>Kernel patching</title>
<body>
<p>
From Linux 3.4, improved AppArmor support has been merged into the kernel. For the best experience, however,
it is recommended to patch your kernel with additional support. Without the patches, it will only be possible to
activate profiles; deactivation, listing, the init script and so on will not work.
</p>
<p>
The required patches are included in the AppArmor tarball. If you are using a grsec enabled kernel, such as <c>hardened-sources</c>,
the patches will not cleanly apply. For convenience, a rebased version of the patches is
<uri link="https://github.com/kensington/apparmor-grsec/tarball/master">available</uri>.
</p>
</body>
</section>

<section>
<title>Install utilities</title>
<body>
<p>
The AppArmor userspace utilities currently live in the
<uri link="http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=summary">Hardened development overlay</uri>.
You should install layman, and then add the <c>hardened-dev</c> overlay:
</p>

<pre caption="Install userspace utilities">
# <i>layman -a hardened-dev</i>
# <i>emerge apparmor-utils</i>
<comment>You will probably also wish to install some profiles to get started:</comment>
# <i>emerge apparmor-profiles</i>
</pre>
</body>
</section>

<section>
<title>Further configuration</title>
<body>
<p>
You may wish to edit the configuration files located in <c>/etc/apparmor</c>; however,
the default values will suit most users.
</p>
</body>
</section>

</chapter>

<chapter>
<title>Working with profiles</title>

<section>
<body>
<p>
Profiles are stored as simple text files in <c>/etc/apparmor.d</c>. They may take any name, and may be stored
in subdirectories - you may organise them however it suits you.
</p>

<pre caption="Sample profile directory listing">
/etc/apparmor.d $ <i>ls</i>
abstractions  program-chunks  usr.lib.apache2.mpm-prefork.apache2  usr.lib.dovecot.managesieve-login  usr.sbin.dovecot  usr.sbin.nscd
apache2.d     sbin.klogd      usr.lib.dovecot.deliver              usr.lib.dovecot.pop3               usr.sbin.identd   usr.sbin.ntpd
bin.ping      sbin.syslog-ng  usr.lib.dovecot.dovecot-auth         usr.lib.dovecot.pop3-login         usr.sbin.lspci    usr.sbin.smbd
disable       sbin.syslogd    usr.lib.dovecot.imap                 usr.sbin.avahi-daemon              usr.sbin.mdnsd    usr.sbin.smbldap-useradd
local         tunables        usr.lib.dovecot.imap-login           usr.sbin.dnsmasq                   usr.sbin.nmbd     usr.sbin.traceroute
</pre>

<p>
Profiles are referred to by name, including any parent subdirectories if present.
</p>
</body>
</section>

<section>
<title>Manual control</title>
<body>

<p>
To activate a profile, simply set it to enforce mode.
</p>
<pre caption="Manual profile activation">
# <i>aa-enforce usr.sbin.dnsmasq</i>
Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
</pre>

<p>
Similarly, to deactivate a profile, simply set it to complain mode. In complain mode, violations of the profile
are logged but not blocked.
</p>
<pre caption="Manual profile deactivation">
# <i>aa-complain usr.sbin.dnsmasq</i>
Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode.
</pre>

<p>
The current status of your profiles may be viewed using <c>aa-status</c>.
</p>
<pre caption="Profile status listing">
# <i>aa-status</i>
apparmor module is loaded.
6 profiles are loaded.
5 profiles are in enforce mode.
   /bin/ping
   /sbin/klogd
   /sbin/syslog-ng
   /usr/sbin/dnsmasq
   /usr/sbin/identd
1 profiles are in complain mode.
   /usr/sbin/lspci
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/dnsmasq (12905)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
</pre>
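<p>
The <c>aa-status</c> listing above is also the natural input for a periodic check that confinement is still in
place. The script below is an added example, not part of this guide or of the AppArmor tools: it parses the text
output in the format shown above (captured to a variable here so it runs offline; on a live system you would
feed it <c>aa-status</c> output collected by cron or a monitoring agent) and reports profiles left in complain
mode and processes that have a profile on disk but are running unconfined, which is what you see when a daemon
was started before its profile was loaded. The function names <c>list_section</c>, <c>complain_profiles</c>,
<c>unconfined_with_profile</c> and <c>all_enforcing</c> are the example's own; it assumes POSIX sh and awk.
</p>

```sh
#!/bin/sh
# Constructed sample: the aa-status output from this guide, stored in a
# variable so the checks run offline on captured output.
AA_STATUS_SAMPLE='apparmor module is loaded.
6 profiles are loaded.
5 profiles are in enforce mode.
   /bin/ping
   /sbin/klogd
   /sbin/syslog-ng
   /usr/sbin/dnsmasq
   /usr/sbin/identd
1 profiles are in complain mode.
   /usr/sbin/lspci
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/dnsmasq (12905)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# list_section STATUS_TEXT HEADER_PATTERN: print the indented entries that
# follow the header line matching the pattern, stopping at the next
# non-indented line (which is the next header).
list_section() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        $0 ~ pat { grab = 1; next }                                    # header opens the section
        grab { if ($0 ~ /^[ \t]+/) { sub(/^[ \t]+/, ""); print; next } }  # indented entry
        { grab = 0 }                                                   # anything else closes it
    '
}

# Profiles loaded in complain mode: their violations are only logged, so the
# programs they cover are not actually confined yet.
complain_profiles() {
    list_section "$1" 'profiles are in complain mode'
}

# Running processes that have a profile on disk but are not confined by it,
# typically because they started before the profile was loaded; restarting
# the service picks the profile up.
unconfined_with_profile() {
    list_section "$1" 'processes are unconfined but have a profile defined'
}

# Health check for cron or a monitoring hook: succeeds only if every loaded
# profile is enforcing and no process has escaped its profile.
all_enforcing() {
    [ -z "$(complain_profiles "$1")" ] || return 1
    [ -z "$(unconfined_with_profile "$1")" ]
}

# Stand-alone run against the sample.
echo "profiles in complain mode:"
complain_profiles "$AA_STATUS_SAMPLE"
echo "unconfined processes with a profile:"
unconfined_with_profile "$AA_STATUS_SAMPLE"
if all_enforcing "$AA_STATUS_SAMPLE"; then
    echo "OK: all loaded profiles are enforcing"
else
    echo "WARNING: some profiles are not enforced"
fi
```

<p>
On the sample output the check warns, because <c>/usr/sbin/lspci</c> is in complain mode. Pair the warning with
a look at the kernel log: in complain mode AppArmor still records every access the profile would have denied,
so the log tells you what to add before switching the profile back to enforce mode with <c>aa-enforce</c>.
</p>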

</body>
</section>

<section>
<title>Automatic control</title>
<body>
<p>
The provided init script will automatically load all profiles located in your profile directory.
Unless otherwise specified, each profile will be loaded in enforce mode.
</p>
</body>
</section>

</chapter>

</guide>