Sunday, August 23, 2009

AppArmor on Ubuntu

In SUSE’s and Ubuntu’s AppArmor implementations, AppArmor comes with an assortment of pretested profiles for popular server and client applications and with simple tools for creating your own AppArmor profiles. On Ubuntu systems, most of the pretested profiles are enabled by default; there’s nothing you need to do to install or enable them. Other Ubuntu AppArmor profiles are installed but set to run in complain mode, in which AppArmor only logs unexpected application behavior to /var/log/messages rather than both blocking and logging it. You can either leave them that way, if you’re satisfied with using AppArmor merely as a watchdog for those applications (in which case you should keep an eye on /var/log/messages), or you can switch them to enforce mode yourself, although, of course, you should test thoroughly first.

Still other profiles are provided by Ubuntu’s optional apparmor-profiles package. Whereas ideally a given AppArmor profile should be incorporated into its target application’s package, for now at least, apparmor-profiles is sort of a catchall for emerging and not-quite-stable profiles that, for whatever reason, aren’t appropriate to bundle with their corresponding packages. Active AppArmor profiles reside in /etc/apparmor.d. The files at the root of this directory are parsed and loaded at boot time automatically. The apparmor-profiles package installs some of its profiles there, but puts experimental profiles in /usr/share/doc/apparmor-profiles/extras.

The Ubuntu 9.04 packages put corresponding profiles into /etc/apparmor.d. If you install the package apparmor-profiles, you’ll additionally get default protection for the packages shown. The lists in Tables 1 and 2 are perhaps as notable for what they lack as for what they include. Although such high-profile server applications as BIND, MySQL, Samba, NTPD and CUPS are represented, very notably absent are Apache, Postfix, Sendmail, Squid and SSHD. And, what about important client-side network tools like Firefox, Skype, Evolution, Acrobat and Opera? Profiles for those applications and many more are provided by apparmor-profiles in /usr/share/doc/apparmor-profiles/extras, but because they reside there rather than /etc/apparmor.d, they’re effectively disabled. These profiles are disabled either because they haven’t yet been updated to work with the latest version of whatever package they protect or because they don’t yet provide enough protection relative to the Ubuntu AppArmor team’s concerns about their stability. Testing and tweaking such profiles is beyond the scope of this article, but suffice it to say, it involves the logprof command.
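As an added example (not code from the article), the POSIX shell script below does the "keep an eye on the log" part of the watchdog workflow described above: it triages AppArmor events from a syslog-style file such as /var/log/messages, separating what a complain-mode profile merely logged from what an enforce-mode profile actually blocked, and lists the complain-mode profiles whose logged behaviour needs review before they are switched to enforce mode. The sample log lines are constructed; the `apparmor="ALLOWED"`/`"DENIED"` key format and the `aa-complain`/`aa-enforce` commands from the apparmor-utils package are assumptions, not something the article states.

```shell
#!/bin/sh
# Added example: triage AppArmor events from a syslog-style file such as /var/log/messages.
# Assumption: the kernel's apparmor="ALLOWED"/"DENIED" key format. ALLOWED = a complain-mode
# profile logged behaviour it would have blocked; DENIED = an enforce-mode profile blocked it.
# Constructed sample lines (not from a real system).
SAMPLE_LOG=$(cat <<'EOF'
Aug 23 10:15:42 host kernel: [ 1234.567890] type=1400 audit(1251022542.123:45): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp/keys" pid=2210 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 23 10:15:43 host kernel: [ 1235.001122] type=1400 audit(1251022543.456:46): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/var/tmp/scratch" pid=2210 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Aug 23 10:16:01 host kernel: [ 1253.200000] type=1400 audit(1251022561.789:47): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=3150 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 23 10:16:05 host kernel: [ 1257.300000] type=1400 audit(1251022565.000:48): apparmor="STATUS" operation="profile_load" name="/usr/sbin/ntpd" pid=3200 comm="apparmor_parser"
Aug 23 10:17:00 host sshd[3301]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
EOF
)

# Read syslog text on stdin; emit "MODE PROFILE OPERATION PATH" per ALLOWED/DENIED event.
# (Values containing spaces would need a real key=value tokenizer; this is field based.)
aa_events() {
    awk '/apparmor="(ALLOWED|DENIED)"/ {
        split("", kv)
        for (i = 1; i <= NF; i++)
            if (split($i, p, "=") == 2) { gsub(/"/, "", p[2]); kv[p[1]] = p[2] }
        print kv["apparmor"], kv["profile"], kv["operation"], kv["name"]
    }'
}

# Per-profile event counts by mode: "ALLOWED /usr/sbin/ntpd 2" means ntpd is still
# in complain mode and did two things its profile does not permit.
aa_summary() {
    aa_events | awk '{ n[$1 " " $2]++ } END { for (k in n) print k, n[k] }' | sort
}

# Complain-mode profiles that logged unexpected behaviour: review them before enforcing.
aa_complain_candidates() {
    aa_events | awk '$1 == "ALLOWED" { print $2 }' | sort -u
}

# Not run here: switching modes needs root and the apparmor-utils package
# (assumption: aa-complain/aa-enforce present). Profile files are named after the
# binary path with '/' replaced by '.', e.g. /etc/apparmor.d/usr.sbin.ntpd.
aa_set_mode() {
    case "$1" in
        complain) aa-complain "$2" ;;
        enforce)  aa-enforce "$2" ;;
        *) echo "usage: aa_set_mode complain|enforce /etc/apparmor.d/PROFILE" >&2; return 2 ;;
    esac
}
printf '%s\n' "$SAMPLE_LOG" | aa_summary
printf '%s\n' "$SAMPLE_LOG" | aa_complain_candidates
```

Run it against a real file with `aa_summary < /var/log/messages`; a profile that keeps showing up under ALLOWED with paths it legitimately needs is one whose profile wants tweaking rather than enforcing.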

Source of information: Linux Journal 185, September 2009
