AppArmor rules

AppArmor is a MAC (Mandatory Access Control) system that controls which parts of the system each program may access.

Inspect the current state

AppArmor profiles can be set to different modes:

  • complain mode: violations of the policy are only logged
  • enforce mode: operations that violate the policy are blocked.

Note that deny rules in profiles are enforced/blocked even in complain mode.

List all loaded AppArmor profiles for applications and processes and show the status of each (enforced, complain, unconfined):
sudo aa-status

List processes that have open TCP or UDP ports but no AppArmor profile loaded:
sudo aa-unconfined

Enabling profiles

Debian packages that install profiles to /etc/apparmor.d/ automatically enable them (complain mode). Other profiles need to be copied to this directory and manually set to complain or enforce mode.

For example, to install an "extra" profile from the /usr/share/apparmor/extra-profiles/ directory provided by the apparmor-profiles package and set it to complain mode:

List available profiles
ls /usr/share/apparmor/extra-profiles/

Install the profile
sudo cp /usr/share/apparmor/extra-profiles/usr.bin.example /etc/apparmor.d/

Set the profile to complain mode
sudo aa-complain /etc/apparmor.d/usr.bin.example

Debug profiles

Look in the system logs (kernel or audit log) for AppArmor messages containing:

  • ALLOWED (logged when a program under a profile in complain mode violates the policy; the operation is still permitted)
  • DENIED (logged when a profile in enforce mode actually blocks an operation)

Disable a profile temporarily
sudo aa-disable /etc/apparmor.d/usr.bin.example

After testing, re-enable it in complain mode
sudo aa-complain /etc/apparmor.d/usr.bin.example

Or in enforce mode
sudo aa-enforce /etc/apparmor.d/usr.bin.example
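A small log triage helper for the "Debug profiles" step above, added here as an example (it is not part of the original notes). It reads AppArmor audit lines, keeps only ALLOWED and DENIED events, and counts them per profile and path; SAMPLE_LOG contains constructed lines, and the profile names and paths in it are made up.

```shell
#!/bin/sh
# Constructed sample lines in the format AppArmor writes to the kernel/audit log.
# These are not real events; profile names and paths are invented for illustration.
SAMPLE_LOG='audit: type=1400 audit(1700000000.101:201): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=1201 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.102:202): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/home/user/.secret" pid=1201 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.103:203): apparmor="DENIED" operation="exec" profile="/usr/sbin/other" name="/bin/sh" pid=1300 comm="other" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.104:204): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/example" pid=1400 comm="apparmor_parser"'

# Extract the value of key="..." from one AppArmor log line.
aa_field() {  # $1 = log line, $2 = key (apparmor, profile, name, ...)
    printf '%s\n' "$1" | sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p"
}

# Print one "ACTION profile path" row per ALLOWED/DENIED event; STATUS lines
# (profile loads, mode changes) are skipped because they are not violations.
aa_events() {  # reads log text from stdin
    while IFS= read -r line; do
        action=$(aa_field "$line" apparmor)
        case "$action" in
            ALLOWED|DENIED)
                printf '%s %s %s\n' "$action" \
                    "$(aa_field "$line" profile)" "$(aa_field "$line" name)" ;;
        esac
    done
}

# Count events of one action in the sample log. ALLOWED rows are what a
# complain-mode profile would block once switched to enforce mode.
aa_count() {  # $1 = ALLOWED or DENIED
    printf '%s\n' "$SAMPLE_LOG" | aa_events | awk -v a="$1" '$1 == a' | wc -l | tr -d ' '
}

# Per-profile summary: how often each path was touched, and with which outcome.
aa_summary() {
    printf '%s\n' "$SAMPLE_LOG" | aa_events | sort | uniq -c
}

aa_summary
```

On a real host, replace SAMPLE_LOG with the output of `journalctl -k` or the audit log and review every ALLOWED path before running aa-enforce, since each one becomes a DENIED once the profile is enforced.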