AppArmor gives us granular control over what resources particular programs and processes are allowed to access.
- [Instructor] AppArmor is a mandatory access control system, implemented as a Linux Security Module, that lets administrators put security-related constraints on individual programs and processes. Access control on a Linux system is usually granted through user accounts and file permissions, but AppArmor restricts an individual program's access to files and resources regardless of which user runs it, even when that program runs as root. AppArmor is enabled by default on Ubuntu, SUSE and some other distros. It generally shouldn't get in your way, but I want to take a few minutes to show you the basics in case you need to interact with it.
We limit a process's privileges by creating a profile that details what the program is allowed to do and in what way. Profiles are plain-text files with their own syntax: they can pull in predefined bundles of rules (abstractions) through include directives, and they add individual rules that allow or deny access to specific files, capabilities and network resources. Profiles are stored in /etc/apparmor.d and are named for the absolute path of the program they confine, with dots replacing the slashes, so the profile for /usr/bin/firefox is /etc/apparmor.d/usr.bin.firefox.
Let's take a quick look at the Firefox profile. I'm not going to dig into the full syntax of AppArmor profiles here, but it is worth reading one to get a sense of how they work; if you need to write profiles, study existing ones as you learn. Near the top we have a variable declaration, and then an include that pulls in a set of global definitions (the tunables) for convenience.
Then comes the opening of a block for a specific file, the Firefox binary itself, but not the firefox.sh script in the same folder. Inside that block, a lot more abstractions are included. Further down, rules set how the program may interact with D-Bus and what it is allowed to do on the network. And further down we see particular restrictions: rules denying access to specific resources, or granting read, write and other permissions on certain files. Those are the r, w and other letters you see at the end of the rule lines.
I'll scroll down a bit to the directory rules, and we can see that the program is granted read access to the process owner's home directory and some subfolders there, and that it can read and write files inside the Downloads folder. The big block of rules that applies to the Firefox binary ends down here at the bottom of the file. But before it closes, it brings in more profile rules defined generically for browsers on Ubuntu that aren't specific to Firefox, and then some local modifications for Firefox as well (the file under local/ is the intended place for site-specific additions, so they aren't clobbered when the package updates its profile). So there are several places to look for the policy that is actually being applied.
I'll close this for now. AppArmor profiles can operate in two modes: enforce mode, which enforces the policy, and complain mode, which doesn't block anything but logs what would have been denied as the program runs. This is helpful for catching rules you've missed while designing or editing a profile. We switch a particular profile between modes with the aa-complain and aa-enforce commands from the apparmor-utils package; each takes the profile file (or the program's path) as its argument, for example aa-complain /etc/apparmor.d/usr.bin.firefox. The events land in the kernel log (dmesg, or /var/log/kern.log and syslog on Ubuntu) or, when auditd is running, in /var/log/audit/audit.log, and aa-logprof from the same package can turn them into rule suggestions.
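Here is an added example, written for this page rather than taken from the course or the AppArmor project, of the kind of processing aa-logprof does with complain-mode output: it parses kernel audit lines in AppArmor's key="value" format, merges repeated events for the same profile and path, translates the log's mask letters (create and delete show up as c and d in the log but are granted by w in a rule) and proposes file rules for the ALLOWED events. The four log lines are constructed, as are the user name scott, the paths, PIDs and timestamps; real logs use the same field names.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel's AppArmor audit format. The user name,
# paths, PIDs and timestamps are made up for this example.
# apparmor="ALLOWED" is what complain mode logs for an access the profile would have
# blocked; apparmor="DENIED" is what enforce mode logs when it actually blocks one.
SAMPLE_LOG = """\
audit: type=1400 audit(1613484000.101:2001): apparmor="ALLOWED" operation="open" profile="firefox" name="/home/scott/Downloads/report.pdf" pid=4242 comm="firefox" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1613484000.102:2002): apparmor="ALLOWED" operation="open" profile="firefox" name="/home/scott/Downloads/report.pdf" pid=4242 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
audit: type=1400 audit(1613484000.150:2003): apparmor="DENIED" operation="open" profile="firefox" name="/etc/shadow" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1613484000.200:2004): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="firefox" pid=9000 comm="apparmor_parser"
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key="quoted value" or key=bare
LOG_TO_RULE = {"c": "w", "d": "w"}  # create/delete appear in log masks; 'w' grants them in a rule
PERM_ORDER = "rwamklix"             # canonical order for the letters in a suggested rule


def parse_line(line):
    """Split one AppArmor audit line into a dict of its key=value fields (None if not AppArmor)."""
    if "apparmor=" not in line:
        return None
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}


def rule_perms(mask):
    """Translate a log mask such as 'wc' into the permission letters a profile rule would use."""
    letters = {LOG_TO_RULE.get(ch, ch) for ch in mask}
    return "".join(sorted(letters, key=lambda ch: PERM_ORDER.find(ch) if ch in PERM_ORDER else 99))


def summarize(log_text):
    """Merge file events per (profile, path) into the set of rule permissions they exercised.

    Returns {"ALLOWED": {(profile, path): set}, "DENIED": {...}} keyed by verdict."""
    summary = {"ALLOWED": defaultdict(set), "DENIED": defaultdict(set)}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("apparmor") not in summary or "name" not in ev:
            continue  # STATUS lines (profile loads/replacements) and non-file events are skipped
        mask = ev.get("denied_mask") or ev.get("requested_mask") or ""
        summary[ev["apparmor"]][(ev["profile"], ev["name"])].update(rule_perms(mask))
    return summary


def suggest_rules(summary):
    """Turn complain-mode (ALLOWED) events into candidate rules, one per path, in profile syntax."""
    return [f"{path} {rule_perms(''.join(perms))},"
            for (_profile, path), perms in sorted(summary["ALLOWED"].items())]


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for verdict in ("ALLOWED", "DENIED"):
        for (profile, path), perms in sorted(result[verdict].items()):
            print(f"{verdict:8} {profile:10} {path} {''.join(sorted(perms))}")
    print("suggested rules:", suggest_rules(result))
```

Run it against real input by piping in journalctl -k or /var/log/audit/audit.log; aa-logprof does the same job interactively and also offers globbed variants of each path, which is usually what you want instead of one rule per file.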
The aa-status command reports overall information about the AppArmor system: which profiles are loaded, which mode each one is in, and which running processes are confined by them. Adding --help shows a few other things the command can do. Because a profile that exists in /etc/apparmor.d isn't necessarily loaded into the kernel, aa-status is also the place to confirm that a profile is actually active before you rely on it. Again, I'm not going to get into the details of writing profiles here, but I do encourage you to experiment with profiles to get a little more understanding. An interesting task might be to deny Firefox the ability to save downloaded files.
It looks obvious in the usr.bin.firefox profile, but remember that file includes some others after most of the app-specific settings, so an allow rule in an included file can grant the very access you're trying to remove. A deny rule wins over any allow rule that matches the same path, so deny is the safer tool for this exercise. Modify the file, save it, reload the profile into the kernel with apparmor_parser -r (or aa-enforce) and relaunch Firefox. Writing AppArmor policies is a somewhat less common task for system administrators, but it's good to know that AppArmor exists, how it works and how to interact with it.
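To make the rule syntax from the Firefox walkthrough and the downloads exercise concrete, here is an added example that is not part of the course and is not Ubuntu's actual usr.bin.firefox profile: a small Python evaluator for the file-rule subset of AppArmor's profile language (variables, includes, path globs, and the owner and deny prefixes), run against a constructed, simplified profile. Everything in SAMPLE_PROFILE is made up for the example, including the @{HOME} definition, which the real tunables derive from @{HOMEDIRS}; includes are recorded but not resolved, and capability, network and dbus rules are rejected rather than interpreted. It shows why the exercise works: the deny rule for @{HOME}/Downloads/** wins over the stock rw allow rule even though the allow rule comes first.

```python
import re
from collections import namedtuple

# Constructed, simplified profile in AppArmor file-rule syntax. Loosely shaped like
# Ubuntu's Firefox profile but NOT that file: real tunables define @{HOME} via
# @{HOMEDIRS}, and real profiles also carry capability/network/dbus rules.
SAMPLE_PROFILE = """\
#include <tunables/global>
@{MOZ_LIBDIR}=/usr/lib/firefox
@{HOME}=/home/* /root

/usr/bin/firefox {
  #include <abstractions/base>
  @{MOZ_LIBDIR}/** r,
  @{MOZ_LIBDIR}/firefox ix,

  owner @{HOME}/ r,
  owner @{HOME}/** r,
  owner @{HOME}/.mozilla/** rw,
  owner @{HOME}/Downloads/** rw,   # what the stock rule grants
  deny @{HOME}/.ssh/** rw,
  deny /etc/shadow r,

  # the exercise from the video: a deny rule beats every matching allow rule
  deny @{HOME}/Downloads/** w,
}
"""

Rule = namedtuple("Rule", "text path perms deny owner regex")
Profile = namedtuple("Profile", "name variables includes rules")
VAR_RE = re.compile(r"@\{(\w+)\}")


def expand_vars(text, variables):
    """Substitute @{VAR} references; a multi-valued variable becomes a {a,b} alternation."""
    def sub(m):
        values = variables.get(m.group(1))
        if values is None:
            return m.group(0)  # unknown variable: left as written
        return values[0] if len(values) == 1 else "{" + ",".join(values) + "}"
    for _ in range(10):  # variables may reference other variables
        new = VAR_RE.sub(sub, text)
        if new == text:
            break
        text = new
    return text


def glob_to_regex(pattern, variables):
    """Translate an AppArmor path glob (**, *, ?, {a,b}, [...]) into a compiled regex."""
    pattern = expand_vars(pattern, variables)
    out, i, depth = [], 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*"); i += 2; continue  # ** crosses directory boundaries
        if ch == "*": out.append("[^/]*")        # * stops at a slash
        elif ch == "?": out.append("[^/]")
        elif ch == "{": out.append("("); depth += 1
        elif ch == "}": out.append(")"); depth -= 1
        elif ch == "," and depth > 0: out.append("|")
        elif ch == "[" and "]" in pattern[i:]:   # character class passes straight through
            j = pattern.index("]", i); out.append(pattern[i:j + 1]); i = j + 1; continue
        else: out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out))


def parse_profile(text):
    """Parse variables, includes (recorded only), one profile header and file rules."""
    variables, includes, rules, name = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("#include", "include")):
            includes.append(line[line.index("<") + 1:line.rindex(">")])
            continue
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line == "}":
            continue
        if line.startswith("@{") and "=" in line:
            var, _, value = line.partition("=")
            variables[var.strip()[2:-1]] = value.split()
            continue
        if line.endswith("{"):
            header = line[:-1].split()
            name = header[1] if header[0] == "profile" else header[0]
            continue
        tokens = line.rstrip(",").split()
        deny = owner = False
        while tokens and tokens[0] in ("audit", "deny", "owner"):
            flag = tokens.pop(0)
            deny, owner = deny or flag == "deny", owner or flag == "owner"
        if len(tokens) != 2 or not tokens[0].startswith(("/", "@{")):
            raise ValueError(f"unsupported line (only file rules are handled): {raw!r}")
        path, perms = tokens
        rules.append(Rule(line, path, set(perms), deny, owner, glob_to_regex(path, variables)))
    return Profile(name, variables, includes, rules)


def check(profile, path, perm, owner=True):
    """Decide whether `profile` grants permission letter `perm` on `path`; returns (bool, reason).

    owner=True means the file belongs to the process's uid, which 'owner' rules require.
    Deny rules win over any allow rule; with no matching rule AppArmor denies by default."""
    allowed_by = None
    for rule in profile.rules:
        if (rule.owner and not owner) or perm not in rule.perms or not rule.regex.fullmatch(path):
            continue
        if rule.deny:
            return False, f"explicit deny: {rule.text}"
        allowed_by = allowed_by or rule.text
    return (True, f"allowed by: {allowed_by}") if allowed_by else (False, "no matching rule (default deny)")


def profile_filename(program_path):
    """Profile file name for a program: /usr/bin/firefox -> usr.bin.firefox."""
    return program_path.lstrip("/").replace("/", ".")


if __name__ == "__main__":
    prof = parse_profile(SAMPLE_PROFILE)
    print(f"{prof.name} -> /etc/apparmor.d/{profile_filename(prof.name)}; includes {prof.includes}")
    for p, perm in [("/home/scott/Downloads/report.pdf", "w"), ("/home/scott/Downloads/report.pdf", "r"),
                    ("/home/scott/.ssh/id_ed25519", "r"), ("/etc/shadow", "r"), ("/var/tmp/x", "r")]:
        print(f"{perm} {p}: {check(prof, p, perm)}")
```

Run the file directly for a printed walk-through. The evaluator answers one permission letter at a time, which is enough to reason about a rule edit; after changing the real profile, remember the kernel only sees the change once apparmor_parser -r has reloaded it.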
Video: AppArmor
Updated: 2/16/2021
Released: 10/3/2017
Skill Level: Intermediate
Duration: 4m 2s