AppArmor

- [Instructor] AppArmor is a security package that allows administrators to set particular security-related constraints on programs and processes. While access control on a Linux system is usually granted through user accounts, AppArmor allows us to restrict individual program's access to files and resources regardless of what user runs them, even the super user. AppArmor is enabled by default on Ubuntu and some other distros. And while it really shouldn't get in your way, I want to take a few minutes to show you some of the basics in case you need to interact with it.

We limit processes' privileges by creating profiles which detail what each process is allowed to do and in what way. These profiles are like programs or configuration files and can include bundles of predefined capabilities and specify individual parameters to allow or deny access to specific things as well. These profiles are stored in etc/apparmor.d and are named for the program they pertain to with dots replacing the slashes in the path to the program.

Let's take a quick look at the configuration for Firefox here. I'm not going to dig into the syntax of AppArmor profiles here, but it is interesting to take a look at them to get a sense of how they work. If you need to write profiles, be sure to study existing ones as you learn. Here we have a variable declaration and here we're including a bunch of global definitions for convenience.

Then we have the opening of a block pertaining to a specific filename, the Firefox binary itself, but not the firefox.sh script in the same folder. For this particular file, we're including a lot more stuff. And further down, we're setting how the program can interact with dbus and what ways it's allowed to interact with a network. And further down, we can see other particular restrictions, denying access to specific resources or setting read, write and other capabilities on certain files. That's the r, w and other letters that you see at the end of particular lines.

I'll scroll down a bit to the folders and we can see that the program is being granted read access to the process owner's home directory and some subfolders there and it can read and write files inside the downloads folder. That big block of settings that apply to the Firefox binary ends down here at the bottom of the file. But before it does, it brings in some more profile information defined generally for browsers on Ubuntu that aren't specific to Firefox. And then it brings in some local modifications for Firefox as well. So, there's a few places to look for policies that are being applied.

I'll close this for now. AppArmor profiles can operate in two modes, enforcement mode which enforces the policy and complain mode which doesn't enforce restrictions but only logs what would be enforced as a program runs. This is helpful for catching things that might have been missed as you're designing or editing a profile. We can switch a particular profile between modes with the aa-complain and aa-enforce programs that are available in the apparmor-utils package. To switch the modes, we'd just use each app and the name of the file to change.

The aa-status command tells us some overall information about the AppArmor system. AA-status will give a list of profiles and running processes that AppArmor is managing, what mode they're in and so on. And adding --help will show a few other things that the command can do. Again, I'm not going to get into the details of writing profiles here, but I do encourage you to experiment with profiles to get a little bit more understanding. An interesting task might be to deny Firefox the ability to save downloaded files.

It looks obvious in the user/bin/firefox file, but remember that file calls in some others after most of the app-specific settings. Modify the file, save it, relaunch Firefox and you're good to go. Writing AppArmor policies is somewhat less common of a task for system administrators, but it's good to know that AppArmor exists, how it works and how to interact with it.