Diffstat (limited to 'html/apparmor.html')
-rw-r--r-- | html/apparmor.html | 222 |
1 files changed, 222 insertions, 0 deletions
diff --git a/html/apparmor.html b/html/apparmor.html new file mode 100644 index 0000000..291adb9 --- /dev/null +++ b/html/apparmor.html 
@@ -0,0 +1,222 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> +<html lang="en"> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> +<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> +<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon"> +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> +<title>Gentoo Linux Documentation +-- + Gentoo AppArmor Guide</title> +</head> +<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> +<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> +<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> +<td width="99%" class="content" valign="top" align="left"> +<table class="ncontent" align="center" width="90%" border="2px" cellspacing="0" cellpadding="4px"><tr><td bgcolor="#ddddff"><p class="note"><b>Disclaimer : </b> + This document is a work in progress and should not be considered official yet. 
+ </p></td></tr></table> +<br><h1>Gentoo AppArmor Guide</h1> +<form name="contents" action="http://www.gentoo.org"> +<b>Content</b>: + <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option> +<option value="#doc_chap2">2. Initial setup</option> +<option value="#doc_chap3">3. Working with profiles</option></select> +</form> +<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. + </span>Introduction</p> +<p> +AppArmor is a Linux Security Module implementation, working around the concept of adding rules to file paths. +</p> +<p> +For each file path you specify, AppArmor will permit it only the permissions you grant. +</p> +<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample profile</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +# ------------------------------------------------------------------ +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2010 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# ------------------------------------------------------------------ + +#include <tunables/global> + +/sbin/klogd { + #include <abstractions/base> + + capability sys_admin, # for backward compatibility with kernel <= 2.6.37 + capability syslog, + + network inet stream, + + /boot/System.map* r, + @{PROC}/kmsg r, + @{PROC}/kallsyms r, + /dev/tty rw, + + /sbin/klogd rmix, + /var/log/boot.msg rwl, + /{,var/}run/klogd.pid krwl, + /{,var/}run/klogd/klogd.pid krwl, + /{,var/}run/klogd/kmsg r, +} +</pre></td></tr> +</table> +<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2. 
+ </span>Initial setup</p> +<p class="secthead"><a name="doc_chap2_sect1">Kernel patching</a></p> +<p> +From Linux 3.4, improved AppArmor support has been merged into the kernel. For the best experience, however, +it is recommended to patch your kernel with additional support. Without patching, it will only be possible to activate +profiles - deactivation, listing, init script etc. will not work. +</p> +<p> +The required patches are included in the AppArmor tarball. If you are using a grsec enabled kernel, such as <span class="code" dir="ltr">hardened-sources</span>, +the patches will not cleanly apply. For convenience, a rebased version of the patches is +<a href="https://github.com/kensington/apparmor-grsec/tarball/master">available</a>. +</p> +<p class="secthead"><a name="doc_chap2_sect2">Install utilities</a></p> +<p> +The AppArmor userspace utilities currently live in the +<a href="http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=summary">Hardened development overlay</a>. +You should install layman, and then add the <span class="code" dir="ltr">hardened-dev</span> overlay: + +<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Install userspace utilities</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +# <span class="code-input">layman -a hardened-dev</span> +# <span class="code-input">emerge apparmor-utils</span> +<span class="code-comment">You will probably also wish to install some profiles to get started:</span> +# <span class="code-input">emerge apparmor-profiles</span> +</pre></td></tr> +</table> + +</p> +<p class="secthead"><a name="doc_chap2_sect3">Further configuration</a></p> +<p> +You may wish to edit the configuation files located in <span class="code" dir="ltr">/etc/apparmor</span>, however +the default values will suit most users. 
+</p> +<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3. + </span>Working with profiles</p> +<p> +Profiles are stored as simple text files in <span class="code" dir="ltr">/etc/apparmor.d</span>. They may take any name, and may be stored +in subdirectories - you may organise them however it suits you. +</p> +<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: Sample profile directory listing</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +/etc/apparmor.d $ <span class="code-input">ls</span> +abstractions program-chunks usr.lib.apache2.mpm-prefork.apache2 usr.lib.dovecot.managesieve-login usr.sbin.dovecot usr.sbin.nscd +apache2.d sbin.klogd usr.lib.dovecot.deliver usr.lib.dovecot.pop3 usr.sbin.identd usr.sbin.ntpd +bin.ping sbin.syslog-ng usr.lib.dovecot.dovecot-auth usr.lib.dovecot.pop3-login usr.sbin.lspci usr.sbin.smbd +disable sbin.syslogd usr.lib.dovecot.imap usr.sbin.avahi-daemon usr.sbin.mdnsd usr.sbin.smbldap-useradd +local tunables usr.lib.dovecot.imap-login usr.sbin.dnsmasq usr.sbin.nmbd usr.sbin.traceroute +</pre></td></tr> +</table> +<p> +Profiles are referred to by name, including any parent subdirectories if present. +</p> +<p class="secthead"><a name="doc_chap3_sect2">Manual control</a></p> +<p> +To activate a profile, simply set it to enforce mode. +<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Manual profile activation</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +# <span class="code-input">aa-enforce usr.sbin.dnsmasq</span> +Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode. +</pre></td></tr> +</table> +</p> +<p> +Similarly, to deactive a profile, simply set it to complain mode. 
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Manual profile deactivation</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +# <span class="code-input">aa-complain usr.sbin.dnsmasq</span> +Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode. +</pre></td></tr> +</table> +</p> +<p> +The current status of your profiles may be viewed using <span class="code" dir="ltr">aa-status</span>. +<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Profile status listing</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +# <span class="code-input">aa-status</span> +apparmor module is loaded. +6 profiles are loaded. +5 profiles are in enforce mode. + /bin/ping + /sbin/klogd + /sbin/syslog-ng + /usr/sbin/dnsmasq + /usr/sbin/identd +1 profiles are in complain mode. + /usr/sbin/lspci +1 processes have profiles defined. +1 processes are in enforce mode. + /usr/sbin/dnsmasq (12905) +0 processes are in complain mode. +0 processes are unconfined but have a profile defined. +</pre></td></tr> +</table> +</p> +<p class="secthead"><a name="doc_chap3_sect3">Automatic control</a></p> +<p> +The provided init script will automatically load all profiles located in your profile directory. +Unless specifically specified otherwise, each profile will be loaded in enforce mode. +</p> +<br><p class="copyright"> + The contents of this document, unless otherwise expressly stated, are + licensed under the <a href="http://creativecommons.org/licenses/by-sa/3.0">CC-BY-SA-3.0</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply. 
+ </p> +<!-- + <rdf:RDF xmlns="http://web.resource.org/cc/" + xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> + + <License rdf:about="http://creativecommons.org/licenses/by-sa/3.0/"> + + <permits rdf:resource="http://web.resource.org/cc/Reproduction" /> + <permits rdf:resource="http://web.resource.org/cc/Distribution" /> + <requires rdf:resource="http://web.resource.org/cc/Notice" /> + <requires rdf:resource="http://web.resource.org/cc/Attribution" /> + <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" /> + <requires rdf:resource="http://web.resource.org/cc/ShareAlike" /> + </License> + </rdf:RDF> +--><br> +</td> +<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> +<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="apparmor.xml?style=printable">Print</a></p></td></tr> +<tr><td class="topsep" align="center"><p class="alttext">Page updated July 10, 2012</p></td></tr> +<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> +This guide provides a brief overview of AppArmor, and gives information +on how to install and configure it on Gentoo. +</p></td></tr> +<tr><td align="left" class="topsep"><p class="alttext"> + <a href="mailto:kensington@gentoo.org" class="altlink"><b>Michael Palimaka</b></a> +<br><i>Author</i><br></p></td></tr> +<tr lang="en"><td align="center" class="topsep"> +<p class="alttext"><b>Donate</b> to support our development efforts. 
+ </p> +<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> +<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> +</form> +</td></tr> +<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> +</table></td> +</tr></table></td></tr> +<tr><td colspan="2" align="right" class="infohead"> +Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +</td></tr> +</table></body> +</html> |
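Review bot: The "Manual control" section describes switching a profile to complain mode as deactivating it ("Similarly, to deactive a profile, simply set it to complain mode."), which misstates the security effect: a profile in complain mode stays loaded and logs policy violations instead of denying them, as the page's own aa-status listing shows ("1 profiles are in complain mode." alongside "6 profiles are loaded."). Suggest rewording to something like "To stop a profile from blocking accesses while still logging what it would deny, set it to complain mode" and keeping the word "deactivation" for a profile that is actually unloaded; the "disable" directory shown in Listing 3.1 is the natural place to point readers for that. In the same hunk, the anchor name doc_chap1_pre1 is reused for five listings and four of them carry the caption "Code Listing1.1" even though they sit in chapters 2 and 3; give each listing a unique anchor (doc_chap2_pre1, doc_chap3_pre2, ...) and the matching number, and add the missing space in "Code Listing 1.1". The listing tables in chapters 2 and 3 are nested inside open <p> elements, which HTML 4.01 Transitional does not allow for block content; close the paragraph before each table. Finally, fix the typos "configuation" and "deactive".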