AppArmor is an application security tool designed to provide an easy-to-use security framework for your applications. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behaviour and preventing even unknown application flaws from being exploited. AppArmor security policies, called “profiles”, completely define what system resources individual applications can access, and with what privileges. A number of default profiles are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor profiles for even very complex applications can be deployed successfully in a matter of hours.
To defend against potentially mis-behaving software, we want to apply the principle of least privilege to applications. Whenever the application runs, restrict it to only access the resources it needs to get its job done. Thus if it ever is exploited, the amount of damage is minimized. However, we also need the privilege confinement to be secure, transparent, and fast.
- Secure – the application cannot escape or bypass the confinement.
- Fast – performance overhead is negligible.
- Transparent – software and users can do things the way they did before, with as few changes as possible.
Secure is vital so that the security is upheld. Transparent and Fast are vital because the very worst security is that which is turned off because it was too troublesome or expensive to use. This is how AppArmor achieves security, performance and transparency.
AppArmor consists of:
– a kernel module which enforces the security profiles
– a set of AppArmor profiles for numerous programs
– tools to create and manage new and existing AppArmor profiles
AppArmor tools and profiles for you to use to secure your applications and create new profiles.
AppArmor uses the kernel standard securityfs mechanism to load policy and report information to system administrators. The usual mountpoint for securityfs is /sys/kernel/security.
If not mounted it can be mounted with:
mount securityfs -t securityfs /sys/kernel/security
Once securityfs has been mounted and AppArmor loaded,
/sys/kernel/security/apparmor/profile will list the profiles loaded into the kernel, as well as mark if the profiles are in enforcement mode or in learning mode:
$ sudo cat /sys/kernel/security/apparmor/profiles
/sys/kernel/security/apparmor/control/ control seldom-used features of AppArmor:
audit if ‘1’, audit all actions by confined processes
complain if ‘1’, allow all actions by confined processes, report accesses not granted by policy
debug if ‘1’, emit copius debugging
logsyscall if ‘1’, use audit framework’s syscall debugging, if audit has been instructed to create per-task contexts.
Application Security and System Security
An individual application can be secured using an individual profile, but how to secure a system? A vital question in securing any system is “against what threats?” We could profile all of the programs on the system, but that would be a lot of effort, and in most cases unnecessary. For instance, consider the network threat model: we want to prevent remote network attackers from gaining control of the system. To prevent such an attack, we need to ensure that all programs that communicate with the network have an AppArmor profile. If we profile all applications that connect to the network, then the AppArmor profiles completely control everything that a network attacker could do to the system.
Anatomy of a Profile
AppArmor profiles are a simple declarative language; fully described in the apparmor.d manpage. Profiles are stored by convention in /etc/apparmor.d/. The AppArmor parser supports a simple “cpp-style include mechanism” to allow sharing pieces of policy.