What is AppArmor?
AppArmor is a Linux security feature that allows system administrators to restrict the capabilities of individual applications. AppArmor is based on the principle of least privilege, which means that each application should only have access to the resources that it needs to function properly and nothing more. This way, even if an application is compromised by a malicious attacker, the damage is limited to the scope of the application and does not affect the rest of the system.
AppArmor works by enforcing mandatory access control (MAC) policies on applications. MAC policies are rules that specify what actions an application can or cannot perform, such as reading or writing files, accessing network sockets, executing commands, etc. AppArmor policies are defined in plain text files that are stored in /etc/apparmor.d/ directory. Each policy file corresponds to an application and has a name that matches the application’s executable path. For example, the policy file for Firefox browser is /etc/apparmor.d/usr.bin.firefox.
AppArmor policies consist of two main sections: a header and a body. The header defines the name and the mode of the policy. The mode can be either enforce or complain. Enforce mode means that AppArmor will block any actions that violate the policy and log them to the system audit. Complain mode means that AppArmor will only log the violations but not block them. This is useful for testing and debugging purposes. The body of the policy defines the rules for the application. The rules are grouped into different categories, such as file rules, network rules, capability rules, etc. Each rule has a syntax that specifies the resource, the permissions, and the conditions for the rule. For example, the following rule allows Firefox to read any file in the user’s home directory:
owner @{HOME}/** r,
The owner keyword means that the rule only applies to files that are owned by the user who runs the application. The @{HOME} variable is a predefined alias for the user’s home directory. The ** wildcard means any file or directory under the home directory. The r permission means read-only access. The comma indicates the end of the rule.
AppArmor policies can also include other policy files using the #include directive. This allows for modularity and reuse of common rules. For example, the Firefox policy file includes the abstractions/base file, which contains some basic rules that are common to most applications, such as allowing access to /proc and /sys directories.
AppArmor is enabled by default on some Linux distributions, such as Ubuntu and openSUSE. To check the status of AppArmor, one can use the apparmor_status command, which shows the number of processes and profiles that are loaded and their modes. To change the mode of a profile, one can use the aa-enforce or aa-complain commands, followed by the profile name. To reload a profile after modifying it, one can use the apparmor_parser command with the -r option. To disable AppArmor completely, one can use the apparmor=0 kernel parameter at boot time.
Sounds a lot like SELinux. What's the difference?
AppArmor and SELinux are two Linux security modules that aim to enhance the security of Linux systems by enforcing mandatory access control (MAC) policies on applications. MAC policies are rules that specify what actions an application can or cannot perform, such as reading or writing files, accessing network sockets, executing commands, etc. However, AppArmor and SELinux have some differences in terms of their design, implementation, and features. Here are some of the main points of comparison between them:
- Access control mechanism: AppArmor uses security profiles based on paths, while SELinux uses security policies based on file labels. This means that AppArmor identifies applications by their executable paths, while SELinux identifies applications by their file system labels. For example, the policy file for Firefox browser in AppArmor is
/etc/apparmor.d/usr.bin.firefox, while the policy file for Firefox browser in SELinux is/etc/selinux/targeted/contexts/files/file_contexts.bin. - Availability and compatibility: AppArmor is available for any Linux distribution, but it is mainly used on SUSE and Ubuntu systems. SELinux is also available for any Linux distribution, but it is primarily used on Red Hat Enterprise Linux (RHEL) and Fedora systems. AppArmor is implemented in the Linux kernel and is thus more efficient than SELinux, which is implemented as a loadable kernel module. However, SELinux is more compatible with other Linux security features, such as namespaces, cgroups, and seccomp.
- Difficulty and flexibility: AppArmor is generally considered easier to learn, set up, and administer than SELinux, as it has a simpler and more intuitive syntax and commands. AppArmor also has a shorter learning curve, as it allows users to create and modify policies in complain mode, which logs violations but does not block them. SELinux, on the other hand, is more complex and less user-friendly, as it requires users to understand the concepts of contexts, types, roles, and domains. SELinux also has a stricter enforcement mode, which blocks violations by default. However, SELinux is more powerful and flexible than AppArmor, as it provides more granular and fine-grained control over applications and resources. SELinux also supports multi-level security (MLS) and multi-category security (MCS), which allow users to assign different levels and categories of sensitivity to files and processes.
- Level of protection: Both AppArmor and SELinux provide a high level of protection for Linux systems, as they can prevent or limit the damage caused by malicious attacks or compromised applications. However, the level of protection depends on the quality and accuracy of the policies that are defined for the applications. AppArmor and SELinux both have default policies for common applications, such as web servers, databases, and browsers, but they may not cover all the possible scenarios and use cases. Therefore, users need to customize and update their policies according to their specific needs and preferences. AppArmor and SELinux also have different approaches to policy enforcement: AppArmor works on the principle of granting access first, then applying restrictions, while SELinux works on the principle of denying access by default, then granting exceptions. This means that AppArmor is more permissive and less secure than SELinux, but also more flexible and less intrusive.
Read the similar overview of SELinux here to have a a better understanding of both!
Markus
Conclusion
AppArmor is a powerful and flexible security feature that can help protect Linux systems from malicious attacks. However, it is not a silver bullet and it does not eliminate the need for other security measures, such as keeping the system and the applications updated, using strong passwords, avoiding untrusted sources, etc.
AppArmor is only as effective as the policies that are defined for the applications. Therefore, it is important to understand the functionality and the requirements of the applications and to write policies that are appropriate and accurate.
Markus
