Basic Setup of AppArmor on Arch Linux

Everything Linux, A.I, IT News, DataOps, Open Source and more delivered right to you.
Subscribe
"The best Linux newsletter on the web"

Introduction

AppArmor is an LSM (Linux Security Module) that restricts what individual programs may do, using per-program profiles. It supplements the traditional Unix Discretionary Access Control (DAC) model with Mandatory Access Control (MAC): even a process running as root is limited to what its profile allows. Because its profiles identify programs and files by path rather than by security labels, it is generally seen as an easier alternative to NSA's SELinux.
In this article, I go over the basic setup of AppArmor. The credit for the documentation goes to the Arch Wiki.

Enabling AppArmor

AppArmor is compiled into the kernel on most Linux distributions, including Arch's default linux kernel, but that alone does not make it the active LSM. To enable it on every boot, we need to add it to our kernel boot parameters. Since I'm using GRUB, I should modify the GRUB_CMDLINE_LINUX parameter in the /etc/default/grub file (the Arch Wiki documents the exact parameters: historically apparmor=1 security=apparmor, while current kernels select the LSM stack with an lsm= list that must include apparmor). The following screenshot shows my GRUB configuration with the required change highlighted:

GRUB config

Now run the following command:

# grub-mkconfig -o /boot/grub/grub.cfg

The userspace utilities to interact with this module are available via the apparmor package. So run:

# pacman -Syu apparmor


Also enable the apparmor.service unit so that the profiles in /etc/apparmor.d/ are loaded at boot:

# systemctl enable apparmor

Now reboot.

Then, we can check whether AppArmor was successfully loaded by running the aa-enabled command, which should output "Yes". The kernel's own view is in /sys/kernel/security/lsm, a comma-separated list of the active LSMs, which should include apparmor; if it does not, the parameters never reached the kernel, and /proc/cmdline shows what GRUB actually passed.
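The steps above (edit /etc/default/grub, regenerate grub.cfg, reboot, verify) as one script. This is an added example, not code from the original post or from the Arch Wiki; it assumes the apparmor=1 security=apparmor parameters, and the file paths and the --apply/--check flags are choices made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): make the GRUB change idempotent
# and verify the result after reboot. Assumes the "apparmor=1 security=apparmor"
# parameters from the Arch Wiki; on kernels that select LSMs with an lsm= list
# the same helper works with that parameter string instead.
set -eu

APPARMOR_PARAMS='apparmor=1 security=apparmor'

# Append each AppArmor parameter to a GRUB_CMDLINE_LINUX value unless it is
# already there, so re-running the script never duplicates parameters.
# $1: current value (without the surrounding quotes). Prints the new value.
add_apparmor_params() {
    local cmdline="$1" p
    for p in $APPARMOR_PARAMS; do
        case " $cmdline " in
            *" $p "*) ;;                                # already present
            *) cmdline="${cmdline:+$cmdline }$p" ;;
        esac
    done
    printf '%s\n' "$cmdline"
}

# Rewrite the GRUB_CMDLINE_LINUX line of a /etc/default/grub-style file in
# place (GNU sed). $1: path to the file. Adds the line if the file lacks one.
update_grub_default() {
    local f="$1" cur new
    cur=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$f")
    new=$(add_apparmor_params "$cur")
    if grep -q '^GRUB_CMDLINE_LINUX=' "$f"; then
        sed -i "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$new\"|" "$f"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$new" >> "$f"
    fi
}

# Post-reboot check: /sys/kernel/security/lsm lists the active LSMs, comma
# separated. $1: that file's contents. Returns 0 if apparmor is among them.
lsm_has_apparmor() {
    case ",$1," in
        *,apparmor,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (as root): ./enable-apparmor.sh --apply   # then reboot
#                  ./enable-apparmor.sh --check   # after the reboot
case "${1:-}" in
    --apply)
        update_grub_default /etc/default/grub
        grub-mkconfig -o /boot/grub/grub.cfg
        ;;
    --check)
        if lsm_has_apparmor "$(cat /sys/kernel/security/lsm)" && [ "$(aa-enabled)" = "Yes" ]; then
            echo "AppArmor is active"
        else
            echo "AppArmor is NOT active: compare /proc/cmdline with /etc/default/grub" >&2
            exit 1
        fi
        ;;
esac
```

The idempotent helper matters because the same file is edited again for every other kernel parameter you add later; a duplicated or half-typed parameter silently leaves AppArmor off, which is exactly what the --check branch is there to catch.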

Loading AppArmor Profiles

Just enabling the module serves no purpose on its own: nothing is confined until profiles are loaded, and every program without a profile keeps running unconfined. We need to define profiles according to the restrictions we want to place on our programs. Creating profiles is well documented on the Internet, but it is a tedious task considering the number of applications we usually have on our systems. Fortunately, the installed package comes with a few default profiles.

Default profiles for AppArmor

As can be seen in the screenshot, the extra profiles are located in the /usr/share/apparmor/extra-profiles/ directory. They are not active until they are compiled and loaded into the kernel with apparmor_parser, and they are only reloaded at every boot (by apparmor.service) if they are placed in the /etc/apparmor.d/ directory, which holds the profiles that the kernel is meant to enforce.

We can use the apparmor_parser(8) utility to compile and load the profiles under the extra-profiles directory.

Parse Profiles

In my case, I had already run the command, so it displays the expected message, "Profile already exists": that is what apparmor_parser reports when asked to add (-a) a profile that is already loaded, and -r (replace) is the option to use for reloading a profile that is already present. Either way, when the command finishes we have a few profiles loaded. Use aa-status to view the loaded profiles and whether each one is in enforce or complain mode.

aa-status

One of the profiles is for the Chromium web browser. One of the restrictions it enforces is that the browser cannot read anything in the user's home directory besides the Downloads folder. Two things to keep in mind: AppArmor profiles are path-based, so this profile only confines Chromium when it is started from the executable path named in the profile, and every denied access is logged to the kernel log (dmesg or journalctl -k) as an apparmor="DENIED" record, which is the first place to look when a confined program misbehaves.

Chromium can’t read $HOME except $HOME/Downloads/
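The safe way to bring in an extra profile, and the check that follows, as an added example that is not part of the original post: load the profile in complain mode first (accesses the profile would deny are logged as apparmor="ALLOWED" but not blocked), then read the kernel log to see what the profile would have denied before switching it to enforce. The log lines in the script are constructed for this example, modelled on the kernel's audit record format; the function names and the choice of profile are assumptions made here.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: load one of the extra profiles in
# complain mode, then summarise AppArmor events from kernel log lines.
# The sample log lines below are constructed for this example.
set -eu

EXTRA=/usr/share/apparmor/extra-profiles
ETC=/etc/apparmor.d

# Copy a profile from extra-profiles into /etc/apparmor.d (so apparmor.service
# reloads it at boot) and load it in complain mode (-C). Run as root.
# Once the log shows nothing unexpected, `apparmor_parser -r "$ETC/$name"`
# (without -C) switches it to enforce. $1: profile file name, e.g. usr.bin.chromium
load_profile_complain() {
    local name="$1"
    cp -n "$EXTRA/$name" "$ETC/$name"
    apparmor_parser -r -C "$ETC/$name"
}

# Print one line per AppArmor event on stdin: verdict profile operation path mask.
# Matches the audit record the kernel emits (type=1400 ... apparmor="DENIED"
# operation="open" profile="..." name="..." ... denied_mask="r"). Tokens are
# split on whitespace; AppArmor escapes spaces inside names, so each key=value
# pair stays one token. "capable" events carry capname instead of name/mask.
summarize_events() {
    awk '
    /apparmor="(DENIED|ALLOWED)"/ {
        split("", kv)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            gsub(/"/, "", v)
            kv[k] = v
        }
        path = ("name" in kv) ? kv["name"] : kv["capname"]
        mask = ("denied_mask" in kv) ? kv["denied_mask"] : "-"
        print kv["apparmor"], kv["profile"], kv["operation"], path, mask
    }'
}

# Denied-only view: the check to run once a profile is in enforce mode.
denied_only() {
    summarize_events | awk '$1 == "DENIED"'
}

# Constructed sample lines (not real captures), in the kernel audit format:
# an enforce-mode denial outside ~/Downloads, a complain-mode "would deny"
# record for an SSH key, a capability denial, and an unrelated kernel line.
SAMPLE_LOG='audit: type=1400 audit(1611256000.100:10): apparmor="DENIED" operation="open" profile="/usr/lib/chromium/chromium" name="/home/user/.bashrc" pid=1234 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1611256000.200:11): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium/chromium" name="/home/user/.ssh/id_rsa" pid=1234 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1611256000.300:12): apparmor="DENIED" operation="capable" profile="/usr/lib/chromium/chromium" pid=1234 comm="chromium" capability=21 capname="sys_admin"
kernel: unrelated line with no apparmor event'

# Usage on a live system (as root):
#   load_profile_complain usr.bin.chromium; journalctl -k -b | summarize_events
# Offline demo on the constructed sample:
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_events
fi
```

Reading the summary rather than raw dmesg makes the two failure modes easy to tell apart: ALLOWED records mean the profile is still in complain mode and would block that access once enforced, while DENIED records against a path you expected to work mean the profile needs a rule (or the program is not the binary the profile names).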

There are also plenty of other profiles on the Internet; I link them in the references below.

All in all, that should cover the basic usage. I will probably write about generating profiles after a bit more research. Stay tuned!

References

  1. AppArmor – Arch Wiki
  2. Creating an AppArmor Profile
  3. Additional AppArmor Profiles (1)
  4. Additional AppArmor Profiles (2)
Pratik Devkota
Software engineering student interested in UNIX (GNU/Linux, *BSD, etc.), security as well as free and open-source software.
