Understanding AppArmor in Ubuntu [Linux]

You have probably heard of AppArmor while installing Ubuntu, but since it is not an application that shows up in the Application Menu and it has no graphical interface, most of you probably have no idea what it does and why it is essential for your system. In short, AppArmor is a security module that confines individual programs to a listed set of files and capabilities so they cannot wreak havoc on your system.

AppArmor is a Mandatory Access Control (MAC) system that confines programs to a limited set of resources. It restricts a program to a set of files, attributes and capabilities so that it cannot go deep into the system and wreak havoc (unless it has been given the permission). Unlike Windows's UAC model, which gives control to the user, AppArmor binds the access-control attributes to the program itself.

AppArmor works at the kernel level and loads during boot. AppArmor handles permissions via profiles. A profile is a set of rules that determines what a program can and cannot do. A profile can run in one of two modes: Enforcement and Complain. Enforcement mode strictly enforces the policy defined in the profile and also reports policy violation attempts. Complain mode only reports the policy violation attempts but does not enforce the policy. Most profiles are loaded in Enforcement mode, though a good number of third-party profiles are loaded in Complain mode as well.

If you are using Ubuntu 7.04 or above, AppArmor is installed by default and loads when you boot up your computer. To check the AppArmor status, type the following command in the terminal:

sudo apparmor_status

This is what you will see:

[Screenshot: output of apparmor_status]

On my system, you can see that there are 17 profiles loaded in Enforcement mode and 4 currently running processes enforced by AppArmor.

Finding disabled AppArmor profiles

In addition to the profiles that load at boot, there are several profiles that are available but disabled by default. You can find them in the “/etc/apparmor.d/disable” folder. Here you can see that the Firefox and rsyslogd profiles are not enabled.

[Screenshot: contents of /etc/apparmor.d/disable]

The Firefox profile was probably disabled because it causes a performance drop in Firefox, but if you would like to turn the profile on so you can surf the web with more peace of mind, here is how to do so.

Open a terminal and type:

sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

To disable it again:

sudo ln -s /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox

While a profile sounds like a complicated software module, it is actually a simple text file listing file paths that state which files and directories the application can access. This is what the Evince profile looks like (you can open any profile in the “/etc/apparmor.d” folder in your text editor).
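As an added example (not code from the article), here is what a profile of your own could look like for a hypothetical tool at /usr/local/bin/reportgen, together with the commands to load it in Complain mode first and switch it to Enforcement once the log shows no unexpected violations; the path, file name and rules are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the article): a minimal profile for a hypothetical
# tool at /usr/local/bin/reportgen, written out and loaded in complain mode.
PROFILE=/etc/apparmor.d/usr.local.bin.reportgen

write_profile() {   # $1 = file to write the profile text into
    cat > "$1" <<'EOF'
#include <tunables/global>

# complain: violations are logged but not blocked, until the policy is checked
/usr/local/bin/reportgen flags=(complain) {
  #include <abstractions/base>

  # the binary itself: read and memory-map
  /usr/local/bin/reportgen mr,

  # read-only configuration
  /etc/reportgen/** r,

  # only the invoking user's own report files (owner check), with file locking
  owner @{HOME}/reports/ rw,
  owner @{HOME}/reports/** rwk,
  # a helper that runs under this same profile (ix = inherit)
  /usr/bin/gzip ix,
  # things a report generator never needs, even if a rule above were too wide
  deny /etc/shadow r,
  deny /etc/apparmor.d/** w,
  deny network,
}
EOF
}

load_complain() {
    # -r (re)loads the profile; complain mode comes from the flags line
    sudo apparmor_parser -r "$PROFILE"
    sudo apparmor_status | grep -F reportgen
}

switch_to_enforce() {
    # aa-enforce rewrites the flags line and reloads the profile for real
    sudo aa-enforce "$PROFILE"
}

# Usage: sh profile.sh install   (writes the file, then loads it in complain mode)
if [ "${1:-}" = "install" ]; then
    tmp=$(mktemp) && write_profile "$tmp" && sudo install -m 644 "$tmp" "$PROFILE"
    load_complain
fi
```

Run the tool normally for a while, check the log for ALLOWED entries, tighten the rules, and only then call switch_to_enforce.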

[Screenshot: the Evince profile in a text editor]

Ubuntu has done a pretty good job of protecting you, but if you want to restrict a custom application that is not covered by Ubuntu's profiles, you can create your own profile to lock down the application. This is particularly useful in a server environment where many applications run in the background where you cannot see them.

Note: Before you create your own profile, it is best to first look through the existing AppArmor profile library to check whether a profile for your application is already available. You can also install “apparmor-profiles” to get an extra set of profiles.

To create your own AppArmor profiles, you have to first install “apparmor-utils”.

sudo apt-get install apparmor-utils

Once installed, run the following command to start the profiling:

sudo aa-genprof /path/to/application

where “/path/to/application” is the file path to the application you want to profile. The default application folder is “/usr/bin”, but it can differ depending on the application.

[Screenshot: aa-genprof started for Krita]

Next, leaving the terminal running, start the application that you are going to profile. For this example, I am using Krita. Use the application as you usually would on any other day.

For every action you perform in the application, return to the terminal and press “Shift + s” to get it to scan for changes.

[Screenshot: aa-genprof scan results]

From here, you can see the path that the application is accessing and the severity of the action. You can then “Allow (A)” or “Deny (D)” the action.

Keep doing this for the rest of the actions you perform in the application. For the best result, plan out your list of actions before you start profiling.

Lastly, when you are done, press “Shift + F” to finish the profiling and “Shift + s” to save the profile.

[Screenshot: saving the profile]

Once created, the profile will be saved in the “/etc/apparmor.d” folder and will be loaded in Enforcement mode.

Edit Profiles

To edit your newly created profile, use the following command:

sudo aa-logprof   #reads the AppArmor events in the system log for every loaded profile; it takes no application path

AppArmor will then scan the log entries and allow you to make changes to the profile.
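As an added example (not from the article), here is a small shell function that summarises the kernel-log lines aa-logprof works from, so you can see at a glance which profile, operation and path triggered each event before deciding what to allow. The profile name and log lines are constructed samples; ALLOWED entries are violations recorded by a profile running in Complain mode.

```shell
#!/bin/sh
# Added example (not from the article). Summarises AppArmor audit lines from
# dmesg / journalctl -k: one count per (status, profile, operation, target, mask).
# DENIED = blocked by an enforcing profile; ALLOWED = would have been blocked,
# but the profile is in complain mode so the access was only logged.

summarize_apparmor_events() {          # reads log lines on stdin
    awk '
    /apparmor="(DENIED|ALLOWED)"/ {
        split("", kv)                  # clear the key=value map for each line
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            gsub(/"/, "", v)
            kv[k] = v
        }
        target = kv["name"]            # file events carry name=...
        if (target == "") target = kv["capname"]   # capability events carry capname=...
        mask = kv["requested_mask"]
        if (mask == "") mask = "-"
        key = kv["apparmor"] " " kv["profile"] " " kv["operation"] " " target " " mask
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample lines in the kernel-log format (the profile name is made up).
SAMPLE_LOG='audit: type=1400 audit(1700000000.101:91): apparmor="DENIED" operation="open" profile="/usr/local/bin/reportgen" name="/etc/shadow" pid=2231 comm="reportgen" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.102:92): apparmor="DENIED" operation="open" profile="/usr/local/bin/reportgen" name="/etc/shadow" pid=2231 comm="reportgen" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.205:93): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/reportgen" name="/home/alice/reports/q1.csv" pid=2231 comm="reportgen" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.310:94): apparmor="DENIED" operation="capable" profile="/usr/local/bin/reportgen" pid=2231 comm="reportgen" capability=10 capname="net_bind_service"'

# Usage on a live system:   dmesg | summarize_apparmor_events
# Demo on the sample:        sh summarize.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_apparmor_events
fi
```

A repeated DENIED line for a path the program legitimately needs is what you would allow in aa-logprof; a DENIED capability or a read of /etc/shadow is what the profile is there to stop.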

If for some reason you need to stop or restart AppArmor, you can do so with

sudo service apparmor stop   #stop apparmor

and

sudo service apparmor restart   #restart apparmor

For more information on AppArmor, check out the Ubuntu AppArmor page.

Image credit: Knight in Shining Armor