The AppArmor tips thread

Discussion in 'all things UNIX' started by Gullible Jones, Jun 9, 2014.

Thread Status:
Not open for further replies.
  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Will post these as I discover them...

    Tip 1: You can modify AppArmor profiles on the fly, without restarting an application. Just rerun aa-enforce on the program's profile, and changes will be applied immediately.
     
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Tip 2: aa-logprof lets you tweak profiles on the fly even more easily.

    Tip 3: take a look at AppArmor DENIED messages in your system log. You may find your programs doing some surprising stuff...
     
  3. guest

    guest Guest

    Just to be sure, what is AppArmor exactly and how does it work? Also, if you had to compare it to Windows software, which one is the closest to AppArmor?
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    There's a nice Introduction to AppArmor that may help answer your first question, at least. As for how a Windows application might compare to it, I'm not really sure of one, but there's a Wilders thread on ReHIPS that seems to have some AppArmor-like traits to it; check out post #22 on that.
     
  5. guest

    guest Guest

    Anyone know how to set up AppArmor with the latest FF v30 and load the profile?
     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Here is what you need to know:
    - AppArmor access control is based mostly on filesystem paths, plus a few other things. You want to give a program the minimum permissions it needs to do what you want (i.e. principle of least privilege).
    - Firefox needs to write to a bunch of hidden configuration paths in your home folder. Specifically it needs recursive rwk (read/write/lock) permissions on those folders and everything in them. The apparmor.d man page will show you how to do this.
    - Take a look at the logs for AppArmor "DENIED" messages.
    - When in doubt, refer to the apparmor.d man page.

    Note that Ubuntu 14.04 has a bug where automatic profile generation with aa-genprof does not work. This is minor though; aa-genprof and aa-logprof are rather crude tools. If you know how a Linux filesystem is laid out, and what parts a program should need (or not), it's quite easy to write a minimal profile by hand.
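    As an added example (not code from the thread or from the AppArmor project), a small Python script that reads the "DENIED" audit lines the posts above point to and condenses them into candidate file rules for a human to review. The log lines, user name, profile path and the create-to-write simplification are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit lines in the shape AppArmor emits (not real logs).
SAMPLE_LOG = """\
type=AVC msg=audit(1402300000.101:201): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/home/alice/.mozilla/firefox/abcd1234.default/places.sqlite" pid=2201 comm="firefox" requested_mask="wrc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1402300000.102:202): apparmor="DENIED" operation="file_lock" profile="/usr/lib/firefox/firefox" name="/home/alice/.mozilla/firefox/abcd1234.default/places.sqlite" pid=2201 comm="firefox" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
type=AVC msg=audit(1402300000.103:203): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/home/alice/.ssh/id_rsa" pid=2201 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1402300000.104:204): apparmor="ALLOWED" operation="open" profile="/usr/lib/firefox/firefox" name="/etc/fonts/fonts.conf" pid=2201 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="value" pairs only; msg=audit(...) has no quotes and is skipped.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
PERM_ORDER = "rwalkmx"  # canonical order for file-rule permission letters

def parse_denials(log_text):
    """Return the fields of every apparmor="DENIED" line that names a path.
    ALLOWED lines (complain mode) are deliberately left out."""
    denials = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            denials.append(fields)
    return denials

def mask_to_perms(mask_letters):
    """Collapse denied_mask letters into rule permissions. Simplification
    (an assumption here): a denied create ('c') is expressed as write ('w')."""
    letters = set(mask_letters)
    if "c" in letters:
        letters.discard("c")
        letters.add("w")
    return "".join(p for p in PERM_ORDER if p in letters)

def summarize(denials):
    """Map (profile, path) -> combined set of denied mask letters."""
    summary = defaultdict(set)
    for d in denials:
        summary[(d["profile"], d["name"])].update(d["denied_mask"])
    return summary

def candidate_rules(summary):
    """One candidate file rule per denied path, for review: a denial shows
    what the program tried, not that the access should be granted."""
    return [(profile, f"  {path} {mask_to_perms(mask)},")
            for (profile, path), mask in sorted(summary.items())]

if __name__ == "__main__":
    for profile, rule in candidate_rules(summarize(parse_denials(SAMPLE_LOG))):
        print(f"{profile}:\n{rule}")
```

    The second rule in the sample output (a browser reaching into ~/.ssh) is the kind of "surprising stuff" Tip 3 refers to: the right response is to leave it denied, not to paste the rule into the profile.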
     
  7. tlu

    tlu Guest

    I think you should go to the documentation page of wiki.apparmor.net (that guide mentioned above by wat0114 is not bad but outdated). Start by reading this introduction and the FAQ. Proceed with this guide. And if that's not enough for you, go to this detailed reference. ;)
     
  8. guest

    guest Guest

    thanks all for the explanations & links
     
  9. tlu

    tlu Guest

    This may be true for you. But a user unfamiliar with AppArmor (and seemingly with Linux) is guaranteed to fail if he/she tries to write a profile without the help of aa-autodep (which I prefer over aa-genprof because the latter ultimately saves the profile in enforce mode - which is simply too early in most cases as this breaks nearly every profiled application) and aa-logprof.
     
  10. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @tlu: I assumed that @guest was pretty familiar with Linux, or at least enough of the basics to write an AppArmor profile for a desktop app.

    @guest: sorry if I got the wrong impression, I don't really keep track of people's posts here...
     
  11. guest

    guest Guest

    For a 2-week Linux user, I think I am not so bad since I can understand the various posts and links here, but not good enough to write a profile by hand ^^

    For now I am just gathering resourceful info about AppArmor until I get accustomed enough to it ;)
     
  12. tlu

    tlu Guest
