Can anyone explain and teach me how to use AppArmor in Linux Mint?

Discussion in 'all things UNIX' started by Konata Izumi, Mar 3, 2011.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

    No, -v is not a smiley but an option used by many Linux commands (e.g., the cp command) referring to the verbose mode. Sorry for causing confusion :D:D :D

    (I should add: Unfortunately it's not used as a standard. Sometimes -v also stands for "version", and the verbose mode is triggered by other letters like -t.)
     
  2. tlu

    tlu Guest

    I've never used AppLocker, and SRP can be implemented in various variants - but if implemented as suggested here (and discussed in this forum in many threads) it's definitely easier than AppArmor. Although I hasten to say that the effects of both approaches are not really comparable ...

    I guess that these unwanted effects could be avoided to some extent if the profiles were properly maintained.

    While I agree in general (although there are examples like this one that suggest that implementing AppArmor even on a desktop system might be beneficial), I'm a bit surprised as it seems to me that your statement is in contrast to the tenor of your posting #9 above.
     
  3. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    I would say 'don't underestimate yourself'. :)
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    I'm not, just my sig is irrelevant :)
    Mrk
     
  5. katio

    katio Guest

    It comes down to personal preferences really. For me, running a single command in the terminal and going through the text-based wizard is as easy as it gets. If that's still too much, there are a lot of preconfigured profiles to be found on ubuntuforums and other places. If someone needed help I could write you a profile for any simple application in a few minutes and be confident that it works and share it with you. SRP/AL on the other hand have a few pitfalls, like by default world write+executable folders in C:\Windows that most often get missed, as that how-to demonstrates, and auditing NTFS permissions is definitely not so easy.
    The other reason why I think it's easier is because it's so modular. You configure one program at a time without disturbing other users, system processes or other applications.


    No. The problem is as so often the trade-off between usability and security.
    You either make a profile that is compatible with everything a user might want to do but with lenient restrictions or a profile that fully protects user data but breaks some workflows.
    The profiles in the repos *are* properly maintained and kept up-to-date and in sync with the programs.

    ..not in the wild...
    Anyway, as long as there are usb drivers in the kernel using strcpy() there is not much of a point in protecting against that :(
    https://www.wilderssecurity.com/showthread.php?t=294583
    That's something AA is powerless against, though grsec and maybe SELinux can prevent it.

    Read more closely, there is no contradiction.
    Linux desktops aren't targeted by the widely used exploit kits at all. Browsing even the darker places of the Internet naked and unprotected won't get you infected.
    On the other hand the default configuration in all mainstream distros is weak against attacks. If you get targeted for some reason the built-in security mechanism will definitely fail. Therefore my point is that while there is no imminent threat for desktop users it's still a good idea to keep an eye on the threats and mitigations available. For a more future-proof setup that also protects against some "unknown unknowns" additional security like a MAC is absolutely necessary. Same goes for anyone with requirements beyond the typical desktop user, something I thought was more prevalent on this forum than elsewhere.
     
    Last edited by a moderator: Mar 13, 2011
  6. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I use quite a few AppArmor profiles, some of which I created from scratch. I use a profile for Chromium (even though Chromium already has a sandbox), my IM client, my IRC client, my torrent client, as well as NTP and a few other services. Basically anything that is network facing has a profile.

    I think it's overkill, but it should help any of those services resist 0-days if they happen to be attacked (which is unlikely but possible). If anyone wants some profiles I can post them.
     
  7. wat0114

    wat0114 Guest

    Hi chronomatic,

    can you please post some? :)
     
  8. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Which ones?
     
  9. wat0114

    wat0114 Guest

    Oh...how about just a few of the most basic ones, something a noob to this stuff like myself might be able to follow, if you have?
     
  10. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
  11. wat0114

    wat0114 Guest

    Thank you Ocky! :)
     
  12. tlu

    tlu Guest

    This guide is also very nice. Non-openSUSE users can neglect the Yast portions.
     
  13. wat0114

    wat0114 Guest

    Thank you as well, tlu! The Yast tutorial might work nicely for me since I'm using openSUSE, although I doubt I'll venture into this until a few weeks later, once I get my head wrapped around how things generally work in Linux KDE. So many options and ways of doing things :)

    BTW, just saw this and love the way you worded things :thumb:
     
  14. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Yeah, that's pretty much it, isn't it...... :)
     
  15. observence

    observence Registered Member

    Joined:
    Dec 28, 2010
    Posts:
    20
    And how would I use it? It's your sig.
    O
     
  16. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Ok a few comments:

    1) Someone compared AppArmor to AppLocker on Windows. They serve different functions entirely. AppLocker is essentially a way of keeping users from installing (or running) any software not approved of by the admin (it's a whitelist). AppArmor, on the other hand, is a MAC system that controls what already installed programs can do and what they can access. It's a sandbox for applications. SELinux is an inode based MAC (and is more powerful but also much more difficult). Just thought I'd throw that out there.

    2) In Ubuntu you can install extra profiles from the repos. Type this in the terminal:

    Code:
    sudo apt-get install apparmor-profiles
    This will install a few basic profiles (I think NTP is one of them). To use them you still have to enable them.

    3) To get even more profiles, you can grab some templates from bodhi zazen's link that someone already posted. Or, you can create your own from scratch. If you don't want to do that, I can offer some of my profiles. Here are the ones I have created that I find useful:

    Pidgin
    Transmission
    KVIrc
    Tor
    Samba (nmbd and smbd)

    Please note that profiles are not always one size fits all. Different people may have slightly different needs, so they may have to tweak the profiles accordingly. However, most of the profiles bodhi has (as well as the ones I have) should be pretty much functional out of the box.
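
For readers following the thread, an added example that is not part of chronomatic's post and is not one of the profiles offered above: a minimal AppArmor profile for a network-facing client, showing the strict and the lenient home-directory rule side by side (the usability/security trade-off discussed earlier in the thread). The program `/usr/bin/example-chat` and all of its paths are hypothetical placeholders.

```apparmor
# Constructed example. /usr/bin/example-chat is a hypothetical network-facing
# client; by convention the file would be /etc/apparmor.d/usr.bin.example-chat.
#include <tunables/global>

/usr/bin/example-chat {
  # Shared libraries, locale data, and name resolution.
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # TCP over IPv4 and IPv6.
  network inet stream,
  network inet6 stream,

  # The binary itself (map + read) and its read-only data.
  /usr/bin/example-chat mr,
  /usr/share/example-chat/** r,

  # Strict variant: only the client's own settings and one transfer folder.
  # "owner" limits each rule to files owned by the user running the client.
  owner @{HOME}/.config/example-chat/ rw,
  owner @{HOME}/.config/example-chat/** rwk,
  owner @{HOME}/Downloads/example-chat/ rw,
  owner @{HOME}/Downloads/example-chat/** rw,

  # Lenient variant (left commented out): nothing in the workflow breaks, but
  # a compromised client could then read or overwrite every file in $HOME.
  # owner @{HOME}/** rw,

  # Unlisted paths are already denied. An explicit deny additionally overrides
  # any allow pulled in through an abstraction and is not logged by default.
  deny @{HOME}/.ssh/** mrwkl,
  deny @{HOME}/.gnupg/** mrwkl,

  # No execute rules: the client cannot start a shell or any helper program.
}

# Load in complain mode first (violations are logged, not blocked), use the
# client normally, review the log, then switch to enforce mode. The aa-* tools
# come from the apparmor-utils package:
#   sudo aa-complain /etc/apparmor.d/usr.bin.example-chat
#   sudo aa-enforce  /etc/apparmor.d/usr.bin.example-chat
#   sudo aa-status
```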
     
  17. tlu

    tlu Guest

    Absolutely :thumb: That's why I wrote that the two approaches are not really comparable.

    An overview can be found here. (The NTP profile is now in main.)
     
  18. wat0114

    wat0114 Guest

    Thank you for clearing up the confusion chronomatic. I know I thought AppArmor and AppLocker were comparable :)
     
  19. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I think AppLocker serves an important function on Windows, but the function it serves is not really a threat on Linux. For one, anyone with physical access can bypass it. AppLocker, imo, is really only useful for single user machines so that one can stop malware from accidentally installing. Since malware is not an issue on Linux and since Linux does not install programs the way Windows does, an AppLocker utility would be useless.

    AppArmor on Linux is more akin to the MIC (integrity levels) on Vista/7 except AppArmor is much more configurable.
     