Mandatory Access Control (MAC)¶
Table of Contents
AppArmor¶
Install¶
Install the
apparmor
package.Add AppArmor to the Linux secuirty modules that will be used on boot along with the dependencies that should be loaded beforehand. This is normally done through GRUB.
lsm=landlock,lockdown,yama,apparmor,bpf
Enable the service.
$ sudo systemctl enable apparmor
Reboot the computer to complete the installation.
Verify that it is enabled and running.
$ sudo aa-enabled $ sudo aa-status
[1]
Profiles¶
View loaded profiles:
$ sudo aa-status
Add a new profile:
$ sudo apparmor_enforce -r /etc/apparmor.d/<PROFILE>
Find the actual name of a profile (it is not always the file name):
$ grep -P ^profile /etc/apparmor.d/<PROFILE>
Enable a profile:
$ sudo aa-enforce <PROFILE>
Disable a profile but keep logging enabled:
$ sudo aa-complain <PROFILE>
Disable a profile completely:
$ sudo ln -s /etc/apparmor.d/<PROFILE> /etc/apparmor.d/disable/ $ sudo apparmor_parser -R /etc/apparmor.d/<PROFILE>
[2]
Delete a profile [3]:
$ sudo rm -f /etc/apparmor.d/<PROFILE> $ sudo systemctl reload apparmor
Bibliography¶
“AppArmor.” Arch Wiki. September 15, 2021. Accessed October 3, 2021. https://wiki.archlinux.org/title/AppArmor
“AppArmor.” Ubuntu Community Help Wiki. July 5, 2020. https://help.ubuntu.com/community/AppArmor
“Building Profiles from the Command Line.” openSUSE Security Guide. 2018. Accessed October 3, 2021. https://doc.opensuse.org/documentation/leap/archive/42.3/security/html/book.security/cha.apparmor.commandline.html