AppArmor is something similar to SELinux. Its main purpose is to set access-control restrictions on a given executable: it can limit whether the program may read or write a particular directory or file, open, read or write network ports, and so on.
Novell's description of AppArmor:
AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if they are exploiting previously unknown vulnerabilities.
The choice of AppArmor over SELinux is mainly based on two points:
For beginners, AppArmor is simpler than SELinux. If you are an Ubuntu fan, note that Ubuntu chose AppArmor; by the same token, a Fedora fan will obviously pick SELinux.
To be fair, SELinux is more secure and more flexible than AppArmor, and also more complex to configure. The biggest difference between the two: AppArmor uses the file name (path name) as the security label, whereas SELinux attaches the security label to the file's inode. This means the AppArmor mechanism can be bypassed by renaming a file; in a file system, only the inode is unique.
Since the Ubuntu distribution already ships the AppArmor package, you can query AppArmor's current status by entering the following at the command line:
sudo apparmor_status
At the moment AppArmor has 20 profiles loaded, all of them in enforce mode; none is in complain mode.
AppArmor profiles come in two modes, enforce and complain, and live in the /etc/apparmor.d/ directory. Below is the official explanation of the two modes.
Enforcing: This means the profile is actively protecting the application. By default, Ubuntu already locks down the CUPS daemon for you, but you will see several other profiles listed that you can set to enforce mode at any time.
Simply put: if a program does something its profile does not allow, that operation fails.
Complain: This means a profile exists but is not yet actively protecting the application. Instead, it is sort of in "debug" mode and will put "complain" messages into /var/log/messages. What this means is that if the application wants to read, write, or execute something that isn't listed in the profile, it will complain. This is how you generally create a profile.
Simply put: if a program does something its profile does not allow, AppArmor "tattles" on it, i.e. the action is recorded in the system log, but the access itself succeeds. For example, if a program was not given access to a file and reads it anyway, the read is only reported and still succeeds; in enforce mode the same access would fail.
To put a profile into enforce mode, run:
sudo enforce <application_name>
To put a profile into complain mode, run:
sudo complain <application_name>
After changing a profile's mode, run the following command for the change to take effect:
sudo /etc/init.d/apparmor restart
Now that you know the basics of AppArmor, what you most likely want to know next is how to build a profile. In summary, there are the following ways to get one.
(1) The Ubuntu distribution predefines a set of profiles, which can be installed with:
sudo apt-get install apparmor-profiles
Profiles can also be downloaded from http://bodhizazen.net/ and placed in the /etc/apparmor.d/ directory; the profile is then activated automatically when the program starts.
(2) Manage profiles with a tool; the best known is apparmor-utils, installed with:
sudo apt-get install apparmor-utils
The two most commonly used commands in this toolset are aa-genprof and aa-logprof: the former generates a profile, the latter looks at the AppArmor log records.
Let's also look at a hand-written profile to get familiar with the syntax. For a more detailed treatment, see a document that explains the profile syntax, such as http://ubuntuforums.org/showthread.php?t=1008906
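The difference between the two modes shows up directly in the log: a complain-mode violation is recorded with apparmor="ALLOWED" (logged, access went through), an enforce-mode one with apparmor="DENIED" (access failed). As an added example, not from the original post or from the AppArmor project, the Python below parses those records, groups them per profile and lists, for the complain-mode entries, the "path mode," candidate lines a tool like aa-logprof would present for review. The log lines are constructed samples in the format of AppArmor's audit records, not real captures.

```python
import re

# Constructed sample log lines in the format of AppArmor's audit records as
# they appear in /var/log/messages (or kern.log); these are not real captures.
SAMPLE_LOG = """\
Jun 12 10:00:01 host kernel: [  123.456789] type=1400 audit(1276333201.123:45): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/bin/kopete" name="/home/user/.bashrc" pid=2345 comm="kopete" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jun 12 10:00:02 host kernel: [  123.567890] type=1400 audit(1276333202.123:46): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/bin/kopete" name="/home/user/.ssh/id_rsa" pid=2345 comm="kopete" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jun 12 10:00:03 host kernel: [  123.678901] type=1400 audit(1276333203.123:47): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/etc/shadow" pid=987 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 12 10:00:04 host kernel: [  123.789012] type=1400 audit(1276333204.123:48): apparmor="STATUS" operation="profile_replace" name="/usr/bin/kopete" pid=1 comm="apparmor_parser"
Jun 12 10:00:05 host cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
"""

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor_line(line):
    """Return the key=value fields of an AppArmor audit record as a dict,
    or None if the line is not an AppArmor record at all."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(line)}

def summarize(log_text):
    """Group file events per profile: {profile: {"ALLOWED": [(path, mask)],
    "DENIED": [(path, mask)]}}. ALLOWED = complain mode (logged, access went
    through); DENIED = enforce mode (access failed). STATUS records are skipped."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_apparmor_line(line)
        if rec is None or rec.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        events = summary.setdefault(rec.get("profile", "?"), {"ALLOWED": [], "DENIED": []})
        events[rec["apparmor"]].append((rec.get("name", "?"), rec.get("denied_mask", "?")))
    return summary

def candidate_rules(summary, profile):
    """Turn a profile's complain-mode events into the 'path mode,' lines that
    aa-logprof would present. Each still needs a human decision: the .ssh
    entry here is one you would answer with a deny rule, as the kopete profile does."""
    seen = {}
    for path, mask in summary.get(profile, {}).get("ALLOWED", []):
        seen[path] = "".join(sorted(set(seen.get(path, "")) | set(mask)))
    return ["%s %s," % (path, mode) for path, mode in sorted(seen.items())]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for profile, events in s.items():
        print(profile, "complain(ALLOWED):", len(events["ALLOWED"]),
              "enforce(DENIED):", len(events["DENIED"]))
    print("\n".join(candidate_rules(s, "/usr/bin/kopete")))
```

Run against a real log, summarize() tells you per profile whether a program is still in complain mode (only ALLOWED entries) or already blocked (DENIED entries), and candidate_rules() gives the list you would walk through before writing the rules into the profile.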
#include <tunables/global>
# name of the application to confine
/usr/bin/kopete {
  #include <abstractions/X>
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/kde>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  # deny read/write access to a few files in the home directory
  deny @{HOME}/.bash* rw,
  deny @{HOME}/.cshrc rw,
  deny @{HOME}/.profile rw,
  deny @{HOME}/.ssh/* rw,
  deny @{HOME}/.zshrc rw,
  # read, write or execute permissions on the following files
  /etc/X11/cursors/oxy-white.theme r,
  /etc/default/apport r,
  /etc/kde4/* r,
  /etc/kde4rc r,
  /etc/kderc r,
  /etc/security/* r,
  /etc/ssl/certs/* r,
  owner /home/*/ r,
  /opt/firefox/firefox.sh Px,
  /usr/bin/convert rix,
  /usr/bin/kde4 rix,
  /usr/bin/kopete r,
  /usr/bin/kopete_latexconvert.sh rix,
  /usr/bin/launchpad-integration ix,
  /usr/bin/xdg-open mrix,
  /usr/lib/firefox*/firefox.sh Px,
  /usr/lib/kde4/**.so mr,
  /usr/lib/kde4/libexec/drkonqi ix,
  /usr/share/emoticons/ r,
  /usr/share/emoticons/** r,
  /usr/share/enchant/** r,
  /usr/share/kde4/** r,
  /usr/share/kubuntu-default-settings/** r,
  /usr/share/locale-langpack/** r,
  /usr/share/myspell/** r,
  owner @{HOME}/.config/** rwk,
  owner @{HOME}/.kde/** rwlk,
  owner @{HOME}/.local/share/mime/** r,
  owner @{HOME}/.thumbnails/** rw,
  owner @{HOME}/Downloads/ rw,
  owner @{HOME}/Downloads/** rw,
}
Syntax notes:
r = read
w = write
l = link
k = lock
a = append
ix = inherit = Inherit the parent's profile.
px = requires a separate profile exists for the application, with environment scrubbing.
Px = requires a separate profile exists for the application, without environment scrubbing.
ux and Ux = Allow execution of an application unconfined, with and without environmental scrubbing. (use with caution if at all).
m = allow executable mapping.