AppArmor

From Void Linux Wiki

Introduction

From Wikipedia:

"AppArmor ("Application Armor") is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths."

AppArmor comes with profiles for several programs. You can read more about AppArmor on the Debian Wiki or the ArchWiki.

Installation

To install AppArmor, run the command

# xbps-install -S apparmor

AppArmor is now installed, but it isn't turned on yet.

Set up AppArmor

1. Edit GRUB config

First, you'll need to edit your GRUB config:

# nano /etc/default/grub

Add "apparmor=1 security=apparmor" to the GRUB_CMDLINE_LINUX_DEFAULT string (inside the quotes, separated from the existing parameters by spaces). For example, your GRUB_CMDLINE_LINUX_DEFAULT string may end up looking like this:

GRUB_CMDLINE_LINUX_DEFAULT="loglevel=4 slub_debug=P page_poison=1 rd.auto=1 apparmor=1 security=apparmor"

Then you must remake the GRUB config:

# grub-mkconfig -o /boot/grub/grub.cfg

If you use hashboot (see the hashboot guide), you may want to regenerate its checksums and backups, since /boot/grub/grub.cfg has just changed:

# hashboot index

2. Change AppArmor configuration

You'll need to put AppArmor into one of its two "on" states (complain or enforce):

# nano /etc/default/apparmor

Change "#APPARMOR=disable" to either "APPARMOR=complain" or "APPARMOR=enable". Make sure to remove the leading #, otherwise the line stays a comment and AppArmor remains disabled.

3. Reboot

After rebooting, AppArmor should load all profiles in /etc/apparmor.d and put them into the mode you chose in /etc/default/apparmor. Run the command

# aa-status

to verify AppArmor is working: it reports whether the module is loaded and lists the loaded profiles by mode, so you can see at a glance that the profiles are in the state you expected.
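The three steps above are two config-file edits and a post-reboot check, and each is easy to get subtly wrong by hand (duplicated kernel parameters after a second run, a mode line still commented out). The script below is an added example, not code from the Void Linux Wiki or the AppArmor project. It wraps those edits in idempotent shell functions that take the target file as an argument, so they can be rehearsed on constructed copies before being pointed at /etc/default/grub and /etc/default/apparmor. It assumes GRUB_CMDLINE_LINUX_DEFAULT is a single double-quoted line and that the two "on" modes are spelled "complain" and "enforce"; the function names (grub_add_param, apparmor_set_mode, apparmor_cmdline_ok) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Void Linux Wiki or the AppArmor project).
# Idempotent helpers for the edits in steps 1 and 2, plus a check for step 3.
# Every function takes the file to edit as an argument, so it can be rehearsed
# on a constructed copy before being pointed at /etc/default/*.
# Assumptions: GRUB_CMDLINE_LINUX_DEFAULT is one double-quoted line, and the
# two "on" modes are spelled "complain" and "enforce" (confirm against the
# comments in your own /etc/default/apparmor before relying on this).

# Print the current contents of GRUB_CMDLINE_LINUX_DEFAULT without the quotes.
grub_cmdline_get() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# Append one kernel parameter to GRUB_CMDLINE_LINUX_DEFAULT in $1 unless it is
# already present, so rerunning never produces "apparmor=1 apparmor=1".
grub_add_param() {
    file=$1; param=$2
    current=$(grub_cmdline_get "$file")
    case " $current " in
        *" $param "*) return 0 ;;          # already there, nothing to do
    esac
    if [ -z "$current" ]; then new=$param; else new="$current $param"; fi
    tmp=$(mktemp)
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        sed "s|^GRUB_CMDLINE_LINUX_DEFAULT=\".*\"\$|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" \
            "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$new" >> "$tmp"
    fi
    cat "$tmp" > "$file"     # write back in place, keeping the file's permissions
    rm -f "$tmp"
}

# Set APPARMOR=<mode> in $1, replacing any active or commented-out APPARMOR=
# line (this is what "remove the leading #" in step 2 does by hand).
# Rejects anything but the two "on" modes.
apparmor_set_mode() {
    file=$1; mode=$2
    case $mode in
        complain|enforce) ;;
        *) echo "apparmor_set_mode: invalid mode '$mode'" >&2; return 1 ;;
    esac
    tmp=$(mktemp)
    grep -v '^#\{0,1\}APPARMOR=' "$file" > "$tmp" || true   # grep -v exits 1 if nothing is left
    printf 'APPARMOR=%s\n' "$mode" >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Return 0 only when a kernel command line carries both parameters from step 1.
# With no argument it reads the running kernel's /proc/cmdline, which is the
# quickest way to confirm the reboot actually picked up the new grub.cfg.
apparmor_cmdline_ok() {
    cmdline=${1:-$(cat /proc/cmdline)}
    case " $cmdline " in *" apparmor=1 "*) ;; *) return 1 ;; esac
    case " $cmdline " in *" security=apparmor "*) return 0 ;; *) return 1 ;; esac
}

# Rehearsal on constructed copies of both files; prints the resulting lines.
demo() {
    g=$(mktemp); a=$(mktemp)
    printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="loglevel=4 rd.auto=1"\n' > "$g"   # constructed sample
    printf '# AppArmor mode\n#APPARMOR=disable\n' > "$a"                                 # constructed sample
    grub_add_param "$g" apparmor=1
    grub_add_param "$g" security=apparmor
    grub_add_param "$g" apparmor=1          # second run is a no-op
    apparmor_set_mode "$a" complain
    grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$g"
    grep '^APPARMOR=' "$a"
    rm -f "$g" "$a"
}

demo
```

After the real edit and `grub-mkconfig`, `apparmor_cmdline_ok` with no argument is a useful complement to `aa-status` after the reboot: if it fails, the kernel booted without the new parameters and no amount of fiddling with /etc/default/apparmor will help.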