====== Модуль AppArmor ======

  * [[https://help.ubuntu.com/16.04/serverguide/apparmor.html|AppArmor Ubuntu 16.04]]
  * [[http://www.novell.com/documentation/apparmor/apparmor201_sp10_admin/data/bx5bmls.html|Apparmor File Permission Access Modes]]
  * [[http://www.ibm.com/developerworks/ru/library/l-apparmor-1/index.html|Безопасный Linux : Часть первая. AppArmor – песочница для приложений]]

===== Установка =====

==== Включение/Выключение ====

  * В Debian/Ubuntu включен по умолчанию
  * [[https://wiki.debian.org/AppArmor/HowToUse|debian AppArmor HowToUse]]
  * [[https://help.ubuntu.com/community/AppArmor|ubuntu AppArmor]]

=== Debian 11 (enable) ===
<code>
# mkdir /etc/default/grub.d

# cat /etc/default/grub.d/apparmor.cfg
</code><code>
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"
</code>

=== Ubuntu 20/22 (disable) ===
<code>
# cat /etc/default/grub
</code><code>
...
GRUB_CMDLINE_LINUX="... apparmor=0"
...
</code><code>
# update-grub

# init 6
</code>
==== Debian/Ubuntu ====
<code>
# apt install apparmor

# aa-status
</code>

===== Определение наличия и правка профилей для служб =====
<code>
# ps axZ      # apt install clamav-daemon

# find /etc/apparmor.d/

# cat /etc/apparmor.d/usr.sbin.clamd
</code><code>
...
  /disk2/ rw,
  /disk2/** krw,
  
  /var/CommuniGate/ rw,
  /var/CommuniGate/** krw,
...
</code><code>
# cat /etc/apparmor.d/local/usr.sbin.dhcpd
</code><code>
  /**/dhcp/ r,
  /**/dhcp/** r,
</code>
или
<code>
# rm /etc/apparmor.d/usr.sbin.dhcpd
</code><code>
# init 6

# apt install apparmor-utils

# aa-unconfined

# apt install apparmor-profiles

# less /usr/share/apparmor/extra-profiles/README

# find /etc/apparmor.d/
</code>




===== Создание профиля "вручную" =====

<code>
# ldd /bin/bash

# ldd /bin/cat

# ldd /usr/bin/file

# man file

# cat /etc/apparmor.d/usr.local.sbin.webd
</code><code>
/usr/local/sbin/webd {

  network inet stream,

  /usr/local/sbin/webd r,
#  /usr/bin/bash ix,
  /usr/bin/cat ix,
  /usr/bin/file ix,
  /etc/magic r,
  /usr/share/file/magic.mgc r,
  /usr/lib/file/magic.mgc r,

  /var/www/** r,

  /usr/lib/x86_64-linux-gnu/libtinfo* mr,
  /usr/lib/x86_64-linux-gnu/libdl* mr,
  /usr/lib/x86_64-linux-gnu/libc* mr,
  /usr/lib/x86_64-linux-gnu/libz* mr,
  /usr/lib/x86_64-linux-gnu/libmagic* mr,

}

</code>

===== Включение/выключение профиля =====
<code>
# aa-complain /usr/local/sbin/webd

# aa-status

# tail -f /var/log/audit/audit.log | grep usr.local.sbin.webd

# aa-enforce /usr/local/sbin/webd

# tail -f /var/log/audit/audit.log | grep usr.local.sbin.webd

# aa-disable /usr/local/sbin/webd
</code>

===== Создание и включение профиля утилитой aa-genprof =====

  * [[http://wiki.apparmor.net/index.php/Profiling_with_tools|Profiling with tools]]

<code>
# aa-genprof /usr/local/sbin/webd
...
#https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928160
debian10# touch /etc/apparmor.d/local/...dovecot...
...

# cat /etc/apparmor.d/usr.local.sbin.webd
...
  /var/www/* r,
}
</code><code>
# service apparmor restart
</code>