====== Модуль AppArmor ======

  * [[https://help.ubuntu.com/16.04/serverguide/apparmor.html|AppArmor Ubuntu 16.04]]
  * [[http://www.novell.com/documentation/apparmor/apparmor201_sp10_admin/data/bx5bmls.html|Apparmor File Permission Access Modes]]
  * [[http://www.ibm.com/developerworks/ru/library/l-apparmor-1/index.html|Безопасный Linux : Часть первая. AppArmor – песочница для приложений]]

  * [[https://wiki.debian.org/AppArmor/HowToUse|debian AppArmor HowToUse]]
  * [[https://help.ubuntu.com/community/AppArmor|ubuntu AppArmor]]

===== Включение/Выключение =====

  * В Debian/Ubuntu включен по умолчанию

<code>
# ###apt install apparmor

# aa-status
</code>

=== Включение ===
<code>
# mkdir /etc/default/grub.d

# cat /etc/default/grub.d/apparmor.cfg
</code><code>
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"
</code>

=== Выключение ===
<code>
# cat /etc/default/grub
</code><code>
...
GRUB_CMDLINE_LINUX="... apparmor=0"
...
</code><code>
# update-grub

# init 6
</code>


===== Определение наличия и правка профилей для служб =====

  * [[Сервис Clamav]]

<code>
# ps axZ #| grep [c]lam

# find /etc/apparmor.d/

# cat /etc/apparmor.d/usr.sbin.clamd
</code><code>
...
  /disk2/ rw,
  /disk2/** krw,
  
  /var/CommuniGate/ rw,
  /var/CommuniGate/** krw,
...
</code><code>
# cat /etc/apparmor.d/local/usr.sbin.dhcpd
</code><code>
/**/dhcpd.conf r,
</code>
или
<code>
# rm /etc/apparmor.d/usr.sbin.dhcpd
</code><code>
# init 6

# apt install apparmor-utils

# aa-unconfined

# apt install apparmor-profiles

# less /usr/share/apparmor/extra-profiles/README

# find /etc/apparmor.d/
</code>




===== Создание профиля "вручную" =====

<code>
# ldd /bin/bash

# ldd /bin/cat

# ldd /usr/bin/file

# man file

# cat /etc/apparmor.d/usr.local.sbin.webd
</code><code>
/usr/local/sbin/webd {

  network inet stream,

  /usr/local/sbin/webd r,
#  /usr/bin/bash ix,
  /usr/bin/cat ix,
  /usr/bin/file ix,
  /etc/magic r,
  /usr/share/file/magic.mgc r,
  /usr/lib/file/magic.mgc r,

  /var/www/** r,

  /usr/lib/x86_64-linux-gnu/libtinfo* mr,
  /usr/lib/x86_64-linux-gnu/libdl* mr,
  /usr/lib/x86_64-linux-gnu/libc* mr,
  /usr/lib/x86_64-linux-gnu/libz* mr,
  /usr/lib/x86_64-linux-gnu/libmagic* mr,

}

</code>

===== Включение/выключение профиля =====
<code>
# aa-complain /usr/local/sbin/webd

# aa-status

# tail -f /var/log/audit/audit.log | grep usr.local.sbin.webd

# aa-enforce /usr/local/sbin/webd

# tail -f /var/log/audit/audit.log | grep usr.local.sbin.webd

# aa-disable /usr/local/sbin/webd
</code>

===== Создание и включение профиля утилитой aa-genprof =====

  * [[http://wiki.apparmor.net/index.php/Profiling_with_tools|Profiling with tools]]

<code>
# aa-genprof /usr/local/sbin/webd
...
#https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928160
debian10# touch /etc/apparmor.d/local/...dovecot...
...

# cat /etc/apparmor.d/usr.local.sbin.webd
...
  /var/www/* r,
}
</code><code>
# service apparmor restart
</code>