Table of Contents

Модуль AppArmor

Включение/Выключение

# ###apt install apparmor

# aa-status

Включение

# mkdir /etc/default/grub.d

# cat /etc/default/grub.d/apparmor.cfg
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"

Выключение

# cat /etc/default/grub
...
GRUB_CMDLINE_LINUX="... apparmor=0"
...
# update-grub

# init 6

Определение наличия и правка профилей для служб

# ps axZ #| grep [c]lam

# find /etc/apparmor.d/

# cat /etc/apparmor.d/usr.sbin.clamd
...
  /disk2/ rw,
  /disk2/** krw,
  
  /var/CommuniGate/ rw,
  /var/CommuniGate/** krw,
...
# cat /etc/apparmor.d/local/usr.sbin.dhcpd
/**/dhcpd.conf r,

или 

# rm /etc/apparmor.d/usr.sbin.dhcpd
# init 6

# apt install apparmor-utils

# aa-unconfined

# apt install apparmor-profiles

# less /usr/share/apparmor/extra-profiles/README

# find /etc/apparmor.d/

Создание профиля "вручную"

# ldd /bin/bash

# ldd /bin/cat

# ldd /usr/bin/file

# man file

# cat /etc/apparmor.d/usr.local.sbin.webd
/usr/local/sbin/webd {

  network inet stream,

  /usr/local/sbin/webd r,
#  /usr/bin/bash ix,
  /usr/bin/cat ix,
  /usr/bin/file ix,
  /etc/magic r,
  /usr/share/file/magic.mgc r,
  /usr/lib/file/magic.mgc r,

  /var/www/** r,

  /usr/lib/x86_64-linux-gnu/libtinfo* mr,
  /usr/lib/x86_64-linux-gnu/libdl* mr,
  /usr/lib/x86_64-linux-gnu/libc* mr,
  /usr/lib/x86_64-linux-gnu/libz* mr,
  /usr/lib/x86_64-linux-gnu/libmagic* mr,

}

Включение/выключение профиля

# aa-complain /usr/local/sbin/webd

# aa-status

# tail -f /var/log/audit/audit.log | grep usr.local.sbin.webd

# aa-enforce /usr/local/sbin/webd

# tail -f /var/log/audit/audit.log | grep usr.local.sbin.webd

# aa-disable /usr/local/sbin/webd

Создание и включение профиля утилитой aa-genprof

# aa-genprof /usr/local/sbin/webd
...
#https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928160
debian10# touch /etc/apparmor.d/local/...dovecot...
...

# cat /etc/apparmor.d/usr.local.sbin.webd
...
  /var/www/* r,
}
# service apparmor restart