========
AppArmor
========

What is AppArmor?
=================

AppArmor is a MAC-style security extension for the Linux kernel. It implements
a task-centered policy, with task "profiles" being created and loaded
from user space. Tasks on the system that do not have a profile defined for
them run in an unconfined state, which is equivalent to standard Linux DAC
permissions.

How to enable/disable
=====================

Set ``CONFIG_SECURITY_APPARMOR=y``.

If AppArmor should be selected as the default security module then also set::

   CONFIG_DEFAULT_SECURITY="apparmor"
   CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1

Build the kernel.

If AppArmor is not the default security module it can be enabled by passing
``security=apparmor`` on the kernel's command line.

If AppArmor is the default security module it can be disabled by passing
``apparmor=0 security=XXXX`` (where ``XXXX`` is a valid security module) on the
kernel's command line.

For AppArmor to enforce any restrictions beyond standard Linux DAC permissions,
policy must be loaded into the kernel from user space (see the Documentation
and Links sections below).

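As an added example (not part of the kernel documentation or the AppArmor project's own tooling), the following POSIX shell script models the boot-time selection rules stated above and inspects the files a running AppArmor kernel exposes. The paths ``/sys/module/apparmor/parameters/enabled`` (contains ``Y`` or ``N``) and ``/sys/kernel/security/apparmor/profiles`` (one ``<profile> (<mode>)`` line per loaded profile) are real; the function names, the rule model for the legacy ``security=``/``apparmor=`` parameters (the last occurrence on the command line wins) and the sample command lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the kernel documentation or the AppArmor project.
# Models the boot-time rules from the section above and inspects the files a
# running AppArmor kernel exposes. Function names are this example's own.

# apparmor_selected DEFAULT_SECURITY BOOTPARAM_VALUE "KERNEL CMDLINE"
#   DEFAULT_SECURITY : value of CONFIG_DEFAULT_SECURITY (e.g. apparmor, selinux)
#   BOOTPARAM_VALUE  : CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE (0 or 1)
# Prints "yes" if AppArmor ends up as the active security module, else "no".
# Assumption: the legacy single-major-LSM model described on this page, where
# the last security=/apparmor= parameter on the command line wins.
apparmor_selected() {
    security=$1
    enabled=$2
    for arg in $3; do
        case $arg in
            security=*) security=${arg#security=} ;;
            apparmor=*) enabled=${arg#apparmor=} ;;
        esac
    done
    if [ "$security" = apparmor ] && [ "$enabled" = 1 ]; then
        echo yes
    else
        echo no
    fi
}

# apparmor_runtime_enabled [ENABLED_FILE]
# Reads the module parameter the kernel exports (Y or N). Prints
# "unavailable" when the file is absent, i.e. AppArmor is not built in.
apparmor_runtime_enabled() {
    file=${1:-/sys/module/apparmor/parameters/enabled}
    [ -r "$file" ] || { echo unavailable; return 0; }
    case $(cat "$file") in
        Y) echo yes ;;
        *) echo no ;;
    esac
}

# apparmor_profile_summary [PROFILES_FILE]
# Counts loaded profiles by mode from the securityfs listing, whose lines
# look like "/usr/sbin/cupsd (enforce)". enforce=0 complain=0 means the
# module is enabled but nothing is confined beyond DAC: policy must still
# be loaded from user space.
apparmor_profile_summary() {
    file=${1:-/sys/kernel/security/apparmor/profiles}
    [ -r "$file" ] || { echo unavailable; return 0; }
    enforce=0
    complain=0
    while IFS= read -r line; do
        case $line in
            *"(enforce)") enforce=$((enforce + 1)) ;;
            *"(complain)") complain=$((complain + 1)) ;;
        esac
    done < "$file"
    echo "enforce=$enforce complain=$complain"
}

# Stand-alone run: report the running kernel, then apply the boot-time rules
# to constructed command lines (assumed build: default apparmor, bootparam 1).
echo "runtime enabled: $(apparmor_runtime_enabled)"
echo "loaded profiles: $(apparmor_profile_summary)"
for cmd in "root=/dev/sda1 quiet" "security=apparmor" "apparmor=0 security=selinux"; do
    echo "cmdline='$cmd' -> apparmor active: $(apparmor_selected apparmor 1 "$cmd")"
done
```

Run it as root on the target machine to see the real state; the profile summary is the check that matters operationally, since an enabled module with no profiles loaded confines nothing.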
Documentation
=============

Documentation can be found on the wiki, linked below.

Links
=====

Mailing List - apparmor@lists.ubuntu.com

Wiki - http://apparmor.wiki.kernel.org/

User space tools - https://launchpad.net/apparmor

Kernel module - git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git