manipulate crontab format
crontab format. Date: 2021-01-16
AppArmor
Novell AppArmor Administration Guide
Copyright 2006-2007 Novell, Inc.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with the Invariant Section being this copyright notice and license. A copy of the license is included in the section entitled "GNU Free Documentation License".

SUSE, openSUSE, the openSUSE logo, Novell, the Novell logo, the N logo, are registered trademarks of Novell, Inc. in the United States and other countries. Linux* is a registered trademark of Linus Torvalds. All other third party trademarks are the property of their respective owners. A trademark symbol (®, ™, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither Novell, Inc., SUSE LINUX Products GmbH, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.
Contents

About This Guide v
1 Immunizing Programs 1
1.1 Introducing the AppArmor Framework 2
1.2 Determining Programs to Immunize 4
1.3 Immunizing cron Jobs 5
1.4 Immunizing Network Applications 5
2 Profile Components and Syntax 11
2.1 Breaking a Novell AppArmor Profile into Its Parts 12
2.2 #include Statements 21
2.3 Capability Entries (POSIX.1e) 22
2.4 Using the Local AppArmor Profile Repository 22
2.5 Using the External AppArmor Profile Repository 23
2.6 Important Filenames and Directories 25
3 Building and Managing Profiles with YaST 27
3.1 Adding a Profile Using the Wizard 29
3.2 Manually Adding a Profile 37
3.3 Editing Profiles 38
3.4 Deleting a Profile 43
3.5 Updating Profiles from Log Entries 44
3.6 Managing Novell AppArmor and Security Event Status 45
4 Building Profiles from the Command Line 49
4.1 Checking the AppArmor Module Status 49
4.2 Building AppArmor Profiles 51
4.3 Adding or Creating an AppArmor Profile 52
4.4 Editing an AppArmor Profile 52
4.5 Deleting an AppArmor Profile 52
4.6 Two Methods of Profiling 53
5 Profiling Your Web Applications Using ChangeHat 75
5.1 Apache ChangeHat 76
5.2 Configuring Apache for mod_apparmor 83
6 Managing Profiled Applications 87
6.1 Monitoring Your Secured Applications 87
6.2 Configuring Security Event Notification 88
6.3 Configuring Reports 91
6.4 Configuring and Using the AppArmor Desktop Monitor Applet 111
6.5 Reacting to Security Event Rejections 112
6.6 Maintaining Your Security Profiles 112
7 Support 115
7.1 Updating Novell AppArmor Online 115
7.2 Using the Man Pages 115
7.3 For More Information 117
7.4 Troubleshooting 118
7.5 Reporting Bugs for AppArmor 124
A Background Information on AppArmor Profiling 127
B GNU Licenses 129
B.1 GNU General Public License 129
B.2 GNU Free Documentation License 132
Glossary 137

About This Guide

Novell AppArmor is designed to provide easy-to-use application security for both servers and workstations.
Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if they are exploiting previously unknown vulnerabilities.

Novell AppArmor consists of:

- A library of AppArmor profiles for common Linux* applications describing what files the program needs to access.
- A library of AppArmor profile foundation classes (profile building blocks) needed for common application activities, such as DNS lookup and user authentication.
- A tool suite for developing and enhancing AppArmor profiles, so that you can change the existing profiles to suit your needs and create new profiles for your own local and custom applications.
- Several specially modified applications that are AppArmor enabled to provide enhanced security in the form of unique subprocess confinement, including Apache and Tomcat.
- The Novell AppArmor loadable kernel module and associated control scripts to enforce AppArmor policies on your openSUSE system.

This guide covers the following topics:

Immunizing Programs
Describes the operation of Novell AppArmor and describes the types of programs that should have Novell AppArmor profiles created for them.

Profile Components and Syntax
Introduces the profile components and syntax.

Building and Managing Profiles with YaST
Describes how to use the AppArmor YaST modules to build, maintain and update profiles.

Building Profiles from the Command Line
Describes how to use the AppArmor command line tools to build, maintain and update profiles.

Profiling Your Web Applications Using ChangeHat
Enables you to create subprofiles for the Apache Web server that allow you to tightly confine small sections of Web application processing.

Managing Profiled Applications
Describes how to perform Novell AppArmor profile maintenance, which involves tracking common issues and concerns.

Support
Indicates support options for this product.

Glossary
Provides a list of terms and their definitions.
1 Feedback

We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation and enter your comments there.

2 Documentation Conventions

The following typographical conventions are used in this manual:

/etc/passwd: filenames and directory names
placeholder: replace placeholder with the actual value
PATH: the environment variable PATH
ls, --help: commands, options, and parameters
user: users or groups
Alt, Alt+F1: a key to press or a key combination; keys are shown in uppercase as on a keyboard
File, File > Save As: menu items, buttons
Dancing Penguins (Chapter Penguins, ↑Another Manual): This is a reference to a chapter in another manual.

3 Source Code

The source code of openSUSE is publicly available. To download the source code, proceed as outlined under http://www.novell.com/products/suselinux/source_code.html. If requested we send you the source code on a DVD. We need to charge a $15 or €15 fee for creation, handling and postage. To request a DVD of the source code, send an e-mail to sourcedvd@suse.de [mailto:sourcedvd@suse.de] or mail the request to:

SUSE Linux Products GmbH
Product Management openSUSE
Maxfeldstr. 5
D-90409 Nürnberg
Germany

1 Immunizing Programs

Novell AppArmor provides immunization technologies that protect applications from the inherent vulnerabilities they possess.
After installing Novell AppArmor, setting up Novell AppArmor profiles, and rebooting the computer, your system becomes immunized because it begins to enforce the Novell AppArmor security policies. Protecting programs with Novell AppArmor is referred to as immunizing.

Novell AppArmor sets up a collection of default application profiles to protect standard Linux services. To protect other applications, use the Novell AppArmor tools to create profiles for the applications that you want protected. This chapter introduces the philosophy of immunizing programs. Proceed to Chapter 2, Profile Components and Syntax (page 11), Chapter 3, Building and Managing Profiles with YaST (page 27), or Chapter 4, Building Profiles from the Command Line (page 49) if you are ready to build and manage Novell AppArmor profiles.

Novell AppArmor provides streamlined access control for network services by specifying which files each program is allowed to read, write, and execute, and which type of network it is allowed to access. This ensures that each program does what it is supposed to do and nothing else. Novell AppArmor quarantines programs to protect the rest of the system from being damaged by a compromised process.

Novell AppArmor is a host intrusion prevention or mandatory access control scheme. Previously, access control schemes were centered around users because they were built for large timeshare systems. Alternatively, modern network servers largely do not permit users to log in, but instead provide a variety of network services for users, such as Web, mail, file, and print servers. Novell AppArmor controls the access given to network services and other programs to prevent weaknesses from being exploited.

TIP: Background Information for Novell AppArmor
To get a more in-depth overview of AppArmor and the overall concept behind it, refer to Appendix A, Background Information on AppArmor Profiling (page 127).
1.1 Introducing the AppArmor Framework

This section provides a very basic understanding of what is happening "behind the scenes" (and under the hood of the YaST interface) when you run AppArmor. An AppArmor profile is a plain text file containing path entries and access permissions. See Section 2.1, "Breaking a Novell AppArmor Profile into Its Parts" (page 12) for a detailed reference profile. The directives contained in this text file are then enforced by the AppArmor routines to quarantine the process or program.

The following tools interact in the building and enforcement of AppArmor profiles and policies:

aa-unconfined
aa-unconfined detects any application running on your system that listens for network connections and is not protected by an AppArmor profile. Refer to Section "aa-unconfined—Identifying Unprotected Processes" (page 73) for detailed information about this tool.

aa-autodep
aa-autodep creates a basic skeleton of a profile that needs to be fleshed out before it is put to productive use. The resulting profile is loaded and put into complain mode, reporting any behavior of the application that is not (yet) covered by AppArmor rules. Refer to Section "aa-autodep—Creating Approximate Profiles" (page 56) for detailed information about this tool.

aa-genprof
aa-genprof generates a basic profile and asks you to refine this profile by executing the application, generating log events that need to be taken care of by AppArmor policies. You are guided through a series of questions to deal with the log events that have been triggered during the application's execution. After the profile has been generated, it is loaded and put into enforce mode. Refer to Section "aa-genprof—Generating Profiles" (page 59) for detailed information about this tool.

aa-logprof
aa-logprof interactively scans and reviews the log entries generated by an application that is confined by an AppArmor profile in complain mode. It assists you in generating new entries in the profile concerned. Refer to Section "aa-logprof—Scanning the System Log" (page 67) for detailed information about this tool.

aa-complain
aa-complain toggles the mode of an AppArmor profile from enforce to complain. Exceptions to rules set in a profile are logged, but the profile is not enforced. Refer to Section "aa-complain—Entering Complain or Learning Mode" (page 57) for detailed information about this tool.

aa-enforce
aa-enforce toggles the mode of an AppArmor profile from complain to enforce. Exceptions to rules set in a profile are logged, but not permitted; the profile is enforced. Refer to Section "aa-enforce—Entering Enforce Mode" (page 58) for detailed information about this tool.

Once a profile has been built and is loaded, there are two ways in which it can get processed:

complain
In complain mode, violations of AppArmor profile rules, such as the profiled program accessing files not permitted by the profile, are detected. The violations are permitted, but also logged. To improve the profile, turn complain mode on, run the program through a suite of tests to generate log events that characterize the program's access needs, then postprocess the log with the AppArmor tools (YaST or aa-logprof) to transform log events into improved profiles.

enforce
In enforce mode, violations of AppArmor profile rules, such as the profiled program accessing files not permitted by the profile, are detected. The violations are logged and not permitted. The default is for enforce mode to be enabled. To log the violations only, but still permit them, use complain mode. Enforce toggles with complain mode.
1.2 Determining Programs to Immunize

Now that you have familiarized yourself with AppArmor, start selecting the applications for which to build profiles. Programs that need profiling are those that mediate privilege. The following programs have access to resources that the person using the program does not have, so they grant the privilege to the user when used:

cron Jobs
Programs that are run periodically by cron. Such programs read input from a variety of sources and can run with special privileges, sometimes with as much as root privilege. For example, cron can run /usr/sbin/logrotate daily to rotate, compress, or even mail system logs. For instructions for finding these types of programs, refer to Section 1.3, "Immunizing cron Jobs" (page 5).

Web Applications
Programs that can be invoked through a Web browser, including CGI Perl scripts, PHP pages, and more complex Web applications. For instructions for finding these types of programs, refer to Section 1.4.1, "Immunizing Web Applications" (page 7).

Network Agents
Programs (servers and clients) that have open network ports. User clients, such as mail clients and Web browsers, mediate privilege. These programs run with the privilege to write to the user's home directory and they process input from potentially hostile remote sources, such as hostile Web sites and e-mailed malicious code. For instructions for finding these types of programs, refer to Section 1.4.2, "Immunizing Network Agents" (page 9).

Conversely, unprivileged programs do not need to be profiled. For instance, a shell script might invoke the cp program to copy a file. Because cp does not have its own profile, it inherits the profile of the parent shell script, so can copy any files that the parent shell script's profile can read and write.
1.3 Immunizing cron Jobs

To find programs that are run by cron, inspect your local cron configuration. Unfortunately, cron configuration is rather complex, so there are numerous files to inspect. Periodic cron jobs are run from these files:

/etc/crontab
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/etc/cron.monthly/*
/etc/cron.weekly/*

For root's cron jobs, edit the tasks with crontab -e and list root's cron tasks with crontab -l. You must be root for these to work. Once you find these programs, you can use the Add Profile Wizard to create profiles for them. Refer to Section 3.1, "Adding a Profile Using the Wizard" (page 29).
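The inventory described in this section can be scripted. The following is an added example, not part of the guide: it reads the cron files listed above from a directory laid out like /etc, extracts the program each job runs, and checks for a profile file under the naming convention this guide uses (/usr/sbin/httpd2-prefork is confined by usr.sbin.httpd2-prefork). The miniature /etc it builds and the program names in it are constructed sample data.

```python
"""Programs run by cron, and which of them lack an AppArmor profile.

Added example, not from the guide: reads the cron files named in this section
from a directory laid out like /etc, takes the program of each job and derives
the profile filename AppArmor uses under /etc/apparmor.d (leading slash dropped,
other slashes turned into dots, e.g. /usr/sbin/logrotate -> usr.sbin.logrotate).
"""
import os
import re
import shlex
import tempfile

# crontab(5) system format: five time fields (or an @keyword), a user, a command.
JOB_RE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")
ENV_RE = re.compile(r"^\s*\w+\s*=")           # SHELL=..., PATH=..., MAILTO=...
OPERATORS = {"&&", "||", ";", "|", "(", ")"}   # each starts a new simple command


def parse_crontab(text):
    """Yield (user, command) per job line; comments, blanks and VAR=value are skipped."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or ENV_RE.match(line):
            continue
        m = JOB_RE.match(line)
        if m:
            yield m.group("user"), m.group("cmd")


def programs_in(command):
    """First word of every simple command on a cron command line: splitting on
    &&, ||, ; and | means 'test -x /a/b && /a/b' yields ['test', '/a/b'], and an
    argument such as /etc/logrotate.conf or a redirect target is not taken for a program."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    programs, at_start = [], True
    for tok in lex:
        if tok in OPERATORS:
            at_start = True
        elif at_start:
            programs.append(tok)
            at_start = False
    return programs


def profile_name(program):
    """Profile filename for a program, e.g. /usr/sbin/logrotate -> usr.sbin.logrotate."""
    return program.lstrip("/").replace("/", ".")


def cron_programs(etc):
    """(absolute_paths, bare_names) of programs cron runs under `etc` (laid out like
    /etc); bare names such as 'test' still need a PATH lookup before profiling."""
    absolute, bare = set(), set()
    crontabs = [os.path.join(etc, "crontab")]
    cron_d = os.path.join(etc, "cron.d")
    if os.path.isdir(cron_d):
        crontabs += [os.path.join(cron_d, n) for n in sorted(os.listdir(cron_d))]
    for path in crontabs:
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            for _user, cmd in parse_crontab(fh.read()):
                for prog in programs_in(cmd):
                    (absolute if prog.startswith("/") else bare).add(prog)
    # Entries of /etc/cron.{hourly,daily,weekly,monthly}/ are executables themselves.
    for period in ("hourly", "daily", "weekly", "monthly"):
        d = os.path.join(etc, "cron." + period)
        if os.path.isdir(d):
            absolute.update("/etc/cron.%s/%s" % (period, n) for n in os.listdir(d))
    return sorted(absolute), sorted(bare)


def audit(etc):
    """Absolute-path cron programs under `etc` with no profile file in etc/apparmor.d."""
    profile_dir = os.path.join(etc, "apparmor.d")
    present = set(os.listdir(profile_dir)) if os.path.isdir(profile_dir) else set()
    return [p for p in cron_programs(etc)[0] if profile_name(p) not in present]


def build_sample():
    """Constructed miniature /etc (sample data, not a real system): a crontab, two
    cron.d files, one cron.daily script and an apparmor.d holding only logrotate."""
    etc = tempfile.mkdtemp()
    for d in ("cron.d", "cron.daily", "apparmor.d"):
        os.mkdir(os.path.join(etc, d))
    files = {
        "crontab": "SHELL=/bin/sh\nPATH=/usr/bin:/usr/sbin:/bin:/sbin\n# run-crons\n"
                   "*/15 * * * * root test -x /usr/lib/cron/run-crons && "
                   "/usr/lib/cron/run-crons >/dev/null 2>&1\n",
        "cron.d/logrotate": "0 2 * * *  root  /usr/sbin/logrotate /etc/logrotate.conf\n",
        "cron.d/backup": "@daily  root  /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1\n",
        "cron.daily/suse.de-clean-tmp": "#!/bin/sh\nexit 0\n",
        "apparmor.d/usr.sbin.logrotate": "/usr/sbin/logrotate {\n}\n",
    }
    for rel, content in files.items():
        with open(os.path.join(etc, rel), "w") as fh:
            fh.write(content)
    return etc


if __name__ == "__main__":
    for prog in audit(build_sample()):
        print("no profile for %s (expected %s)" % (prog, profile_name(prog)))
```

Run against the real system, point `cron_programs` and `audit` at /etc (root is needed to read /etc/cron.d and root's own crontab, as the section notes).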
1.4 Immunizing Network Applications

An automated method for finding network server daemons that should be profiled is to use the aa-unconfined tool. You can also simply view a report of this information in the YaST module (refer to Section "Application Audit Report" (page 97) for instructions).

The aa-unconfined tool uses the command netstat -nlp to inspect your open ports from inside your computer, detect the programs associated with those ports, and inspect the set of Novell AppArmor profiles that you have loaded. aa-unconfined then reports these programs along with the Novell AppArmor profile associated with each program or reports "none" if the program is not confined.

NOTE
If you create a new profile, you must restart the program that has been profiled to have it be effectively confined by AppArmor.

Below is a sample aa-unconfined output:

2325 /sbin/portmap not confined
3702 /usr/sbin/sshd confined by '/usr/sbin/sshd (enforce)'
4040 /usr/sbin/ntpd confined by '/usr/sbin/ntpd (enforce)'
4373 /usr/lib/postfix/master confined by '/usr/lib/postfix/master (enforce)'
4505 /usr/sbin/httpd2-prefork confined by '/usr/sbin/httpd2-prefork (enforce)'
5274 /sbin/dhcpcd not confined
5592 /usr/bin/ssh not confined
7146 /usr/sbin/cupsd confined by '/usr/sbin/cupsd (complain)'

The first portion is a number. This number is the process ID number (PID) of the listening program. The second portion is a string that represents the absolute path of the listening program. The final portion indicates the profile confining the program, if any.

NOTE
aa-unconfined requires root privileges and should not be run from a shell that is confined by an AppArmor profile.

aa-unconfined does not distinguish between one network interface and another, so it reports all unconfined processes, even those that might be listening to an internal LAN interface.

Finding user network client applications is dependent on your user preferences. The aa-unconfined tool detects and reports network ports opened by client applications, but only those client applications that are running at the time the aa-unconfined analysis is performed. This is a problem because network services tend to be running all the time, while network client applications tend only to be running when the user is interested in them. Applying Novell AppArmor profiles to user network client applications is also dependent on user preferences. Therefore, we leave profiling of user network client applications as an exercise for the user.

To aggressively confine desktop applications, the aa-unconfined command supports a paranoid option, which reports all processes running and the corresponding AppArmor profiles that might or might not be associated with each process. The user can then decide whether each of these programs needs an AppArmor profile.

If you have new or modified profiles, you can submit them to the apparmor-general@forge.novell.com [mailto:apparmor-general@forge.novell.com] mailing list along with a use case for the application behavior that you exercised. The AppArmor team reviews and may submit the work into openSUSE. We cannot guarantee that every profile will be included, but we make a sincere effort to include as much as possible so that end users can contribute to the security profiles that ship in openSUSE.

Alternatively, use the AppArmor profile repository to make your profiles available to other users and to download profiles created by other AppArmor users and the AppArmor developers. Refer to Section 2.5, "Using the External AppArmor Profile Repository" (page 23) for more information on how to use the AppArmor profile repository.
1.4.1 Immunizing Web Applications

To find Web applications, investigate your Web server configuration. The Apache Web server is highly configurable and Web applications can be stored in many directories, depending on your local configuration. openSUSE, by default, stores Web applications in /srv/www/cgi-bin/. To the maximum extent possible, each Web application should have a Novell AppArmor profile.

Once you find these programs, you can use the AppArmor Add Profile Wizard to create profiles for them. Refer to Section 3.1, "Adding a Profile Using the Wizard" (page 29).

Because CGI programs are executed by the Apache Web server, the profile for Apache itself, usr.sbin.httpd2-prefork for Apache2 on openSUSE, must be modified to add execute permissions to each of these programs. For instance, adding the line /srv/www/cgi-bin/my_hit_counter.pl rpx grants Apache permission to execute the Perl script my_hit_counter.pl and requires that there be a dedicated profile for my_hit_counter.pl. If my_hit_counter.pl does not have a dedicated profile associated with it, the rule should say /srv/www/cgi-bin/my_hit_counter.pl rix to cause my_hit_counter.pl to inherit the usr.sbin.httpd2-prefork profile.

Some users might find it inconvenient to specify execute permission for every CGI script that Apache might invoke. Instead, the administrator can grant controlled access to collections of CGI scripts. For instance, adding the line /srv/www/cgi-bin/*.{pl,py,pyc} rix allows Apache to execute all files in /srv/www/cgi-bin/ ending in .pl (Perl scripts) and .py or .pyc (Python scripts). As above, the ix part of the rule causes Python scripts to inherit the Apache profile, which is appropriate if you do not want to write individual profiles for each Python script.

NOTE
If you want the subprocess confinement module (apache2-mod-apparmor) functionality when Web applications handle Apache modules (mod_perl and mod_php), use the ChangeHat features when you add a profile in YaST or at the command line. To take advantage of the subprocess confinement, refer to Section 5.1, "Apache ChangeHat" (page 76).

Profiling Web applications that use mod_perl and mod_php requires slightly different handling. In this case, the "program" is a script interpreted directly by the module within the Apache process, so no exec happens. Instead, the Novell AppArmor version of Apache calls change_hat() using a subprofile (a "hat") corresponding to the name of the URI requested.

NOTE
The name presented for the script to execute might not be the URI, depending on how Apache has been configured for where to look for module scripts. If you have configured your Apache to place scripts in a different place, the different names appear in the log file when Novell AppArmor complains about access violations. See Chapter 6, Managing Profiled Applications (page 87).

For mod_perl and mod_php scripts, this is the name of the Perl script or the PHP page requested. For example, adding this subprofile allows the localtime.php page to execute and access the local system time:

  /usr/bin/httpd2-prefork {
    # ...
    ^/cgi-bin/localtime.php {
      /etc/localtime r,
      /srv/www/cgi-bin/localtime.php r,
      /usr/lib/locale/** r,
    }
  }

If no subprofile has been defined, the Novell AppArmor version of Apache applies the DEFAULT_URI hat. This subprofile is basically sufficient to display an HTML Web page. The DEFAULT_URI hat that Novell AppArmor provides by default is the following:

  ^DEFAULT_URI {
    /usr/sbin/suexec2 ixr,
    /var/log/apache2/** rwl,
    /home/*/public_html/** r,
    /srv/www/htdocs/** r,
    /srv/www/icons/*.{gif,jpg,png} r,
    /usr/share/apache2/** r,
  }

To use a single Novell AppArmor profile for all Web pages and CGI scripts served by Apache, a good approach is to edit the DEFAULT_URI subprofile.
1.4.2 Immunizing Network Agents

To find network server daemons and network clients (such as fetchmail, Firefox, amaroK or Banshee) that should be profiled, you should inspect the open ports on your machine, consider the programs that are answering on those ports, and provide profiles for as many of those programs as possible. If you provide profiles for all programs with open network ports, an attacker cannot get to the file system on your machine without passing through a Novell AppArmor profile policy.

Scan your server for open network ports manually from outside the machine using a scanner, such as nmap, or from inside the machine using the netstat --inet -n -p command. Then inspect the machine to determine which programs are answering on the discovered open ports.

TIP
Refer to the man page of the netstat command for a detailed reference of all possible options.
2 Profile Components and Syntax

You are ready to build Novell AppArmor profiles after you select the programs to profile. To do so, it is important to understand the components and syntax of profiles. AppArmor profiles contain several building blocks that help build simple and reusable profile code: #include files, abstractions, program chunks, and capability entries. #include statements are used to pull in parts of other AppArmor profiles to simplify the structure of new profiles. Abstractions are #include statements grouped by common application tasks. Program chunks are chunks of profiles that are specific to program suites. Capability entries are profile entries for any of the POSIX.1e Linux capabilities.

For help determining the programs to profile, refer to Section 1.2, "Determining Programs to Immunize" (page 4). To start building AppArmor profiles with YaST, proceed to Chapter 3, Building and Managing Profiles with YaST (page 27). To build profiles using the AppArmor command line interface, proceed to Chapter 4, Building Profiles from the Command Line (page 49).
2.1 Breaking a Novell AppArmor Profile into Its Parts

Novell AppArmor profile components are called Novell AppArmor rules. Currently there are three main types of Novell AppArmor rules: path entries, capability entries, and network entries. Path entries specify what the process can access in the file system and capability entries provide a more fine-grained control over what a confined process is allowed to do through other system calls that require privileges. Includes are a type of meta rule or directives that pull in path and capability entries from other files.

The easiest way of explaining what a profile consists of and how to create one is to show the details of a sample profile, in this case for a hypothetical application called /usr/bin/foo:

  #include
  # a comment naming the application to confine
  /usr/bin/foo {
    #include
    capability setgid,
    network inet tcp,
    /bin/mount ux,
    /dev/{,u}random r,
    /etc/ld.so.cache r,
    /etc/foo.conf r,
    /etc/foo/* r,
    /lib/ld-*.so* mr,
    /lib/lib*.so* mr,
    /proc/[0-9]** r,
    /usr/lib/** mr,
    /tmp/ r,
    /tmp/foo.pid wr,
    /tmp/foo.* lrw,
    /@{HOME}/.foo_file rw,
    /@{HOME}/.foo_lock kw,
    # a comment about foo's subprofile, bar.
    ^bar {
      /lib/ld-*.so* mr,
      /usr/bin/bar px,
      /var/spool/* rwl,
    }
  }

The parts of this profile are:

- The first #include: This loads a file containing variable definitions.
- /usr/bin/foo: The normalized path to the program that is confined.
- { }: The curly braces ({}) serve as a container for include statements, subprofiles, path entries, capability entries, and network entries.
- The #include inside the profile: This directive pulls in components of AppArmor profiles to simplify profiles.
- capability setgid,: Capability entry statements enable each of the 29 POSIX.1e draft capabilities.
- network inet tcp,: A directive determining the kind of network access allowed to the application. For details, refer to Section 2.1.1, "Network Access Control" (page 14).
- /dev/{,u}random r,: The curly braces ({}) make this rule apply to the path both with and without the content enclosed by the braces.
- /etc/foo.conf r, and the other path entries: A path entry specifying what areas of the file system the program can access. The first part of a path entry specifies the absolute path of a file (including regular expression globbing) and the second part indicates permissible access modes (r for read, w for write, and x for execute). A whitespace of any kind (spaces or tabs) can precede pathnames or separate the pathname from the access modes. Spaces between the access mode and the trailing comma are optional. Find a comprehensive overview of the available access modes in Section 2.1.3, "File Permission Access Modes" (page 17).
- @{HOME}: This variable expands to a value that can be changed without changing the entire profile.
- ^bar: This section references a subprofile of the application, also known as a "hat". For more details on AppArmor's ChangeHat feature, refer to Chapter 5, Profiling Your Web Applications Using ChangeHat (page 75).

TIP: Using Variables in Profiles
With the current AppArmor tools, variables as presented in the above example can only be used when manually editing and maintaining a profile. A typical example when variables come in handy are network scenarios in which user home directories are not mounted in the standard location /home/username, but under a custom location. Find the variable definitions for this use case (@{HOME} and @{HOMEDIRS}) in the /etc/apparmor.d/tunables/home file.

When a profile is created for a program, the program can access only the files, modes, and POSIX capabilities specified in the profile. These restrictions are in addition to the native Linux access controls.

Example: To gain the capability CAP_CHOWN, the program must have both access to CAP_CHOWN under conventional Linux access controls (typically, be a root-owned process) and have the capability chown in its profile. Similarly, to be able to write to the file /foo/bar the program must have both the correct user ID and mode bits set in the file's attributes (see the chmod and chown man pages) and have /foo/bar w in its profile.

Attempts to violate Novell AppArmor rules are recorded in /var/log/audit/audit.log if the audit package is installed or otherwise in /var/log/messages. In many cases, Novell AppArmor rules prevent an attack from working because necessary files are not accessible and, in all cases, Novell AppArmor confinement restricts the damage that the attacker can do to the set of files permitted by Novell AppArmor.
2.1.1 Network Access Control

AppArmor allows mediation of network access based on the address type and family. The following illustrates the network access rule syntax:

  network [[domain] [type] [protocol]]

Supported domains: inet, ax25, ipx, appletalk, netrom, bridge, x25, inet6, rose, netbeui, security, key, packet, ash, econet, atmsvc, sna, irda, pppox, wanpipe, bluetooth
Supported types: stream, dgram, seqpacket, rdm, raw, packet
Supported protocols: tcp, udp, icmp

The AppArmor tools support only family and type specification. The AppArmor module emits only network domain type in "access denied" messages. And only these are output by the profile generation tools, both YaST and command line.

The following examples illustrate possible network-related rules to be used in AppArmor profiles. Note that the syntax of the two last ones is not currently supported by the AppArmor tools.

  network,               Allow all networking. No restrictions applied with regards to domain, type, or protocol.
  network inet,          Allow general use of IPv4 networking.
  network inet6,         Allow general use of IPv6 networking.
  network inet stream,   Allow the use of IPv4 TCP networking.
  network inet tcp,      Allow the use of IPv4 TCP networking, paraphrasing the rule above.
  network tcp,           Allow the use of both IPv4 and IPv6 TCP networking.
2.1.2 Paths and Globbing

AppArmor explicitly distinguishes directory path names from file path names. Use a trailing / for any directory path that needs to be explicitly distinguished:

  /some/random/example/* r        Allow read access to files in the /some/random/example directory.
  /some/random/example/ r         Allow read access to the directory only.
  /some/**/ r                     Give read access to any directories below /some.
  /some/random/example/** r       Give read access to files and directories under /some/random/example.
  /some/random/example/**[^/] r   Give read access to files under /some/random/example. Explicitly exclude directories ([^/]).

Globbing (or regular expression matching) is when you modify the directory path using wildcards to include a group of files or subdirectories. File resources can be specified with a globbing syntax similar to that used by popular shells, such as csh, Bash, and zsh.

  *         Substitutes for any number of any characters, except /. Example: An arbitrary number of file path elements.
  **        Substitutes for any number of characters, including /. Example: An arbitrary number of path elements, including entire directories.
  ?         Substitutes for any single character, except /.
  [abc]     Substitutes for the single character a, b, or c. Example: a rule that matches /home[01]/*/.plan allows a program to access .plan files for users in both /home0 and /home1.
  [a-c]     Substitutes for the single character a, b, or c.
  {ab,cd}   Expands to one rule to match ab and one rule to match cd. Example: a rule that matches /{usr,www}/pages/** grants access to Web pages in both /usr/pages and /www/pages.
  [^a]      Substitutes for any character except a.
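The two tables above can be checked mechanically. The following is an added example and not code from the guide or from AppArmor itself: it translates the globbing operators into Python regular expressions under the trailing-slash convention described above (a directory is presented to the matcher with a trailing /), and then replays the section's own file-versus-directory and brace examples.

```python
"""Match AppArmor path globs against concrete paths (added example, not from the guide).

Implements the operators in the table above: * (no /), ** (crosses /),
? (one non-/ character), [abc] / [a-c] / [^a] classes and {ab,cd} alternation,
plus the trailing-slash convention: a directory is matched with a trailing /,
so '/some/**/' fits directories only and '/some/random/example/*' fits files
in that directory but not its subdirectories.
"""
import re


def expand_braces(pattern):
    """Expand every {a,b,...} group into the list of plain globs it stands for."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(expand_braces(head + alt + tail))
    return expanded


def glob_to_regex(pattern):
    """Compile one brace-free AppArmor glob into a regular expression."""
    parts, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            parts.append(".*")            # ** may span directory separators
            i += 2
            continue
        if c == "*":
            parts.append("[^/]*")         # * stops at /
        elif c == "?":
            parts.append("[^/]")
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                parts.append(re.escape(c))    # no closing bracket: a literal [
            else:
                # ranges (a-c) and negation (^a) are regex classes already; only \ needs escaping
                parts.append("[" + pattern[i + 1:end].replace("\\", "\\\\") + "]")
                i = end + 1
                continue
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("".join(parts))


def rule_matches(path_glob, path, is_dir=False):
    """True if the glob covers `path`; pass is_dir=True for a directory, which
    AppArmor presents to the matcher with a trailing slash."""
    subject = path.rstrip("/") + "/" if is_dir else path
    return any(glob_to_regex(g).fullmatch(subject) is not None
               for g in expand_braces(path_glob))


if __name__ == "__main__":
    # The section's own examples (glob, path, is_dir, expected), checked mechanically.
    checks = [
        ("/some/random/example/*", "/some/random/example/a.txt", False, True),
        ("/some/random/example/*", "/some/random/example/sub", True, False),
        ("/some/random/example/", "/some/random/example", True, True),
        ("/some/**/", "/some/a/b", True, True),
        ("/some/**/", "/some/a/b", False, False),
        ("/some/random/example/**[^/]", "/some/random/example/sub/f", False, True),
        ("/some/random/example/**[^/]", "/some/random/example/sub", True, False),
        ("/home[01]/*/.plan", "/home1/bob/.plan", False, True),
        ("/home[01]/*/.plan", "/home2/eve/.plan", False, False),
        ("/{usr,www}/pages/**", "/www/pages/a/b.html", False, True),
        ("/srv/www/cgi-bin/*.{pl,py,pyc}", "/srv/www/cgi-bin/my_hit_counter.pl", False, True),
        ("/srv/www/cgi-bin/*.{pl,py,pyc}", "/srv/www/cgi-bin/sub/x.pl", False, False),
    ]
    for glob, path, is_dir, expected in checks:
        assert rule_matches(glob, path, is_dir) == expected, (glob, path)
    print("all %d globbing checks behave as the tables describe" % len(checks))
```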
1.
3FilePermissionAccessModesFilepermissionaccessmodesconsistofcombinationsofthefollowingelevenmodes:ReadmoderWritemode(mutuallyexclusivetoa)wAppendmode(mutuallyexclusivetow)aFilelockingmodekDiscreteprofileexecutemodepxDiscreteprofileexecutemode—cleanexecPxUnconstrainedexecutemodeuxUnconstrainedexecutemode—cleanexecUxInheritexecutemodeixAllowPROT_EXECwithmmap(2)callsmLinkmodelReadMode(r)Allowstheprogramtohavereadaccesstotheresource.
Readaccessisrequiredforshellscriptsandotherinterpretedcontentanddeterminesifanexecutingprocesscancoredumporbeattachedtowithptrace(2)(ptrace(2)isusedbyutilitieslikestrace(1),ltrace(1),andgdb(1)).
WriteMode(w)Allowstheprogramtohavewriteaccesstotheresource.
Filesmusthavethisper-missioniftheyaretobeunlinked(removed).
AppendMode(a)Allowsaprogramtowritetotheendofafile.
Incontrasttothewmode,theappendmodedoesnotincludetheabilitytooverwritedata,torename,ortoremoveafile.
ProfileComponentsandSyntax17Theappendpermissionistypicallyusedwithapplicationswhoneedtobeabletowritetologfiles,butwhichshouldnotbeabletomanipulateanyexistingdatainthelogfiles.
Astheappendpermissionisjustasubsetofthepermissionsassociatedwiththewritemode,thewandapermissionflagscannotbeusedtogetherandaremutuallyexclusive.
FileLockingMode(k)Theapplicationcantakefilelocks.
FormerversionsofAppArmorallowedfilestobelockedifanapplicationhadaccesstothem.
Byusingaseparatefilelockingmode,AppArmormakessurelockingisrestrictedonlytothosefileswhichneedfilelockingandtightenssecurityaslockingcanbeusedinseveraldenialofserviceattackscenarios.
DiscreteProfileExecuteMode(px)ThismoderequiresthatadiscretesecurityprofileisdefinedforaresourceexecutedatanAppArmordomaintransition.
Ifthereisnoprofiledefined,theaccessisdenied.
WARNING:UsingtheDiscreteProfileExecuteModepxdoesnotscrubtheenvironmentofvariablessuchasLD_PRELOAD.
Asaresult,thecallingdomainmayhaveanundueamountofinfluenceoverthecalleditem.
IncompatiblewithUx,ux,Px,andix.
DiscreteProfileExecuteMode(Px)—CleanExecPxallowsthenamedprogramtoruninpxmode,butAppArmorinvokestheLinuxkernel'sunsafe_execroutinestoscrubtheenvironment,similartosetuidpro-grams.
Seeld.
so(8)forsomeinformationaboutsetuidandsetgidenvironmentscrubbing.
IncompatiblewithUx,ux,px,andix.
UnconstrainedExecuteMode(ux)AllowstheprogramtoexecutetheresourcewithoutanyAppArmorprofileappliedtotheexecutedresource.
Requireslistingexecutemodeaswell.
Thismodeisusefulwhenaconfinedprogramneedstobeabletoperformaprivi-legedoperation,suchasrebootingthemachine.
Byplacingtheprivilegedsectioninanotherexecutableandgrantingunconstrainedexecutionrights,itispossibleto18NovellAppArmorAdministrationGuidebypassthemandatoryconstraintsimposedonallconfinedprocesses.
Formorein-formationaboutwhatisconstrained,seetheapparmor(7)manpage.
WARNING:UsingUnconstrainedExecuteMode(ux)Useuxonlyinveryspecialcases.
ItenablesthedesignatedchildprocessestoberunwithoutanyAppArmorprotection.
uxdoesnotscrubtheenvi-ronmentofvariablessuchasLD_PRELOAD.
Asaresult,thecallingdomainmayhaveanundueamountofinfluenceoverthecalledresource.
UsethismodeonlyifthechildabsolutelymustberununconfinedandLD_PRELOADmustbeused.
Anyprofileusingthismodeprovidesnegligiblesecurity.
Useatyourownrisk.
ThismodeisincompatiblewithUx,px,Px,andix.
UnconstrainedExecuteMode(Ux)—CleanExecUxallowsthenamedprogramtoruninuxmode,butAppArmorinvokestheLinuxkernel'sunsafe_execroutinestoscrubtheenvironment,similartosetuidpro-grams.
Seeld.
so(8)forsomeinformationaboutsetuidandsetgidenvironmentscrubbing.
WARNING:UsingUnconstrainedExecuteMode(Ux)UseUxonlyinveryspecialcases.
ItenablesthedesignatedchildprocessestorunwithoutanyAppArmorprotection.
Usethismodeonlyifthechildabsolutelymustberununconfined.
Useatyourownrisk.
Incompatiblewithux,px,Px,andix.
InheritExecuteMode(ix)ixpreventsthenormalAppArmordomaintransitiononexecve(2)whentheprofiledprogramexecutesthenamedprogram.
Instead,theexecutedresourcein-heritsthecurrentprofile.
Thismodeisusefulwhenaconfinedprogramneedstocallanotherconfinedpro-gramwithoutgainingthepermissionsofthetarget'sprofileorlosingthepermissionsofthecurrentprofile.
Thereisnoversiontoscrubtheenvironmentbecauseixexecutionsdonotchangeprivileges.
IncompatiblewithUx,ux,Px,andpx.
Impliesm.
ProfileComponentsandSyntax19AllowExecutableMapping(m)Thismodeallowsafiletobemappedintomemoryusingmmap(2)'sPROT_EXECflag.
Thisflagmarksthepagesexecutable.
Itisusedonsomearchitecturestopro-videnonexecutabledatapages,whichcancomplicateexploitattempts.
AppArmorusesthismodetolimitwhichfilesawell-behavedprogram(orallprogramsonarchitecturesthatenforcenonexecutablememoryaccesscontrols)mayuseasli-braries,tolimittheeffectofinvalid-Lflagsgiventold(1)andLD_PRELOAD,LD_LIBRARY_PATH,giventold.
so(8).
Link Mode
The link mode mediates access to hard links. When a link is created, the target file must have the same access permissions as the link created (with the exception that the destination does not need link access).

When choosing one of the Ux or Px file permission access modes, take into account that the following environment variables are removed from the environment before the child process inherits it. As a consequence, applications or processes relying on any of these variables do not work anymore if the profile applied to them carries Ux or Px flags:

GCONV_PATH
GETCONF_DIR
HOSTALIASES
LD_AUDIT
LD_DEBUG
LD_DEBUG_OUTPUT
LD_DYNAMIC_WEAK
LD_LIBRARY_PATH
LD_ORIGIN_PATH
LD_PRELOAD
LD_PROFILE
LD_SHOW_AUXV
LD_USE_LOAD_BIAS
LOCALDOMAIN
LOCPATH
MALLOC_TRACE
NLSPATH
RESOLV_HOST_CONF
RES_OPTIONS
TMPDIR
TZDIR
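To see what a Ux or Px transition takes away from a child process, the following added shell example (not part of the guide) removes exactly the variables listed above before executing a command, and reports which of them are set in the caller's environment. AA_SCRUBBED_VARS and the two function names are assumptions made here; the script only approximates in userland what the kernel does on such a transition.

```shell
#!/bin/sh
# Added example, not from the guide: a userland approximation of the
# environment scrubbing AppArmor applies on Ux/Px execute transitions.
# AA_SCRUBBED_VARS holds the variable names the guide lists; the function
# names are assumptions made for this example.

AA_SCRUBBED_VARS="GCONV_PATH GETCONF_DIR HOSTALIASES LD_AUDIT LD_DEBUG \
LD_DEBUG_OUTPUT LD_DYNAMIC_WEAK LD_LIBRARY_PATH LD_ORIGIN_PATH LD_PRELOAD \
LD_PROFILE LD_SHOW_AUXV LD_USE_LOAD_BIAS LOCALDOMAIN LOCPATH MALLOC_TRACE \
NLSPATH RESOLV_HOST_CONF RES_OPTIONS TMPDIR TZDIR"

# Run a command with the scrubbed variables removed from its environment,
# as a child would see it after a Ux or Px transition. The subshell keeps
# the caller's own environment untouched.
aa_scrubbed_exec() {
    (
        for v in $AA_SCRUBBED_VARS; do
            unset "$v"
        done
        exec "$@"
    )
}

# Print, one per line, the scrubbed variables that are currently set in
# the caller's environment. Anything listed here is lost across a Ux/Px
# transition, so a program confined with those flags must not depend on it.
aa_env_at_risk() {
    for v in $AA_SCRUBBED_VARS; do
        # eval is used only to dereference the variable name held in $v
        eval "val=\${$v+set}"
        [ "$val" = set ] && printf '%s\n' "$v"
    done
    return 0
}
```

Running `aa_env_at_risk` before confining a program with Px or Ux is a quick way to spot wrappers that rely on LD_LIBRARY_PATH or TMPDIR and would break after the switch.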
2.2 #include Statements
#include statements are directives that pull in components of other Novell AppArmor profiles to simplify profiles. Include files fetch access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs. Using includes can reduce the size of a profile.

By default, AppArmor adds /etc/apparmor.d to the path in the #include statement. AppArmor expects the include files to be located in /etc/apparmor.d. Unlike other profile statements (but similar to C programs), #include lines do not end with a comma.

To assist you in profiling your applications, Novell AppArmor provides two classes of #includes: abstractions and program chunks.
2.2.1 Abstractions
Abstractions are #includes that are grouped by common application tasks. These tasks include access to authentication mechanisms, access to name service routines, common graphics requirements, and system accounting. Files listed in these abstractions are specific to the named task. Programs that require one of these files usually require some of the other files listed in the abstraction file (depending on the local configuration as well as the specific requirements of the program). Find abstractions in /etc/apparmor.d/abstractions.
2.2.2 Program Chunks
The program-chunks directory (/etc/apparmor.d/program-chunks) contains some chunks of profiles that are specific to program suites and not generally useful outside of the suite, thus are never suggested for use in profiles by the profile wizards (aa-logprof and aa-genprof). Currently program chunks are only available for the postfix program suite.
2.3 Capability Entries (POSIX.1e)
Capabilities statements are simply the word capability followed by the name of the POSIX.1e capability as defined in the capabilities(7) man page.
2.4 Using the Local AppArmor Profile Repository
AppArmor ships a set of profiles enabled by default and created by the AppArmor developers and kept under /etc/apparmor.d. In addition to these profiles, openSUSE ships profiles for individual applications together with the respective application. These profiles are not enabled by default and reside under another directory than the standard AppArmor profiles, /etc/apparmor/profiles/extras.

The AppArmor tools, both YaST and aa-genprof and aa-logprof, support the use of a local repository. Whenever you start to create a new profile from scratch and there already is one inactive profile in your local repository, you are asked whether you would like to use the existing inactive one from /etc/apparmor/profiles/extras and whether you want to base your efforts on it. If you decide to use this profile, it gets copied over to the directory of profiles enabled by default (/etc/apparmor.d) and loaded whenever AppArmor is started. Any further adjustments will be done to the active profile under /etc/apparmor.d.
2.5 Using the External AppArmor Profile Repository
In addition to the profiles shipping with openSUSE, AppArmor supports the use of an external profile repository. This repository is maintained by Novell and allows you to download profiles generated by Novell and other AppArmor users as well as uploading your own. Find the profile repository at http://apparmor.opensuse.org.

NOTE: Using the AppArmor Profile Repository
When using the profile repository in your deployment, bear in mind that the profiles maintained in the repository are primarily targeted at profile developers and will probably need fine-tuning before they suit your particular needs. Please test the downloaded profiles extensively before deploying them to your live setup and adjust them if necessary.

The profile repository serves two main purposes:

1. Allow users to browse profiles created by other users and pull them from the server to use on their own systems.
2. Allow users to upload their profiles to be able to easily use them on different machines.

A valid login on the profile repository server is required for uploading profiles. Just downloading profiles from the server does not require a login.
2.5.1 Setting up Profile Repository Support
Once properly configured, both the YaST and the command line tools support the use of an external profile repository. The initial configuration takes place when you start the YaST Add Profile Wizard, the Update Profile Wizard, aa-genprof, or aa-logprof to create or update a profile that already exists on the repository server:

1 Determine whether to use or not to use the profile repository at all.
2 Enable the repository for profile downloads.
3 Once you have created or modified a profile, determine whether the tools should be able to upload your profile to the repository. If you chose to upload profiles to the repository, enter your credentials for the repository server.

The configuration of the repository is done by editing two configuration files, /etc/apparmor/logprof.conf and /etc/apparmor/repository.conf.

The /etc/apparmor/logprof.conf file contains a section called [repository]. distro determines the version of openSUSE used on your system for which the AppArmor tools should search profiles on the server. url holds the server URL and preferred_user tells the AppArmor tools to prefer profiles created by the novell user. Those profiles were created, tested and approved by members of the SUSE development team.

  ...
  [repository]
  distro=opensuse10.3
  url=http://apparmor.opensuse.org/backend/api
  preferred_user=novell
  ...

The /etc/apparmor/repository.conf file is created during the configuration process with the AppArmor tools. It contains your authentication data and specifies which actions to enable with regards to the profile repository. If you opt for profile download and do not want to be able to upload your own profiles, enabled is set to yes while upload is set to no.

  [repository]
  enabled=yes
  upload=yes
  user=tux
  pass=XXXXX

Once initially configured through the AppArmor tools, the configuration can only be changed manually.
2.5.2 Downloading a Profile
While creating a profile from scratch or updating an existing profile by processing reject messages in the log, the AppArmor tools search the repository for a matching profile. If the search is successful, the profile or the list of profiles is displayed and you can view them and choose the one that best matches your setup. As soon as you have chosen a profile, it gets copied to the local machine (to the /etc/apparmor.d directory) and activated. Alternatively, you can choose to ignore the profile on the repository and create your own one from scratch.
2.5.3 Uploading Your own Profile
After a profile has been created or updated, the AppArmor tools detect that a profile also present in the repository has been changed or that a new one has been created. If your system is configured to upload profiles to the repository, you are prompted to provide a ChangeLog to document your changes before the changes are uploaded to the server. These changes are only synced to the repository, but not to the creator of the original profile.
2.6 Important Filenames and Directories
The following list contains the most important files and directories used by the AppArmor framework. If you intend to manage and troubleshoot your profiles manually, make sure that you know about these files and directories:

/sys/kernel/security/apparmor/profiles
  Virtualized file representing the currently loaded set of profiles.

/etc/apparmor/
  Location of AppArmor configuration files.

/etc/apparmor/profiles/extras/
  A local repository of profiles shipped with AppArmor, but not enabled by default.

/etc/apparmor.d/
  Location of profiles, named with the convention of replacing the / in paths with . (not for the root /) so profiles are easier to manage. For example, the profile for the program /usr/sbin/ntpd is named usr.sbin.ntpd.

/etc/apparmor.d/abstractions/
  Location of abstractions.

/etc/apparmor.d/program-chunks/
  Location of program chunks.

/proc/*/attr/current
  Check this file to review the confinement status of a process and the profile that is used to confine the process. The ps auxZ command retrieves this information automatically.
3 Building and Managing Profiles with YaST
YaST provides an easy way to build profiles and manage Novell AppArmor. It provides two interfaces: a fully graphical one and a text-based one. The text-based interface consumes less resources and bandwidth, making it a better choice for remote administration or for times when a local graphical environment is inconvenient. Although the interfaces have differing appearances, they offer the same functionality in similar ways. Another alternative is to use AppArmor commands, which can control AppArmor from a terminal window or through remote connections. The command line tools are described in Chapter 4, Building Profiles from the Command Line (page 49).

Start YaST from the main menu and enter your root password when prompted for it. Alternatively, start YaST by opening a terminal window, logging in as root, and entering yast2 for the graphical mode or yast for the text-based mode.
Figure 3.1 YaST Controls for AppArmor

The right frame shows the AppArmor options:

Add Profile Wizard
  For detailed steps, refer to Section 3.1, "Adding a Profile Using the Wizard" (page 29).

Manually Add Profile
  Add a Novell AppArmor profile for an application on your system without the help of the wizard. For detailed steps, refer to Section 3.2, "Manually Adding a Profile" (page 37).

Edit Profile
  Edits an existing Novell AppArmor profile on your system. For detailed steps, refer to Section 3.3, "Editing Profiles" (page 38).

Delete Profile
  Deletes an existing Novell AppArmor profile from your system. For detailed steps, refer to Section 3.4, "Deleting a Profile" (page 43).

Update Profile Wizard
  For detailed steps, refer to Section 3.5, "Updating Profiles from Log Entries" (page 44).

AppArmor Reports
  For detailed steps, refer to Section 6.3, "Configuring Reports" (page 91).

AppArmor Control Panel
  For detailed steps, refer to Section 3.6, "Managing Novell AppArmor and Security Event Status" (page 45).
3.1 Adding a Profile Using the Wizard
Add Profile Wizard is designed to set up Novell AppArmor profiles using the AppArmor profiling tools, aa-genprof (generate profile) and aa-logprof (update profiles from learning mode log file). For more information about these tools, refer to Section 4.6.3, "Summary of Profiling Tools" (page 56).

1 Stop the application before profiling it to ensure that application start-up is included in the profile. To do this, make sure that the application or daemon is not running. For example, enter rcPROGRAM stop (or /etc/init.d/PROGRAM stop) in a terminal window while logged in as root, replacing PROGRAM with the name of the program to profile.

2 Start YaST and select Novell AppArmor > Add Profile Wizard.

3 Enter the name of the application or browse to the location of the program.

4 Click Create. This runs an AppArmor tool named aa-autodep, which performs a static analysis of the program to profile and loads an approximate profile into the AppArmor module. For more information about aa-autodep, refer to Section "aa-autodep—Creating Approximate Profiles" (page 56).

Depending on whether the profile you are about to create already exists either in the local profile repository (see Section 2.4, "Using the Local AppArmor Profile Repository" (page 22)) or in the external profile repository (see Section 2.5, "Using the External AppArmor Profile Repository" (page 23)) or whether it does not exist yet, proceed with one of the following options:

- Determine whether you want to use or fine-tune an already existing profile from your local profile repository, as outlined in Step 5 (page 30).
- Determine whether you want to use or fine-tune an already existing profile from the external profile repository, as outlined in Step 6 (page 31).
- Create the profile from scratch and proceed with Step 7 (page 31) and beyond.
5 If the profile already exists in the local profile repository under /etc/apparmor/profiles/extras, YaST informs you that there is an inactive profile which you can either use as a base for your own efforts or which you can just accept as is. Alternatively, you can choose not to use the local version at all and start creating the profile from scratch. In any case, proceed with Step 7 (page 31).

6 If the profile already exists in the external profile repository and this is the first time you tried to create a profile that already exists in the repository, configure your access to the server and determine how to use it:

6a Determine whether you want to enable access to the external repository or postpone this decision. In case you have selected Enable Repository, determine the access mode (download/upload) in a next step. In case you want to postpone the decision, select Ask Me Later and proceed directly to Step 7 (page 31).

6b Provide username and password for your account on the profile repository server and register at the server.

6c Select the profile to use and proceed to Step 7 (page 31).
7 Run the application to profile.

8 Perform as many of the application functions as possible so learning mode can log the files and directories to which the program requires access to function properly. Be sure to include restarting and stopping the program in the exercised functions. AppArmor needs to handle these events as well as any other program function.

9 Click Scan system log for AppArmor events to parse the learning mode log files. This generates a series of questions that you must answer to guide the wizard in generating the security profile. If requests to add hats appear, proceed to Chapter 5, Profiling Your Web Applications Using ChangeHat (page 75).
The questions fall into two categories:

- A resource is requested by a profiled program that is not in the profile (see Figure 3.2, "Learning Mode Exception: Controlling Access to Specific Resources" (page 32)). Allow or deny access to a specific resource.
- A program is executed by the profiled program and the security domain transition has not been defined (see Figure 3.3, "Learning Mode Exception: Defining Execute Permissions for an Entry" (page 33)). Define execute permissions for an entry.

Each of these cases results in a series of questions that you must answer to add the resource to the profile or to add the program to the profile. For an example of each case, see Figure 3.2, "Learning Mode Exception: Controlling Access to Specific Resources" (page 32) and Figure 3.3, "Learning Mode Exception: Defining Execute Permissions for an Entry" (page 33). Subsequent steps describe your options in answering these questions.

NOTE: Varying Processing Options
Depending on the type of entry processed, the available options vary.

Figure 3.2 Learning Mode Exception: Controlling Access to Specific Resources

Figure 3.3 Learning Mode Exception: Defining Execute Permissions for an Entry

10 The Add Profile Wizard begins suggesting directory path entries that have been accessed by the application profiled (as seen in Figure 3.2, "Learning Mode Exception: Controlling Access to Specific Resources" (page 32)) or requires you to define execute permissions for entries (as seen in Figure 3.3, "Learning Mode Exception: Defining Execute Permissions for an Entry" (page 33)).

For Figure 3.2: Learning Mode Exception: Controlling Access to Specific Resources: Select the option that satisfies the request for access, which could be a suggested include, a particular globbed version of the path, or the actual pathname. Depending on the situation, these options are available:

#include
  The section of a Novell AppArmor profile that refers to an include file. Include files give access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs. Using includes can reduce the size of a profile. It is good practice to select includes when suggested.
Globbed Version
  Accessed by clicking Glob. For information about globbing syntax, refer to Section 2.1.2, "Paths and Globbing" (page 15).

Actual Pathname
  Literal path that the program needs to access to run properly.

After selecting a directory path, process it as an entry to the Novell AppArmor profile by clicking Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob or Edit it.

The following options are available to process the learning mode entries and build the profile:

Allow
  Grant the program access to the specified directory path entries. The Add Profile Wizard suggests file permission access. For more information about this, refer to Section 2.1.3, "File Permission Access Modes" (page 17).

Deny
  Click Deny to prevent the program from accessing the specified paths.

Glob
  Clicking this modifies the directory path (using wildcards) to include all files in the suggested directory. Double-clicking it grants access to all files and subdirectories beneath the one shown. For more information about globbing syntax, refer to Section 2.1.2, "Paths and Globbing" (page 15).

Glob w/Ext
  Modify the original directory path while retaining the filename extension. A single click causes /etc/apache2/file.ext to become /etc/apache2/*.ext, adding the wildcard (asterisk) in place of the filename. This allows the program to access all files in the suggested directories that end with the .ext extension. When you double-click it, access is granted to all files with the particular extension and subdirectories beneath the one shown.
Edit
  Edit the highlighted line. The new edited line appears at the bottom of the list.

Abort
  Abort aa-logprof, losing all rule changes entered so far and leaving all profiles unmodified.

Finish
  Close aa-logprof, saving all rule changes entered so far and modifying all profiles.

Click Allow or Deny for each learning mode entry. These help build the Novell AppArmor profile.

NOTE
The number of learning mode entries corresponds to the complexity of the application.

For Figure 3.3: Learning Mode Exception: Defining Execute Permissions for an Entry: From the following options, select the one that satisfies the request for access. For detailed information about the options available, refer to Section 2.1.3, "File Permission Access Modes" (page 17).

Inherit
  Stay in the same security profile (parent's profile).

Profile
  Require a separate profile to exist for the executed program. When selecting this option, also select whether AppArmor should sanitize the environment when switching profiles by removing certain environment variables that can modify the execution behavior of the child process. Unless these variables are absolutely required to properly execute the child process, always choose the more secure, sanitized option.

Unconfined
  Execute the program without a security profile. When prompted, have AppArmor sanitize the environment to avoid adding security risks by inheriting certain environment variables from the parent process.

WARNING: Risks of Running Unconfined
Unless absolutely necessary, do not run unconfined. Choosing the Unconfined option executes the new program without any protection from AppArmor.

Deny
  Click Deny to prevent the program from accessing the specified paths.

Abort
  Abort aa-logprof, losing all rule changes entered so far and leaving all profiles unmodified.

Finish
  Close aa-logprof, saving all rule changes entered so far and modifying all profiles.

11 Repeat the previous steps if you need to execute more functionality of the application. When you are done, click Finish. Choose to apply your changes to the local profile set. If you have previously chosen to upload your profile to the external profile repository, provide a brief change log entry describing your work and upload the profile. If you had postponed the decision on whether to upload the profile or not, YaST asks you again and you can create an account and upload the profile now or not upload it at all.

As soon as you exit the Profile Creation Wizard, the profile is saved both locally and on the repository server, if you have chosen to upload it. The profile is then loaded into the AppArmor module.
3.2 Manually Adding a Profile
Novell AppArmor enables you to create a Novell AppArmor profile by manually adding entries into the profile. Select the application for which to create a profile then add entries.

1 Start YaST and select Novell AppArmor > Manually Add Profile.

2 Browse your system to find the application for which to create a profile.

3 When you find the application, select it and click Open. A basic, empty profile appears in the AppArmor Profile Dialog window.

4 In AppArmor Profile Dialog, add, edit, or delete AppArmor profile entries by clicking the corresponding buttons and referring to Section 3.3.1, "Adding an Entry" (page 40), Section 3.3.2, "Editing an Entry" (page 42), or Section 3.3.3, "Deleting an Entry" (page 43).

5 When finished, click Done.
3.3 Editing Profiles
AppArmor enables you to edit Novell AppArmor profiles manually by adding, editing, or deleting entries. To edit a profile, proceed as follows:

1 Start YaST and select Novell AppArmor > Edit Profile.

2 From the list of profiled applications, select the profile to edit.

3 Click Next. The AppArmor Profile Dialog window displays the profile.

4 In the AppArmor Profile Dialog window, add, edit, or delete Novell AppArmor profile entries by clicking the corresponding buttons and referring to Section 3.3.1, "Adding an Entry" (page 40), Section 3.3.2, "Editing an Entry" (page 42), or Section 3.3.3, "Deleting an Entry" (page 43).

5 When you are finished, click Done.

6 In the pop-up that appears, click Yes to confirm your changes to the profile and reload the AppArmor profile set.

TIP: Syntax Checking in AppArmor
AppArmor contains a syntax check that notifies you of any syntax errors in profiles you are trying to process with the YaST AppArmor tools. If an error occurs, edit the profile manually as root and reload the profile set with rcapparmor reload.
3.3.1 Adding an Entry
The Add Entry option can be found in Section 3.2, "Manually Adding a Profile" (page 37) or Section 3.3, "Editing Profiles" (page 38). When you select Add Entry, a list shows the types of entries you can add to the Novell AppArmor profile. From the list, select one of the following:

File
  In the pop-up window, specify the absolute path of a file, including the type of access permitted. When finished, click OK. You can use globbing if necessary. For globbing information, refer to Section 2.1.2, "Paths and Globbing" (page 15). For file access permission information, refer to Section 2.1.3, "File Permission Access Modes" (page 17).

Directory
  In the pop-up window, specify the absolute path of a directory, including the type of access permitted. You can use globbing if necessary. When finished, click OK. For globbing information, refer to Section 2.1.2, "Paths and Globbing" (page 15). For file access permission information, refer to Section 2.1.3, "File Permission Access Modes" (page 17).

Capability
  In the pop-up window, select the appropriate capabilities. These are statements that enable each of the 32 POSIX.1e capabilities. Refer to Section 2.1, "Breaking a Novell AppArmor Profile into Its Parts" (page 12) for more information about capabilities. When finished making your selections, click OK.

Include
  In the pop-up window, browse to the files to use as includes. Includes are directives that pull in components of other Novell AppArmor profiles to simplify profiles. For more information, refer to Section 2.2, "#include Statements" (page 21).

Hat
  In the pop-up window, specify the name of the subprofile (hat) to add to your current profile and click Create Hat. For more information, refer to Chapter 5, Profiling Your Web Applications Using ChangeHat (page 75).
3.3.2 Editing an Entry
When you select Edit Entry, the file browser pop-up window opens. From here, edit the selected entry. In the pop-up window, specify the absolute path of a file, including the type of access permitted. You can use globbing if necessary. When finished, click OK. For globbing information, refer to Section 2.1.2, "Paths and Globbing" (page 15). For file access permission information, refer to Section 2.1.3, "File Permission Access Modes" (page 17).
3.3.3 Deleting an Entry
To delete an entry in a given profile, select Delete Entry. AppArmor removes the selected profile entry.
3.4 Deleting a Profile
AppArmor enables you to delete an AppArmor profile manually. Simply select the application for which to delete a profile then delete it as follows:

1 Start YaST and select Novell AppArmor > Delete Profile.

2 Select the profile to delete.

3 Click Next.

4 In the pop-up that opens, click Yes to delete the profile and reload the AppArmor profile set.
3.5 Updating Profiles from Log Entries
The Novell AppArmor profile wizard uses aa-logprof, the tool that scans log files and enables you to update profiles. aa-logprof tracks messages from the Novell AppArmor module that represent exceptions for all profiles running on your system. These exceptions represent the behavior of the profiled application that is outside of the profile definition for the program. You can add the new behavior to the relevant profile by selecting the suggested profile entry.

TIP: Support for the External Profile Repository
Similar to the Add Profile Wizard, the Update Profile Wizard also supports profile exchange with the external repository server. For background information on the use of the external AppArmor profile repository, refer to Section 2.5, "Using the External AppArmor Profile Repository" (page 23). For details on how to configure access and access mode to the server, check the procedure described under Section 3.1, "Adding a Profile Using the Wizard" (page 29).

1 Start YaST and select Novell AppArmor > Update Profile Wizard. Running Update Profile Wizard (aa-logprof) parses the learning mode log files. This generates a series of questions that you must answer to guide aa-logprof to generate the security profile. The exact procedure is the same as with creating a new profile. Refer to Step 9 (page 31) in Section 3.1, "Adding a Profile Using the Wizard" (page 29) for details.

2 When you are done, click Finish. In the following pop-up, click Yes to exit the Add Profile Wizard. The profile is saved and loaded into the Novell AppArmor module.
3.6 Managing Novell AppArmor and Security Event Status
You can change the status of AppArmor by enabling or disabling it. Enabling AppArmor protects your system from potential program exploitation. Disabling AppArmor, even if your profiles have been set up, removes protection from your system. You can determine how and when you are notified when system security events occur.

NOTE
For event notification to work, you must set up a mail server on your system that can send outgoing mail using the simple mail transfer protocol (SMTP), such as postfix or exim.

To configure event notification or change the status of AppArmor, start YaST and select Novell AppArmor > Novell AppArmor Control Panel. From the AppArmor Configuration screen, determine whether Novell AppArmor and security event notification are running by looking for a status message that reads enabled or configure the mode of individual profiles.

To change the status of Novell AppArmor, continue as described in Section 3.6.1, "Changing Novell AppArmor Status" (page 46). To change the mode of individual profiles, continue as described in Section 3.6.2, "Changing the Mode of Individual Profiles" (page 47). To configure security event notification, continue as described in Section 6.2, "Configuring Security Event Notification" (page 88).
3.6.1 Changing Novell AppArmor Status
When you change the status of AppArmor, set it to enabled or disabled. When AppArmor is enabled, it is installed, running, and enforcing the AppArmor security policies.

1 Start YaST and select Novell AppArmor > AppArmor Control Panel.

2 Enable AppArmor by checking Enable AppArmor or disable AppArmor by deselecting it.

3 Click Done in the AppArmor Configuration window.

4 Click File > Quit in the YaST Control Center.
3.6.2 Changing the Mode of Individual Profiles
AppArmor can apply profiles in two different modes. In complain or learning mode, violations of AppArmor profile rules, such as the profiled program accessing files not permitted by the profile, are detected. The violations are permitted, but also logged. This mode is convenient for developing profiles and is used by the AppArmor tools for generating profiles.

Loading a profile in enforce mode enforces the policy defined in the profile and reports policy violation attempts to syslogd.

The Profile Modes dialog allows you to view and edit the mode of currently loaded AppArmor profiles. This feature is useful for determining the status of your system during profile development. During the course of systemic profiling (see Section 4.6.2, "Systemic Profiling" (page 54)), you can use this tool to adjust and monitor the scope of the profiles for which you are learning behavior.

To edit an application's profile mode, proceed as follows:

1 Start YaST and select Novell AppArmor > AppArmor Control Panel.

2 In the Configure Profile Modes section, select Configure.

3 Select the profile for which to change the mode.

4 Select Toggle Mode to set this profile to complain mode or to enforce mode.

5 Apply your settings and leave YaST with Done.

To change the mode of all profiles, use Set All to Enforce or Set All to Complain.

TIP: Listing the Profiles Available
By default, only active profiles are listed—any profile that has a matching application installed on your system. To set up a profile before installing the respective application, click Show All Profiles and select the profile to configure from the list that appears.
4 Building Profiles from the Command Line
Novell AppArmor provides the ability to use a command line interface rather than a graphical interface to manage and configure your system security. Track the status of Novell AppArmor and create, delete, or modify AppArmor profiles using the AppArmor command line tools.

TIP: Background Information
Before starting to manage your profiles using the AppArmor command line tools, check out the general introduction to AppArmor given in Chapter 1, Immunizing Programs (page 1) and Chapter 2, Profile Components and Syntax (page 11).
4.1 Checking the AppArmor Module Status
An AppArmor module can be in any one of three states:

Unloaded
  The AppArmor module is not loaded into the kernel.

Running
  The AppArmor module is loaded into the kernel and is enforcing AppArmor program policies.

Stopped
  The AppArmor module is loaded into the kernel, but no policies are enforced.

Detect the state of the AppArmor module by inspecting /sys/kernel/security/apparmor/profiles. If cat /sys/kernel/security/apparmor/profiles reports a list of profiles, AppArmor is running. If it is empty and returns nothing, AppArmor is stopped. If the file does not exist, AppArmor is unloaded.
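The following added shell example (not part of the guide) turns the three-state check above, the profile naming convention from Section 2.6 and the /proc/*/attr/current lookup into small functions. AA_PROFILES_FILE and the function names are assumptions made here; the optional path argument of the state check exists so it can be exercised against a constructed file on a machine without AppArmor.

```shell
#!/bin/sh
# Added example, not from the guide. AA_PROFILES_FILE and the function
# names are assumptions made for this example.

AA_PROFILES_FILE=/sys/kernel/security/apparmor/profiles

# Print one of: unloaded, stopped, running, following the rule in Section 4.1.
# An optional argument overrides the path so the function can be tested
# against a constructed file. The file is read with cat rather than checked
# with test -s because securityfs files may report a size of zero.
aa_module_state() {
    f=${1:-$AA_PROFILES_FILE}
    if [ ! -e "$f" ]; then
        echo unloaded            # file missing: module not loaded into the kernel
    elif [ -n "$(cat "$f" 2>/dev/null)" ]; then
        echo running             # lists profiles: loaded and enforcing
    else
        echo stopped             # exists but empty: loaded, no policies enforced
    fi
}

# Map a program path to its profile file name under /etc/apparmor.d:
# drop the root slash and replace every remaining / with a dot,
# so /usr/sbin/ntpd becomes usr.sbin.ntpd.
aa_profile_filename() {
    printf '%s\n' "${1#/}" | tr '/' '.'
}

# Show the confinement of a running process via /proc/PID/attr/current.
# On a kernel without AppArmor the file is absent and a message is printed instead.
aa_process_confinement() {
    f=/proc/$1/attr/current
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "no confinement information for PID $1"
    fi
}

# Stand-alone run: report the module state and this shell's own confinement.
echo "AppArmor module: $(aa_module_state)"
aa_process_confinement $$
```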
Manage AppArmor through the script rcapparmor, which can perform the following operations:

rcapparmor start
  Behavior depends on the AppArmor module state. If it is unloaded, start loads the module and starts it, putting it in the running state. If it is stopped, start causes the module to rescan the AppArmor profiles usually found in /etc/apparmor.d and puts the module in the running state. If the module is already running, start reports a warning and takes no action.

rcapparmor stop
  Stops the AppArmor module if it is running by removing all profiles from kernel memory, effectively disabling all access controls, and putting the module into the stopped state. If the AppArmor module is unloaded or already stopped, stop tries to unload the profiles again, but nothing happens.

rcapparmor restart
  Causes the AppArmor module to rescan the profiles in /etc/apparmor.d without unconfining running processes. Freshly created profiles are enforced and recently deleted ones are removed from the /etc/apparmor.d directory.

rcapparmor kill
  Unconditionally removes the AppArmor module from the kernel. This is unsafe, because unloading modules from the Linux kernel is unsafe. This command is provided only for debugging and emergencies when the module might need to be removed.

WARNING
AppArmor is a powerful access control system and it is possible to lock yourself out of your own machine to the point where you must boot the machine from a rescue medium (such as the first medium of openSUSE) to regain control. To prevent such a problem, always ensure that you have a running, unconfined, root login on the machine being configured when you restart the AppArmor module. If you damage your system to the point where logins are no longer possible (for example, by breaking the profile associated with the SSH daemon), you can repair the damage using your running root prompt then restart the AppArmor module.
4.2 Building AppArmor Profiles
The AppArmor module profile definitions are stored in the /etc/apparmor.d directory as plain text files. For a detailed description of the syntax of these files, refer to Chapter 2, Profile Components and Syntax (page 11).

All files in the /etc/apparmor.d directory are interpreted as profiles and are loaded as such. Renaming files in that directory is not an effective way of preventing profiles from being loaded. You must remove profiles from this directory to prevent them from being read and evaluated effectively.

You can use a text editor, such as vim, to access and make changes to these profiles. The following options contain detailed steps for building profiles:

Adding or Creating AppArmor Profiles
  Refer to Section 4.3, "Adding or Creating an AppArmor Profile" (page 52)

Editing AppArmor Profiles
  Refer to Section 4.4, "Editing an AppArmor Profile" (page 52)

Deleting AppArmor Profiles
  Refer to Section 4.5, "Deleting an AppArmor Profile" (page 52)
4.3 Adding or Creating an AppArmor Profile
To add or create an AppArmor profile for an application, you can use a systemic or stand-alone profiling method, depending on your needs. Learn more about these two approaches in Section 4.6, "Two Methods of Profiling" (page 53).
4.4 Editing an AppArmor Profile
The following steps describe the procedure for editing an AppArmor profile:

1 If you are not currently logged in as root, enter su in a terminal window.

2 Enter the root password when prompted.

3 Go to the profile directory with cd /etc/apparmor.d/.

4 Enter ls to view all profiles currently installed.

5 Open the profile to edit in a text editor, such as vim.

6 Make the necessary changes then save the profile.

7 Restart AppArmor by entering rcapparmor restart in a terminal window.
4.5 Deleting an AppArmor Profile
The following steps describe the procedure for deleting an AppArmor profile.

1 If you are not currently logged in as root, enter su in a terminal window.

2 Enter the root password when prompted.

3 Go to the AppArmor directory with cd /etc/apparmor.d/.

4 Enter ls to view all the AppArmor profiles that are currently installed.

5 Delete the profile with rm profilename.

6 Restart AppArmor by entering rcapparmor restart in a terminal window.
4.6 Two Methods of Profiling
Given the syntax for AppArmor profiles in Chapter 2, Profile Components and Syntax (page 11), you could create profiles without using the tools. However, the effort involved would be substantial. To avoid such a hassle, use the AppArmor tools to automate the creation and refinement of profiles.

There are two ways to approach AppArmor profile creation. Tools are available for both methods.

Stand-Alone Profiling
  A method suitable for profiling small applications that have a finite runtime, such as user client applications like mail clients. For more information, refer to Section 4.6.1, "Stand-Alone Profiling" (page 54).

Systemic Profiling
  A method suitable for profiling large numbers of programs all at once and for profiling applications that may run for days, weeks, or continuously across reboots, such as network server applications like Web servers and mail servers. For more information, refer to Section 4.6.2, "Systemic Profiling" (page 54).

Automated profile development becomes more manageable with the AppArmor tools:

1 Decide which profiling method suits your needs.

2 Perform a static analysis. Run either aa-genprof or aa-autodep, depending on the profiling method chosen.

3 Enable dynamic learning. Activate learning mode for all profiled programs.
4.6.1 Stand-Alone Profiling

Stand-alone profile generation and improvement is managed by a program called aa-genprof. This method is easy because aa-genprof takes care of everything, but is limited because it requires aa-genprof to run for the entire duration of the test run of your program (you cannot reboot the machine while you are still developing your profile). To use aa-genprof for the stand-alone method of profiling, refer to Section "aa-genprof — Generating Profiles" (page 59).
4.6.2 Systemic Profiling

This method is called systemic profiling because it updates all of the profiles on the system at once, rather than focusing on the one or few targeted by aa-genprof or stand-alone profiling. With systemic profiling, profile construction and improvement are somewhat less automated, but more flexible. This method is suitable for profiling long-running applications whose behavior continues after rebooting, or a large number of programs all at once.

Build an AppArmor profile for a group of applications as follows:

1 Create profiles for the individual programs that make up your application. Although this approach is systemic, AppArmor only monitors those programs with profiles and their children. To get AppArmor to consider a program, you must at least have aa-autodep create an approximate profile for it. To create this approximate profile, refer to Section "aa-autodep — Creating Approximate Profiles" (page 56).

2 Put relevant profiles into learning or complain mode. Activate learning or complain mode for all profiled programs by entering aa-complain /etc/apparmor.d/* in a terminal window while logged in as root. This functionality is also available through the YaST Profile Mode module, described in Section 3.6.2, "Changing the Mode of Individual Profiles" (page 47). When in learning mode, access requests are not blocked even if the profile dictates that they should be. This enables you to run through several tests (as shown in Step 3 (page 55)) and learn the access needs of the program so it runs properly. With this information, you can decide how secure to make the profile. Refer to Section "aa-complain — Entering Complain or Learning Mode" (page 57) for more detailed instructions for using learning or complain mode.

3 Exercise your application. Run your application and exercise its functionality. How much to exercise the program is up to you, but you need the program to access each file representing its access needs. Because the execution is not being supervised by aa-genprof, this step can go on for days or weeks and can span complete system reboots.

4 Analyze the log. In systemic profiling, run aa-logprof directly instead of letting aa-genprof run it (as in stand-alone profiling). The general form of aa-logprof is:

  aa-logprof [-d /path/to/profiles] [-f /path/to/logfile]

Refer to Section "aa-logprof — Scanning the System Log" (page 67) for more information about using aa-logprof.

5 Repeat Step 3 (page 55) and Step 4 (page 55). This generates optimum profiles. An iterative approach captures smaller data sets that can be trained and reloaded into the policy engine. Subsequent iterations generate fewer messages and run faster.

6 Edit the profiles. You might want to review the profiles that have been generated. You can open and edit the profiles in /etc/apparmor.d/ using vim.

7 Return to enforce mode. This is when the system goes back to enforcing the rules of the profiles, not just logging information. This can be done manually by removing the flags=(complain) text from the profiles or automatically by using the aa-enforce command, which works identically to the aa-complain command, except it sets the profiles to enforce mode. This functionality is also available through the YaST Profile Mode module, described in Section 3.6.2, "Changing the Mode of Individual Profiles" (page 47). To ensure that all profiles are taken out of complain mode and put into enforce mode, enter aa-enforce /etc/apparmor.d/*.

8 Rescan all profiles. To have AppArmor rescan all of the profiles and change the enforcement mode in the kernel, enter rcapparmor restart.
4.6.3 Summary of Profiling Tools

All of the AppArmor profiling utilities are provided by the apparmor-utils RPM package and are stored in /usr/sbin. Each tool has a different purpose.

aa-autodep — Creating Approximate Profiles

This creates an approximate profile for the program or application selected. You can generate approximate profiles for binary executables and interpreted script programs. The resulting profile is called "approximate" because it does not necessarily contain all of the profile entries that the program needs to be properly confined by AppArmor. The minimum aa-autodep approximate profile has at least a base include directive, which contains basic profile entries needed by most programs. For certain types of programs, aa-autodep generates a more expanded profile. The profile is generated by recursively calling ldd(1) on the executables listed on the command line.

To generate an approximate profile, use the aa-autodep program. The program argument can be either the simple name of the program, which aa-autodep finds by searching your shell's path variable, or it can be a fully qualified path. The program itself can be of any type (ELF binary, shell script, Perl script, etc.). aa-autodep generates an approximate profile to improve through the dynamic profiling that follows.

The resulting approximate profile is written to the /etc/apparmor.d directory using the AppArmor profile naming convention of naming the profile after the absolute path of the program, replacing the forward slash (/) characters in the path with period (.) characters. The general form of aa-autodep is to enter the following in a terminal window when logged in as root:

  aa-autodep [-d /path/to/profiles] [program1 program2 ...]

If you do not enter the program name or names, you are prompted for them. /path/to/profiles overrides the default location of /etc/apparmor.d, should you keep profiles in a location other than the default.

To begin profiling, you must create profiles for each main executable service that is part of your application (anything that might start without being a child of another program that already has a profile). Finding all such programs depends on the application in question. Here are several strategies for finding such programs:

Directories
  If all the programs to profile are in one directory and there are no other programs in that directory, the simple command aa-autodep /path/to/your/programs/* creates basic profiles for all programs in that directory.

ps command
  You can run your application and use the standard Linux ps command to find all processes running. Then manually hunt down the location of these programs and run aa-autodep for each one. If the programs are in your path, aa-autodep finds them for you. If they are not in your path, the standard Linux command find might be helpful in finding your programs. Execute find / -name 'my_application' -print to determine an application's path (my_application being an example application). You may use wildcards if appropriate.
aa-complain — Entering Complain or Learning Mode

The complain or learning mode tool (aa-complain) detects violations of AppArmor profile rules, such as the profiled program accessing files not permitted by the profile. The violations are permitted, but also logged. To improve the profile, turn complain mode on, run the program through a suite of tests to generate log events that characterize the program's access needs, then postprocess the log with the AppArmor tools to transform log events into improved profiles.

Manually activating complain mode (using the command line) adds a flag to the top of the profile so that /bin/foo becomes /bin/foo flags=(complain). To use complain mode, open a terminal window and enter one of the following lines as root:

If the example program (program1) is in your path, use:

  aa-complain [program1 program2 ...]

If the program is not in your path, specify the entire path as follows:

  aa-complain /sbin/program1

If the profiles are not in /etc/apparmor.d, use the following to override the default location:

  aa-complain /path/to/profiles/program1

Specify the profile for program1 as follows:

  aa-complain /etc/apparmor.d/sbin.program1

Each of the above commands activates the complain mode for the profiles or programs listed. If the program name does not include its entire path, aa-complain searches $PATH for the program. For instance, aa-complain /usr/sbin/* finds profiles associated with all of the programs in /usr/sbin and puts them into complain mode. aa-complain /etc/apparmor.d/* puts all of the profiles in /etc/apparmor.d into complain mode.

TIP: Toggling Profile Mode with YaST
YaST offers a graphical front-end for toggling complain and enforce mode. See Section 3.6.2, "Changing the Mode of Individual Profiles" (page 47) for information.
aa-enforce — Entering Enforce Mode

The enforce mode detects violations of AppArmor profile rules, such as the profiled program accessing files not permitted by the profile. The violations are logged and not permitted. The default is for enforce mode to be enabled. To log the violations only, but still permit them, use complain mode. Enforce toggles with complain mode.

Manually activating enforce mode (using the command line) adds a flag to the top of the profile so that /bin/foo becomes /bin/foo flags=(enforce). To use enforce mode, open a terminal window and enter one of the following lines as root.

If the example program (program1) is in your path, use:

  aa-enforce [program1 program2 ...]

If the program is not in your path, specify the entire path, as follows:

  aa-enforce /sbin/program1

If the profiles are not in /etc/apparmor.d, use the following to override the default location:

  aa-enforce /path/to/profiles/program1

Specify the profile for program1 as follows:

  aa-enforce /etc/apparmor.d/sbin.program1

Each of the above commands activates the enforce mode for the profiles and programs listed. If you do not enter the program or profile names, you are prompted to enter one. /path/to/profiles overrides the default location of /etc/apparmor.d. The argument can be either a list of programs or a list of profiles. If the program name does not include its entire path, aa-enforce searches $PATH for the program.

TIP: Toggling Profile Mode with YaST
YaST offers a graphical front-end for toggling complain and enforce mode. See Section 3.6.2, "Changing the Mode of Individual Profiles" (page 47) for information.
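The two conventions described above, the profile file name derived from a program path (/sbin/program1 becomes sbin.program1) and the flags=(complain) marker that aa-complain writes on the profile header, are illustrated by the following added Python helper; it is example code, not part of the guide or of apparmor-utils. It assumes a profile header of the form "/path {" or "/path flags=(...) {", and its return to enforce mode removes the complain flag, the manual method described in step 7 of the systemic procedure, instead of writing flags=(enforce).

```python
"""Added example, not from the AppArmor guide or the apparmor-utils package:
map a program path to its profile file name and toggle complain mode on a
profile header the way the guide describes (/bin/foo becomes
/bin/foo flags=(complain)). Assumes headers look like "/path {" or
"/path flags=(...) {"; hats (parent^hat) in the same file are handled alike."""
import re

PROFILE_DIR = "/etc/apparmor.d"  # default profile location (-d overrides it)

# Profile header: absolute path, optional flags=(...), opening brace.
_HEADER = re.compile(r"^(?P<path>/\S+)(?:\s+flags=\((?P<flags>[^)]*)\))?\s*\{\s*$")


def profile_filename(program_path: str) -> str:
    """Profile naming convention: the profile is named after the absolute
    path of the program with every '/' replaced by '.', so
    /usr/sbin/httpd2-prefork is stored as usr.sbin.httpd2-prefork."""
    if not program_path.startswith("/"):
        raise ValueError("profile names are derived from absolute paths")
    return program_path.lstrip("/").replace("/", ".")


def _split_flags(flag_text):
    return [f.strip() for f in (flag_text or "").split(",") if f.strip()]


def profile_mode(profile_text: str) -> str:
    """Report "complain" or "enforce" for the first profile header found."""
    for line in profile_text.splitlines():
        m = _HEADER.match(line)
        if m:
            return "complain" if "complain" in _split_flags(m.group("flags")) else "enforce"
    raise ValueError("no profile header found")


def set_mode(profile_text: str, mode: str) -> str:
    """Rewrite every profile header so the profile is in the requested mode.

    "complain" adds the complain flag (what aa-complain does); "enforce"
    removes it, which is the manual way back to enforce mode the guide
    describes. Other flags on the header are preserved."""
    if mode not in ("complain", "enforce"):
        raise ValueError(f"unknown mode {mode!r}")
    out = []
    for line in profile_text.splitlines():
        m = _HEADER.match(line)
        if m:
            flags = [f for f in _split_flags(m.group("flags")) if f != "complain"]
            if mode == "complain":
                flags.append("complain")
            path = m.group("path")
            line = f"{path} flags=({','.join(flags)}) {{" if flags else f"{path} {{"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample profile (not one shipped with AppArmor).
SAMPLE_PROFILE = """\
#include <tunables/global>
/bin/foo {
  #include <abstractions/base>
  /etc/hosts.allow r,
}
"""

if __name__ == "__main__":
    print(profile_filename("/usr/sbin/httpd2-prefork"))
    print(set_mode(SAMPLE_PROFILE, "complain"))
```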
aa-genprof — Generating Profiles

aa-genprof is AppArmor's profile generating utility. It runs aa-autodep on the specified program, creating an approximate profile (if a profile does not already exist for it), sets it to complain mode, reloads it into AppArmor, marks the log, and prompts the user to execute the program and exercise its functionality. Its syntax is as follows:

  aa-genprof [-d /path/to/profiles] program

To create a profile for the Apache Web server program httpd2-prefork, do the following as root:

1 Enter rcapache2 stop.

2 Next, enter aa-genprof httpd2-prefork. Now aa-genprof does the following:

  1. Resolves the full path of httpd2-prefork using your shell's path variables. You can also specify a full path. On openSUSE, the default full path is /usr/sbin/httpd2-prefork.

  2. Checks to see if there is an existing profile for httpd2-prefork. If there is one, it updates it. If not, it creates one using aa-autodep as described in Section 4.6.3, "Summary of Profiling Tools" (page 56).

  3. Puts the profile for this program into learning or complain mode so that profile violations are logged but are permitted to proceed. A log event looks like this (see /var/log/audit/audit.log):

     type=APPARMOR_ALLOWED msg=audit(1189682639.184:20816): operation="file_mmap" requested_mask="r" denied_mask="r" name="/srv/www/htdocs/index.html" pid=27471 profile="null-complain-profile"

     If you are not running the audit daemon, the AppArmor events are logged to /var/log/messages:

     Sep 13 13:20:30 K23 kernel: audit(1189682430.672:20810): operation="file_mmap" requested_mask="r" denied_mask="r" name="/srv/www/htdocs/phpsysinfo/templates/bulix/form.tpl" pid=30405 profile="/usr/sbin/httpd2-prefork///phpsysinfo/"

     They also can be viewed using the dmesg command:

     audit(1189682430.672:20810): operation="file_mmap" requested_mask="r" denied_mask="r" name="/srv/www/htdocs/phpsysinfo/templates/bulix/form.tpl" pid=30405 profile="/usr/sbin/httpd2-prefork///phpsysinfo/"

  4. Marks the log with a beginning marker of log events to consider. For example:

     Sep 13 17:48:52 figwit root: GenProf: e2ff78636296f16d0b5301209a04430d

3 When prompted by the tool, run the application to profile in another terminal window and perform as many of the application functions as possible. Thus, the learning mode can log the files and directories to which the program requires access in order to function properly. For example, in a new terminal window, enter rcapache2 start.
4 Select from the following options that are available in the aa-logprof terminal window after you have executed the program function:

  S  Runs aa-logprof on the system log from where it was marked when aa-genprof was started and reloads the profile. If system events exist in the log, AppArmor parses the learning mode log files. This generates a series of questions that you must answer to guide aa-genprof in generating the security profile.

  F  Exits the tool and returns to the main menu.

  NOTE
  If requests to add hats appear, proceed to Chapter 5, Profiling Your Web Applications Using ChangeHat (page 75).

5 Answer two types of questions:

  - A resource is requested by a profiled program that is not in the profile (see Example 4.1, "Learning Mode Exception: Controlling Access to Specific Resources" (page 62)).

  - A program is executed by the profiled program and the security domain transition has not been defined (see Example 4.2, "Learning Mode Exception: Defining Execute Permissions for an Entry" (page 63)).

  Each of these categories results in a series of questions that you must answer to add the resource or program to the profile. Example 4.1, "Learning Mode Exception: Controlling Access to Specific Resources" (page 62) and Example 4.2, "Learning Mode Exception: Defining Execute Permissions for an Entry" (page 63) provide examples of each one. Subsequent steps describe your options in answering these questions.

  Dealing with execute accesses is complex. You must decide how to proceed with this entry regarding which execute permission type to grant to this entry:
Example 4.1 Learning Mode Exception: Controlling Access to Specific Resources

  Reading log entries from /var/log/audit/audit.log.
  Updating AppArmor profiles in /etc/apparmor.d.
  Profile: /usr/sbin/xinetd
  Program: xinetd
  Execute: /usr/lib/cups/daemon/cups-lpd
  Severity: unknown
  [(I)nherit] / (P)rofile / (U)nconfined / (D)eny / Abo(r)t / (F)inish

Inherit (ix)
  The child inherits the parent's profile, running with the same access controls as the parent. This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target's profile or losing the permissions of the current profile. This mode is often used when the child program is a helper application, such as the /usr/bin/mail client using less as a pager or the Mozilla* Web browser using Adobe Acrobat* to display PDF files.

Profile (px)
  The child runs using its own profile, which must be loaded into the kernel. If the profile is not present, attempts to execute the child fail with permission denied. This is most useful if the parent program is invoking a global service, such as DNS lookups or sending mail with your system's MTA. Choose the profile with clean exec (Px) option to scrub the environment of environment variables that could modify execution behavior when passed to the child process.

Unconfined (ux)
  The child runs completely unconfined without any AppArmor profile applied to the executed resource. Choose the unconfined with clean exec (Ux) option to scrub the environment of environment variables that could modify execution behavior when passed to the child process. This option introduces a security vulnerability that could be used to exploit AppArmor. Only use it as a last resort.

mmap (m)
  This permission denotes that the program running under the profile can access the resource using the mmap system call with the flag PROT_EXEC. This means that the data mapped in it can be executed. You are prompted to include this permission if it is requested during a profiling run.

Deny
  Prevents the program from accessing the specified directory path entries. AppArmor then continues to the next event.

Abort
  Aborts aa-logprof, losing all rule changes entered so far and leaving all profiles unmodified.

Finish
  Closes aa-logprof, saving all rule changes entered so far and modifying all profiles.
Example 4.2, "Learning Mode Exception: Defining Execute Permissions for an Entry" (page 63) shows AppArmor suggesting directory path entries that have been accessed by the application being profiled. It might also require you to define execute permissions for entries.

Example 4.2 Learning Mode Exception: Defining Execute Permissions for an Entry

  Adding /bin/ps ix to profile.
  Profile: /usr/sbin/xinetd
  Path: /etc/hosts.allow
  New Mode: r
  [1 - /etc/hosts.allow]
  [(A)llow] / (D)eny / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish

AppArmor provides one or more paths or includes. By entering the option number, select the desired options then proceed to the next step.

NOTE
All of these options are not always presented in the AppArmor menu.

#include
  This is the section of an AppArmor profile that refers to an include file, which procures access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs. Using includes can reduce the size of a profile. It is good practice to select includes when suggested.

Globbed Version
  This is accessed by selecting Glob as described in the next step. For information about globbing syntax, refer to Section 2.1.2, "Paths and Globbing" (page 15).

Actual Path
  This is the literal path to which the program needs access so that it can run properly.

After you select the path or include, process it as an entry into the AppArmor profile by selecting Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob it.

The following options are available to process the learning mode entries and build the profile:

Select Enter
  Allows access to the selected directory path.

Allow
  Allows access to the specified directory path entries. AppArmor suggests file permission access. For more information, refer to Section 2.1.3, "File Permission Access Modes" (page 17).

Deny
  Prevents the program from accessing the specified directory path entries. AppArmor then continues to the next event.

New
  Prompts you to enter your own rule for this event, allowing you to specify a regular expression. If the expression does not actually satisfy the event that prompted the question in the first place, AppArmor asks for confirmation and lets you reenter the expression.

Glob
  Select a specific path or create a general rule using wildcards that match a broader set of paths. To select any of the offered paths, enter the number that is printed in front of the path then decide how to proceed with the selected item. For more information about globbing syntax, refer to Section 2.1.2, "Paths and Globbing" (page 15).

Glob w/Ext
  This modifies the original directory path while retaining the filename extension. For example, /etc/apache2/file.ext becomes /etc/apache2/*.ext, adding the wildcard (asterisk) in place of the filename. This allows the program to access all files in the suggested directory that end with the .ext extension.

Abort
  Aborts aa-logprof, losing all rule changes entered so far and leaving all profiles unmodified.

Finish
  Closes aa-logprof, saving all rule changes entered so far and modifying all profiles.
6 To view and edit your profile using vim, enter vim /etc/apparmor.d/profilename in a terminal window.

7 Restart AppArmor and reload the profile set, including the newly created one, using the rcapparmor restart command.
Like the graphical front-end for building AppArmor profiles, the YaST Add Profile Wizard, aa-genprof also supports the use of the local profile repository under /etc/apparmor/profiles/extras and the remote AppArmor profile repository.

To use a profile from the local repository, proceed as follows:

1 Start aa-genprof as described above. If aa-genprof finds an inactive local profile, the following lines appear on your terminal window:

  Profile: /usr/bin/opera
  [1 - Inactive local profile for /usr/bin/opera]
  [(V)iew Profile] / (U)se Profile / (C)reate New Profile / Abo(r)t / (F)inish

2 If you want to just use this profile, hit U (Use Profile) and follow the profile generation procedure outlined above. If you want to examine the profile before activating it, hit V (View Profile). If you want to ignore the existing profile, hit C (Create New Profile) and follow the profile generation procedure outlined above to create the profile from scratch.

3 Leave aa-genprof by hitting F (Finish) when you are done and save your changes.

To use the remote AppArmor profile repository with aa-genprof, proceed as follows:

1 Start aa-genprof as described above. If aa-genprof detects a suitable profile on the repository server, the following lines appear on your terminal window:

  Repository: http://apparmor.opensuse.org/backend/api
  Would you like to enable access to the profile repository?
  (E)nable Repository / (D)isable Repository / Ask Me (L)ater

2 Hit E (Enable Repository) to enable the repository.

3 Determine whether you want aa-genprof to upload any profiles to the repository server:

  Would you like to upload newly created and changed profiles to the profile repository?
  (Y)es / (N)o / Ask Me (L)ater

  Hit Y (Yes) if you want to enable profile upload, or select N (No) if you want aa-genprof to just pull profiles from the repository but not upload any.

4 Create a new user on the profile repository server to be able to upload profiles. Provide username and password.

5 Determine whether you want to use the profile downloaded from the server or whether you would just like to review it:

  Profile: /usr/bin/opera
  [1 - novell]
  [(V)iew Profile] / (U)se Profile / (C)reate New Profile / Abo(r)t / (F)inish

  If you want to just use this profile, hit U (Use Profile) and follow the profile generation procedure outlined above. If you want to examine the profile before activating it, hit V (View Profile). If you want to ignore the existing profile, hit C (Create New Profile) and follow the profile generation procedure outlined above to create the profile from scratch.

6 Leave aa-genprof by hitting F (Finish) when you are done and save the profile. If you opted for uploading your profile, provide a short changelog and push it to the repository.
aa-logprof — Scanning the System Log

aa-logprof is an interactive tool used to review the learning or complain mode output found in the log entries in /var/log/audit/audit.log or /var/log/messages (if auditd is not running) and generate new entries in AppArmor security profiles.

When you run aa-logprof, it begins to scan the log files produced in learning or complain mode and, if there are new security events that are not covered by the existing profile set, it gives suggestions for modifying the profile. The learning or complain mode traces program behavior and enters it in the log. aa-logprof uses this information to observe program behavior.

If a confined program forks and executes another program, aa-logprof sees this and asks the user which execution mode should be used when launching the child process. The execution modes ix, px, Px, ux, and Ux are options for starting the child process. If a separate profile exists for the child process, the default selection is px. If one does not exist, the profile defaults to ix. Child processes with separate profiles have aa-autodep run on them and are loaded into AppArmor, if it is running.

When aa-logprof exits, profiles are updated with the changes. If the AppArmor module is running, the updated profiles are reloaded and, if any processes that generated security events are still running in the null-complain-profile, those processes are set to run under their proper profiles.

TIP: Support for the External Profile Repository
Similar to aa-genprof, aa-logprof also supports profile exchange with the external repository server. For background information on the use of the external AppArmor profile repository, refer to Section 2.5, "Using the External AppArmor Profile Repository" (page 23). For details on how to configure access and access mode to the server, check the procedure described under Section "aa-genprof — Generating Profiles" (page 59).

To run aa-logprof, enter aa-logprof into a terminal window while logged in as root. The following options can be used for aa-logprof:

aa-logprof -d /path/to/profile/directory/
  Specifies the full path to the location of the profiles if the profiles are not located in the standard directory, /etc/apparmor.d/.

aa-logprof -f /path/to/logfile/
  Specifies the full path to the location of the log file if the log file is not located in the default directory, /var/log/audit/audit.log or /var/log/messages (if auditd is not running).

aa-logprof -m "string marker in logfile"
  Marks the starting point for aa-logprof to look in the system log. aa-logprof ignores all events in the system log before the specified mark. If the mark contains spaces, it must be surrounded by quotes to work correctly. For example:

    aa-logprof -m "17:04:21"

  or

    logprof -m e2ff78636296f16d0b5301209a04430d

aa-logprof scans the log, asking you how to handle each logged event. Each question presents a numbered list of AppArmor rules that can be added by pressing the number of the item on the list. By default, aa-logprof looks for profiles in /etc/apparmor.d/ and scans the log in /var/log/messages. In many cases, running aa-logprof as root is enough to create the profile. However, there might be times when you need to search archived log files, such as if the program exercise period exceeds the log rotation window (when the log file is archived and a new log file is started). If this is the case, you can enter zcat -f `ls -1tr /var/log/messages*` | aa-logprof -f -.
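To make the learning-mode events shown under aa-genprof and the -m marker described above concrete, here is an added Python reader; it is example code, not the guide's and not aa-logprof itself. It parses events in the audit.log and the syslog/dmesg form, ignores everything before a marker line as aa-logprof -m does, merges the requested masks per path into candidate file rules for each profile, and can apply the Glob w/Ext transformation from the options list; the sample log is constructed, and the mapping of a logged hat parent///hat/ to the subprofile name parent^hat is an assumption drawn from the sample event.

```python
"""Added example, not from the AppArmor guide and not the aa-logprof code:
read learning-mode events (audit.log and syslog/dmesg form), skip everything
before a marker the way aa-logprof -m does, and turn the events into
candidate file rules per profile."""
import re
from collections import defaultdict

# Constructed sample log modelled on the events quoted in the guide.
SAMPLE_LOG = """\
Sep 13 13:20:30 K23 kernel: audit(1189682430.672:20810): operation="file_mmap" requested_mask="r" denied_mask="r" name="/srv/www/htdocs/old.html" pid=30405 profile="/usr/sbin/httpd2-prefork"
Sep 13 17:48:52 figwit root: GenProf: e2ff78636296f16d0b5301209a04430d
type=APPARMOR_ALLOWED msg=audit(1189682639.184:20816): operation="file_mmap" requested_mask="r" denied_mask="r" name="/srv/www/htdocs/index.html" pid=27471 profile="/usr/sbin/httpd2-prefork"
type=APPARMOR_ALLOWED msg=audit(1189682639.201:20817): operation="file_mmap" requested_mask="r" denied_mask="r" name="/srv/www/htdocs/phpsysinfo/templates/bulix/form.tpl" pid=27471 profile="/usr/sbin/httpd2-prefork///phpsysinfo/"
type=APPARMOR_ALLOWED msg=audit(1189682639.230:20818): operation="file_mmap" requested_mask="r" denied_mask="r" name="/srv/www/htdocs/phpsysinfo/templates/bulix/main.tpl" pid=27471 profile="/usr/sbin/httpd2-prefork///phpsysinfo/"
type=APPARMOR_ALLOWED msg=audit(1189682639.250:20819): operation="file_perm" requested_mask="w" denied_mask="w" name="/var/log/apache2/access_log" pid=27471 profile="/usr/sbin/httpd2-prefork"
"""

MARKER = "e2ff78636296f16d0b5301209a04430d"  # the GenProf marker from the sample

# The part of an event after the audit(...) stamp; present in all three forms.
_AUDIT = re.compile(r"audit\(\d+\.\d+:\d+\):\s*(.*)$")
# key="quoted value" or key=bare
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def hat_to_subprofile(profile):
    """Events log a hat as parent///hat/ (see the guide's sample event);
    in the profile file a subprofile is named parent^hat. Assumed mapping."""
    if "///" in profile:
        parent, _, hat = profile.partition("///")
        return f"{parent}^{hat.strip('/')}"
    return profile


def parse_event(line):
    """Return {profile, name, mask, pid} for an AppArmor file event, or None
    for any other line (marker lines, unrelated syslog messages)."""
    m = _AUDIT.search(line)
    if not m:
        return None
    fields = {k: bare if bare else quoted for k, quoted, bare in _KV.findall(m.group(1))}
    if "profile" not in fields or "name" not in fields:
        return None
    return {
        "profile": hat_to_subprofile(fields["profile"]),
        "name": fields["name"],
        "mask": fields.get("requested_mask") or fields.get("denied_mask", ""),
        "pid": int(fields.get("pid", 0)),
    }


def events_after_marker(log_text, marker=None):
    """Yield events, ignoring everything up to and including the line that
    contains marker (the behaviour of aa-logprof -m). marker=None reads all."""
    started = marker is None
    for line in log_text.splitlines():
        if not started:
            started = marker in line
            continue
        event = parse_event(line)
        if event:
            yield event


def glob_with_ext(path):
    """The Glob w/Ext transformation: /etc/apache2/file.ext -> /etc/apache2/*.ext.
    Paths without an extension are returned unchanged."""
    directory, _, filename = path.rpartition("/")
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem:
        return path
    return f"{directory}/*.{ext}"


def suggest_rules(events, glob_ext=False):
    """Merge the requested masks of every path per profile into candidate
    rule lines ("/path rw,"), optionally generalized with Glob w/Ext."""
    masks = defaultdict(lambda: defaultdict(set))
    for event in events:
        path = glob_with_ext(event["name"]) if glob_ext else event["name"]
        masks[event["profile"]][path].update(event["mask"])
    return {
        profile: sorted(f"{path} {''.join(sorted(m))}," for path, m in paths.items())
        for profile, paths in masks.items()
    }


if __name__ == "__main__":
    suggested = suggest_rules(events_after_marker(SAMPLE_LOG, MARKER), glob_ext=True)
    for profile, rules in suggested.items():
        print(profile)
        for rule in rules:
            print("  " + rule)
```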
aa-logprof Example 1

The following is an example of how aa-logprof addresses httpd2-prefork accessing the file /etc/group. [] indicates the default option.

In this example, the access to /etc/group is part of httpd2-prefork accessing name services. The appropriate response is 1, which includes a predefined set of AppArmor rules. Selecting 1 to #include the name service package resolves all of the future questions pertaining to DNS lookups and also makes the profile less brittle in that any changes to DNS configuration and the associated name service profile package can be made just once, rather than needing to revise many profiles.

  Profile: /usr/sbin/httpd2-prefork
  Path: /etc/group
  New Mode: r
  [1 - #include]
  2 - /etc/group
  [(A)llow] / (D)eny / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish

Select one of the following responses:

Select Enter
  Triggers the default action, which is, in this example, allowing access to the specified directory path entry.

Allow
  Allows access to the specified directory path entries. AppArmor suggests file permission access. For more information about this, refer to Section 2.1.3, "File Permission Access Modes" (page 17).

Deny
  Prevents the program from accessing the specified directory path entries. AppArmor then continues to the next event.

New
  Prompts you to enter your own rule for this event, allowing you to specify whatever form of regular expression you want. If the expression entered does not actually satisfy the event that prompted the question in the first place, AppArmor asks for confirmation and lets you reenter the expression.

Glob
  Select either a specific path or create a general rule using wildcards that matches on a broader set of paths. To select any of the offered paths, enter the number that is printed in front of the paths then decide how to proceed with the selected item. For more information about globbing syntax, refer to Section 2.1.2, "Paths and Globbing" (page 15).

Glob w/Ext
  This modifies the original directory path while retaining the filename extension. For example, /etc/apache2/file.ext becomes /etc/apache2/*.ext, adding the wildcard (asterisk) in place of the filename. This allows the program to access all files in the suggested directory that end with the .ext extension.

Abort
  Aborts aa-logprof, losing all rule changes entered so far and leaving all profiles unmodified.

Finish
  Closes aa-logprof, saving all rule changes entered so far and modifying all profiles.
aa-logprof Example 2

For example, when profiling vsftpd, see this question:

  Profile: /usr/sbin/vsftpd
  Path: /y2k.jpg
  New Mode: r
  [1 - /y2k.jpg]
  (A)llow / [(D)eny] / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish

Several items of interest appear in this question. First, note that vsftpd is asking for a path entry at the top of the tree, even though vsftpd on openSUSE serves FTP files from /srv/ftp by default. This is because httpd2-prefork uses chroot and, for the portion of the code inside the chroot jail, AppArmor sees file accesses in terms of the chroot environment rather than the global absolute path.

The second item of interest is that you might want to grant FTP read access to all JPEG files in the directory, so you could use Glob w/Ext and use the suggested path of /*.jpg. Doing so collapses all previous rules granting access to individual .jpg files and forestalls any future questions pertaining to access to .jpg files.

Finally, you might want to grant more general access to FTP files. If you select Glob in the last entry, aa-logprof replaces the suggested path of /y2k.jpg with /*. Alternatively, you might want to grant even more access to the entire directory tree, in which case you could use the New path option and enter /**.jpg (which would grant access to all .jpg files in the entire directory tree) or /** (which would grant access to all files in the directory tree).

These items deal with read accesses. Write accesses are similar, except that it is good policy to be more conservative in your use of regular expressions for write accesses. Dealing with execute accesses is more complex. Find an example in Example 4.1, "Learning Mode Exception: Controlling Access to Specific Resources" (page 62).

In the following example, the /usr/bin/mail mail client is being profiled and aa-logprof has discovered that /usr/bin/mail executes /usr/bin/less as a helper application to "page" long mail messages. Consequently, it presents this prompt:

  /usr/bin/nail -> /usr/bin/less
  (I)nherit / (P)rofile / (U)nconfined / (D)eny

TIP
The actual executable file for /usr/bin/mail turns out to be /usr/bin/nail, which is not a typographical error.

The program /usr/bin/less appears to be a simple one for scrolling through text that is more than one screen long, and that is in fact what /usr/bin/mail is using it for. However, less is actually a large and powerful program that makes use of many other helper applications, such as tar and rpm.

TIP
Run less on a tar file or an RPM file and it shows you the inventory of these containers.

You do not want to run rpm automatically when reading mail messages (that leads directly to a Microsoft* Outlook–style virus attack, because rpm has the power to install and modify system programs), so, in this case, the best choice is to use Inherit. This results in the less program executed from this context running under the profile for /usr/bin/mail. This has two consequences:

- You need to add all of the basic file accesses for /usr/bin/less to the profile for /usr/bin/mail.

- You can avoid adding the helper applications, such as tar and rpm, to the /usr/bin/mail profile so that when /usr/bin/mail runs /usr/bin/less in this context, the less program is far less dangerous than it would be without AppArmor protection.

In other circumstances, you might instead want to use the Profile option. This has two effects on aa-logprof:

- The rule written into the profile uses px, which forces the transition to the child's own profile.

- aa-logprof constructs a profile for the child and starts building it, in the same way that it built the parent profile, by assigning events for the child process to the child's profile and asking the aa-logprof user questions.
If a confined program forks and executes another program, aa-logprof sees this and asks the user which execution mode should be used when launching the child process. The execution modes of inherit, profile, unconfined, or an option to deny the execution are presented.

If a separate profile exists for the child process, the default selection is profile. If a profile does not exist, the default is inherit. The inherit option, or ix, is described in Section 2.1.3, "File Permission Access Modes" (page 17).

The profile option indicates that the child program should run in its own profile. A secondary question asks whether to sanitize the environment that the child program inherits from the parent. If you choose to sanitize the environment, this places the execution modifier Px in your AppArmor profile. If you select not to sanitize, px is placed in the profile and no environment sanitizing occurs. The default for the execution mode is px if you select profile execution mode.

The unconfined execution mode is not recommended and should only be used in cases where there is no other option to generate a profile for a program reliably. Selecting unconfined opens a warning dialog asking for confirmation of the choice. If you are sure and choose Yes, a second dialog asks whether to sanitize the environment. Choosing Yes uses the execution mode Ux in your profile. Choosing No uses the execution mode ux for your profile. The default value selected is Ux for unconfined execution mode.

IMPORTANT: Running Unconfined
Choosing ux is very dangerous and provides no enforcement of policy from a security perspective of the resulting execution behavior of the child program.
aa-unconfined — Identifying Unprotected Processes

The aa-unconfined command examines open network ports on your system, compares that to the set of profiles loaded on your system, and reports network services that do not have AppArmor profiles. It requires root privileges and that it not be confined by an AppArmor profile.

aa-unconfined must be run as root to retrieve the process executable link from the /proc file system. This program is susceptible to the following race conditions:

- An unlinked executable is mishandled
- A process that dies between netstat(8) and further checks is mishandled

NOTE
This program lists processes using TCP and UDP only. In short, this program is unsuitable for forensics use and is provided only as an aid to profiling all network-accessible processes in the lab.
74 Novell AppArmor Administration Guide

5 Profiling Your Web Applications Using ChangeHat

A Novell AppArmor profile represents the security policy for an individual program instance or process. It applies to an executable program, but if a portion of the program needs different access permissions than other portions, the program can "change hats" to use a different security context, distinctive from the access of the main program. This is known as a hat or subprofile.

ChangeHat enables programs to change to or from a hat within a Novell AppArmor profile. It enables you to define security at a finer level than the process. This feature requires that each application be made "ChangeHat aware", meaning that it is modified to make a request to the Novell AppArmor module to switch security domains at arbitrary times during the application execution. Two examples for ChangeHat-aware applications are the Apache Web server and Tomcat.

A profile can have an arbitrary number of subprofiles, but there are only two levels: a subprofile cannot have further sub-subprofiles. A subprofile is written as a separate profile and named as the containing profile followed by the subprofile name, separated by a ^. Subprofiles must be stored in the same file as the parent profile.

Note that the security of hats is considerably weaker than that of full profiles. That is to say, if an attacker can find just the right kind of bug in a program, they may be able to escape from a hat into the containing profile. This is because the security of hats is determined by a secret key handled by the containing process, and the code running in the hat must not have access to the key. Thus change_hat is most useful in conjunction with application servers, where a language interpreter (such as PERL, PHP, or Java) is isolating pieces of code such that they do not have direct access to the memory of the containing process.

The rest of this chapter describes using change_hat in conjunction with Apache, to contain web server components run using mod_perl and mod_php. Similar approaches can be used with any application server by providing an application module similar to the mod_apparmor described next in Section 5.2.2, "Location and Directory Directives" (page 84).

NOTE: For More Information
For more information, see the change_hat man page.
5.1 Apache ChangeHat

Novell AppArmor provides a mod_apparmor module (package apache2-mod_apparmor) for the Apache program. This module makes the Apache Web server ChangeHat aware. Install it along with Apache.

When Apache is ChangeHat aware, it checks for the following customized Novell AppArmor security profiles in the order given for every URI request that it receives.

- URI-specific hat (for example, ^phpsysinfo/templates/classic/images/bar_left.gif)
- DEFAULT_URI
- HANDLING_UNTRUSTED_INPUT

NOTE: Apache Configuration
If you install apache2-mod_apparmor without Novell AppArmor, make sure that the Apache load module has a command in the configuration file that loads the mod_apparmor module by adding apparmor to the list of modules to load in /etc/sysconfig/apache2:

  APACHE_MODULES="apparmor"

Alternatively, add the following line to your Apache configuration file:

  LoadModule mod_apparmor modules/mod_apparmor.so

5.1.1 Managing ChangeHat-Aware Applications

As with most of the Novell AppArmor tools, you can use two methods for managing ChangeHat, YaST or the command line interface. Managing ChangeHat-aware applications from the command line is much more flexible, but the process is also more complicated. Both methods allow you to manage the hats for your application and populate them with profile entries.
The following steps are a demonstration that adds hats to an Apache profile using YaST. In the Add Profile Wizard, the Novell AppArmor profiling utilities prompt you to create new hats for distinct URI requests. Choosing to create a new hat allows you to create individual profiles for each URI. You can create very tight rules for each request. If the URI that is processed does not represent significant processing or otherwise does not represent a significant security risk, safely select Use Default Hat to process this URI in the default hat, which is the default security profile.

This example creates a new hat for the URI phpsysinfo and its subsequent accesses. Using the profiling utilities, delegate what to add to this new hat. The resulting hat becomes a tight-security container that encompasses all the processing on the server that occurs when the phpsysinfo URI is passed to the Apache Web server.

The URI runs the application phpsysinfo (refer to http://phpsysinfo.sourceforge.net for more information). The phpsysinfo package is assumed to be installed in /srv/www/htdocs/phpsysinfo in a clean (new) installation of openSUSE and AppArmor.

1 Once phpsysinfo is installed, you are ready to add hats to the Apache profile. From the Novell AppArmor GUI, select Add Profile Wizard.

2 In Application to Profile, enter httpd2-prefork.

3 Click Create Profile.

4 Restart Apache by entering rcapache2 restart in a terminal window.
  Restart any program you are profiling at this point.

5 Open http://localhost/phpsysinfo/ in a Web browser window. The browser window should display network usage and system information.

  NOTE: Data Caching
  To ensure that this request is processed by the server and you do not review cached data in your browser, refresh the page. To do this, click the browser Refresh button to make sure that Apache processes the request for the phpsysinfo URI.

6 Click Scan System Log for Entries to Add to Profiles. Novell AppArmor launches the aa-logprof tool, which scans the information learned in the previous step. It begins to prompt you with profile questions.

7 aa-logprof first prompts with Add Requested Hat or Use Default Hat because it noticed that the phpsysinfo URI was accessed. Select Add Requested Hat.

8 Click Allow.
  Choosing Add Requested Hat in the previous step creates a new hat in the profile and specifies that the results of subsequent questions about the script's actions are added to the newly created hat rather than the default hat for this application.
  In the next screen, Novell AppArmor displays an external program that the script executed. You can specify that the program should run confined by the phpsysinfo hat (choose Inherit), confined by a separate profile (choose Profile), or that it should run unconfined or without any security profile (choose Unconfined). For the case of the Profile option, a new profile is created for the program if one does not already exist.

  NOTE: Security Considerations
  Selecting Unconfined can create a significant security hole and should be done with caution.

8a Select Inherit for the /bin/bash path. This adds /bin/bash (accessed by Apache) to the phpsysinfo hat profile with the necessary permissions.

8b Click Allow.

9 The remaining questions prompt you to generate new hats and add entries to your profile and its hats. The process of adding entries to profiles is covered in detail in Section 3.1, "Adding a Profile Using the Wizard" (page 29).
  When all profiling questions are answered, click Finish to save your changes and exit the wizard.
The following is an example phpsysinfo hat.

Example 5.1 Example phpsysinfo Hat

  /usr/sbin/httpd2-prefork {
    ...
    ^phpsysinfo {
      #include
      #include
      /bin/basename ixr,
      /bin/bash ixr,
      /bin/df ixr,
      /bin/grep ixr,
      /bin/mount Ux,
      /bin/sed ixr,
      /dev/bus/usb/ r,
      /dev/bus/usb/** r,
      /dev/null w,
      /dev/tty rw,
      /dev/urandom r,
      /etc/SuSE-release r,
      /etc/ld.so.cache r,
      /etc/lsb-release r,
      /etc/lsb-release.d/ r,
      /lib/ld-2.6.1.so ixr,
      /proc/** r,
      /sbin/lspci ixr,
      /srv/www/htdocs/phpsysinfo/** r,
      /sys/bus/pci/** r,
      /sys/bus/scsi/devices/ r,
      /sys/devices/** r,
      /usr/bin/cut ixr,
      /usr/bin/getopt ixr,
      /usr/bin/head ixr,
      /usr/bin/lsb_release ixr,
      /usr/bin/lsscsi ixr,
      /usr/bin/tr ixr,
      /usr/bin/who ixr,
      /usr/lib/lib*so* mr,
      /usr/lib/locale/** r,
      /usr/sbin/lsusb ixr,
      /usr/share/locale/** r,
      /usr/share/pci.ids r,
      /usr/share/usb.ids r,
      /var/log/apache2/access_log w,
      /var/run/utmp kr,
    }
  }

NOTE: Hat and Parent Profile Relationship
The profile ^phpsysinfo is only valid in the context of a process running under the parent profile httpd2-prefork.
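As an added example, not part of the guide, the following Python script reviews a hat like the one above: it parses the profile text into per-hat file rules and flags the entries that weaken a hat the most, namely unconfined execution (ux/Ux, the modes the IMPORTANT note on running unconfined warns about) and write access. The embedded profile text is a constructed copy of a subset of the ^phpsysinfo rules shown above; the #include lines are skipped because the parser only looks at file rules.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the file rules of the ^phpsysinfo hat
# shown in Example 5.1, embedded so the check runs offline.
SAMPLE_PROFILE = """\
/usr/sbin/httpd2-prefork {
  # parent profile rules omitted
  ^phpsysinfo {
    #include
    /bin/basename ixr,
    /bin/bash ixr,
    /bin/df ixr,
    /bin/mount Ux,
    /bin/sed ixr,
    /dev/null w,
    /dev/tty rw,
    /dev/urandom r,
    /etc/ld.so.cache r,
    /lib/ld-2.6.1.so ixr,
    /proc/** r,
    /srv/www/htdocs/phpsysinfo/** r,
    /usr/lib/lib*so* mr,
    /var/log/apache2/access_log w,
    /var/run/utmp kr,
  }
}
"""

PROFILE_START = re.compile(r'^(/\S*)\s*\{$')         # "/usr/sbin/httpd2-prefork {"
HAT_START = re.compile(r'^\^(\S+)\s*\{$')             # "^phpsysinfo {"
FILE_RULE = re.compile(r'^(\S+)\s+([A-Za-z]+)\s*,$')  # "/bin/bash ixr,"

# Execute modifiers as described in the profiling dialogs of this guide.
EXEC_MODES = {
    'ix': 'inherit: child runs under this hat/profile',
    'Px': 'own profile, environment sanitized',
    'px': 'own profile, environment NOT sanitized',
    'Ux': 'unconfined, environment sanitized',
    'ux': 'unconfined, environment NOT sanitized',
}


def parse_profile(text):
    """Return {hat_name: [(path, perms), ...]} for a profile with hats.

    The parent profile's own file rules are stored under the key ''.
    A hat (^name { ... }) is one level below its parent, as the guide requires.
    """
    rules = defaultdict(list)
    stack = []        # enclosing scope names, so "}" returns to the parent
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if HAT_START.match(line):
            stack.append(current)
            current = HAT_START.match(line).group(1)
        elif PROFILE_START.match(line):
            stack.append(current)
            current = ''
        elif line == '}':
            current = stack.pop()
        else:
            m = FILE_RULE.match(line)
            if m and current is not None:
                rules[current].append((m.group(1), m.group(2)))
            # capability and network rules are not file rules; ignored here
    return dict(rules)


def exec_mode(perms):
    """The execute modifier in a permission string ('ixr' -> 'ix'), or None."""
    for mode in EXEC_MODES:
        if mode in perms:
            return mode
    return None


def review_hat(rules):
    """Flag the rules that weaken a hat most: unconfined exec and writes.

    Returns (kind, path, perms) tuples, kind being 'unconfined-exec' or 'write'.
    """
    findings = []
    for path, perms in rules:
        if exec_mode(perms) in ('ux', 'Ux'):
            findings.append(('unconfined-exec', path, perms))
        if 'w' in perms:
            findings.append(('write', path, perms))
    return findings


def exec_mode_counts(rules):
    """Count how many rules use each execute modifier, for a quick overview."""
    counts = Counter()
    for _, perms in rules:
        mode = exec_mode(perms)
        if mode:
            counts[mode] += 1
    return counts


if __name__ == '__main__':
    hats = parse_profile(SAMPLE_PROFILE)
    for kind, path, perms in review_hat(hats['phpsysinfo']):
        print(f'{kind:16} {path} {perms}  ({EXEC_MODES.get(exec_mode(perms), "")})')
    print(dict(exec_mode_counts(hats['phpsysinfo'])))
```

In the hat above the only unconfined entry is /bin/mount Ux; that line is the one to question first when reviewing what the phpsysinfo hat can do.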
5.1.2 Adding Hats and Entries to Hats

When you use the Edit Profile dialog (for instructions, refer to Section 3.3, "Editing Profiles" (page 38)) or when you add a new profile using Manually Add Profile (for instructions, refer to Section 3.2, "Manually Adding a Profile" (page 37)), you are given the option of adding hats (subprofiles) to your Novell AppArmor profiles. Add a ChangeHat subprofile from the AppArmor Profile Dialog window as in the following.

1 From the AppArmor Profile Dialog window, click Add Entry then select Hat. The Enter Hat Name dialog box opens:

2 Enter the name of the hat to add to the Novell AppArmor profile. The name is the URI that, when accessed, receives the permissions set in the hat.

3 Click Create Hat. You are returned to the AppArmor Profile Dialog screen.

4 After adding the new hat, click Done.

NOTE: For More Information
For an example of a Novell AppArmor profile, refer to Example 5.1, "Example phpsysinfo Hat" (page 81).
5.2 Configuring Apache for mod_apparmor

Apache is configured by placing directives in plain text configuration files. The main configuration file is usually httpd.conf. When you compile Apache, you can indicate the location of this file. Directives can be placed in any of these configuration files to alter the way Apache behaves. When you make changes to the main configuration files, you need to start or restart Apache so the changes are recognized.
5.2.1 Virtual Host Directives

Virtual host directives control whether requests that contain trailing pathname information following an actual filename or that refer to a nonexistent file in an existing directory are accepted or rejected. For Apache documentation on virtual host directives, refer to http://httpd.apache.org/docs-2.2/mod/core.html#virtualhost.

The ChangeHat-specific configuration keyword is AADefaultHatName. It is used similarly to AAHatName, for example, AADefaultHatName My_Funky_Default_Hat. The configuration option is actually based on a server directive, which enables you to use the keyword outside of other options, setting it for the default server. Virtual hosts are considered internally within Apache to be separate "servers," so you can set a default hat name for the default server as well as one for each virtual host, if desired.

When a request comes in, the following steps reflect the sequence in which mod_apparmor attempts to apply hats.

1. A location or directory hat as specified by the AAHatName keyword
2. A hat named by the entire URI path
3. A default server hat as specified by the AADefaultHatName keyword
4. DEFAULT_URI (if none of those exist, it goes back to the "parent" Apache hat)

5.2.2 Location and Directory Directives

Location and directory directives specify hat names in the program configuration file so the program calls the hat regarding its security. For Apache, you can find documentation about the location and directory directives at http://httpd.apache.org/docs-2.0/sections.html.
The location directive example below specifies that, for a given location, mod_apparmor should use a specific hat:

  <Location /foo/>
    AAHatName MY_HAT_NAME
  </Location>

This tries to use MY_HAT_NAME for any URI beginning with /foo/ (/foo/, /foo/bar, /foo/cgi/path/blah_blah/blah, etc.).

The directory directive works similarly to the location directive, except it refers to a path in the file system as in the following example:

  # Note lack of trailing slash
  AAHatName immunix.com

Example: The program phpsysinfo is used to illustrate a location directive in the following example. The tarball can be downloaded from http://phpsysinfo.sourceforge.com.

1 After downloading the tarball, install it into /srv/www/htdocs/phpsysinfo.

2 Create /etc/apache2/conf.d/phpsysinfo.conf and add the following text to it:

    AAHatName phpsysinfo

  The following hat should then work for phpsysinfo:

    /usr/sbin/httpd2-prefork {
      ...
      ^phpsysinfo {
        #include
        #include
        /bin/basename ixr,
        /bin/bash ixr,
        /bin/df ixr,
        /bin/grep ixr,
        /bin/mount Ux,
        /bin/sed ixr,
        /dev/bus/usb/ r,
        /dev/bus/usb/** r,
        /dev/null w,
        /dev/tty rw,
        /dev/urandom r,
        /etc/SuSE-release r,
        /etc/ld.so.cache r,
        /etc/lsb-release r,
        /etc/lsb-release.d/ r,
        /lib/ld-2.6.1.so ixr,
        /proc/** r,
        /sbin/lspci ixr,
        /srv/www/htdocs/phpsysinfo/** r,
        /sys/bus/pci/** r,
        /sys/bus/scsi/devices/ r,
        /sys/devices/** r,
        /usr/bin/cut ixr,
        /usr/bin/getopt ixr,
        /usr/bin/head ixr,
        /usr/bin/lsb_release ixr,
        /usr/bin/lsscsi ixr,
        /usr/bin/tr ixr,
        /usr/bin/who ixr,
        /usr/lib/lib*so* mr,
        /usr/lib/locale/** r,
        /usr/sbin/lsusb ixr,
        /usr/share/locale/** r,
        /usr/share/pci.ids r,
        /usr/share/usb.ids r,
        /var/log/apache2/access_log w,
        /var/run/utmp kr,
      }
    }

3 Reload Novell AppArmor profiles by entering rcapparmor restart at a terminal window as root.

4 Restart Apache by entering rcapache2 restart at a terminal window as root.

5 Enter http://hostname/phpsysinfo/ into a browser to receive the system information that phpsysinfo delivers.

6 Locate configuration errors by going to /var/log/audit/audit.log or running dmesg and looking for any rejections in the output.
6 Managing Profiled Applications

After creating profiles and immunizing your applications, openSUSE becomes more efficient and better protected if you perform Novell AppArmor profile maintenance, which involves analyzing log files and refining your profiles as well as backing up your set of profiles and keeping it up-to-date. You can deal with these issues before they become a problem by setting up event notification by e-mail, running periodic reports, updating profiles from system log entries by running the aa-logprof tool through YaST, and dealing with maintenance issues.

6.1 Monitoring Your Secured Applications

Applications that are confined by Novell AppArmor security profiles generate messages when applications execute in unexpected ways or outside of their specified profile. These messages can be monitored by event notification, periodic report generation, or integration into a third-party reporting mechanism.

For reporting and alerting, AppArmor uses a user space daemon (/usr/sbin/aa-eventd). This daemon monitors log traffic, sends out notifications, and runs scheduled reports. It does not require any end user configuration and it is started automatically as part of the security event notification through the YaST AppArmor Control Panel or by the configuration of scheduled reports in the YaST AppArmor Reports module.

Apart from transparently enabling and disabling aa-eventd with the YaST modules, you can manually toggle its status with the rcaaeventd init script. The AppArmor event daemon is not required for proper functioning of the profiling process (such as enforcement or learning). It is just required for reporting.

Find more details on security event notification in Section 6.2, "Configuring Security Event Notification" (page 88) and on scheduled reports in Section 6.3, "Configuring Reports" (page 91). If you prefer a simple way of being notified of any AppArmor reject events that does not require you to check your e-mails or any log files, use the AppArmor Desktop Monitor applet that integrates into the GNOME desktop. Refer to Section 6.4, "Configuring and Using the AppArmor Desktop Monitor Applet" (page 111) for details.
6.2 Configuring Security Event Notification

Security event notification is a Novell AppArmor feature that informs you when systemic Novell AppArmor activity occurs. Activate it by selecting a notification frequency (receiving daily notification, for example). Enter an e-mail address, so you can be notified by e-mail when Novell AppArmor security events occur. Select one of the following notification types:

Terse
  Terse notification summarizes the total number of system events without providing details. For example:

  jupiter.example.com has had 41 security events since Mon Sep 10 14:53:16 2007.

Summary Notification
  Summary notification displays the logged Novell AppArmor security events and lists the number of individual occurrences, including the date of the last occurrence. For example:

  AppArmor: PERMITTING access to capability 'setgid' (httpd2-prefork(6347) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork) 2 times, the latest at Sat Oct 9 16:05:54 2004.

Verbose Notification
  Verbose notification displays unmodified, logged Novell AppArmor security events. It tells you every time an event occurs and writes a new line in the verbose log. These security events include the date and time the event occurred, when the application profile permits and rejects access, and the type of file permission access that is permitted or rejected. Verbose notification also reports several messages that the aa-logprof tool (see Section "aa-logprof — Scanning the System Log" (page 67)) uses to interpret profiles. For example:

  type=APPARMOR_DENIED msg=audit(1189428793.218:2880): operation="file_permission" requested_mask="w" denied_mask="w" name="/var/log/apache2/error_log" pid=22969 profile="/usr/sbin/httpd2-prefork"

NOTE
You must set up a mail server that can send outgoing mail using the SMTP protocol (for example, postfix or exim) for event notification to work.
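The following is an added example, not part of the guide: a Python parser for audit lines in the format of the verbose message above, aggregated the way the Terse and Summary notifications present them (total count since the first event; occurrences per distinct event with the date of the latest). The same parser serves step 6 of the phpsysinfo procedure in Section 5.2.2, where you look for rejections in /var/log/audit/audit.log. The log lines are constructed (the first is the message quoted above, the rest follow its field layout), timestamps are rendered in UTC rather than the local time the guide's examples show, and the host name is a parameter.

```python
import re
from collections import OrderedDict
from datetime import datetime, timezone

# Constructed sample log. The first line is the message quoted above; the
# other AppArmor lines are made up in the same layout, and the SYSCALL line
# shows that unrelated audit records are skipped.
SAMPLE_LOG = """\
type=APPARMOR_DENIED msg=audit(1189428793.218:2880): operation="file_permission" requested_mask="w" denied_mask="w" name="/var/log/apache2/error_log" pid=22969 profile="/usr/sbin/httpd2-prefork"
type=SYSCALL msg=audit(1189428795.000:2881): arch=c000003e syscall=2 success=yes exit=3
type=APPARMOR_DENIED msg=audit(1189428801.005:2882): operation="file_permission" requested_mask="w" denied_mask="w" name="/var/log/apache2/error_log" pid=22970 profile="/usr/sbin/httpd2-prefork"
type=APPARMOR_ALLOWED msg=audit(1189428803.500:2883): operation="file_permission" requested_mask="r" name="/etc/SuSE-release" pid=22970 profile="/usr/sbin/httpd2-prefork"
"""

AUDIT_RE = re.compile(
    r'^type=(?P<type>APPARMOR_[A-Z]+) msg=audit\((?P<secs>\d+)\.(?P<frac>\d+):'
    r'(?P<serial>\d+)\):\s*(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare

# Wording the Summary notification uses for each audit record type.
ACTION = {
    'APPARMOR_DENIED': 'REJECTING',
    'APPARMOR_ALLOWED': 'PERMITTING',
    'APPARMOR_AUDIT': 'AUDITING',
}


def parse_event(line):
    """Parse one AppArmor audit line into a dict; None for other record types."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    event = {
        'type': m.group('type'),
        'serial': int(m.group('serial')),
        # whole seconds are enough for notification purposes
        'time': datetime.fromtimestamp(int(m.group('secs')), tz=timezone.utc),
    }
    for key, quoted, bare in FIELD_RE.findall(m.group('rest')):
        event[key] = quoted or bare
    return event


def rejections(lines):
    """Only the denied events, i.e. what step 6 of Section 5.2.2 looks for."""
    return [ev for ev in map(parse_event, lines) if ev and ev['type'] == 'APPARMOR_DENIED']


def terse(lines, host):
    """Terse notification: total number of events since the first one."""
    events = [ev for ev in map(parse_event, lines) if ev]
    if not events:
        return f'{host} has had no security events.'
    since = min(ev['time'] for ev in events)
    return (f'{host} has had {len(events)} security events since '
            f'{since:%a %b %d %H:%M:%S %Y} UTC.')


def summarize(lines):
    """Summary notification data: one entry per distinct event with its
    number of occurrences and the time of the latest occurrence."""
    groups = OrderedDict()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        mask = ev.get('denied_mask') or ev.get('requested_mask', '')
        key = (ev['type'], ev.get('profile', '?'), ev.get('operation', '?'),
               ev.get('name', '?'), mask)
        g = groups.setdefault(key, {'count': 0, 'latest': ev['time']})
        g['count'] += 1
        g['latest'] = max(g['latest'], ev['time'])
    return groups


def format_summary(groups):
    """Render summarize() output, one line per group, Summary-notification style."""
    out = []
    for (etype, profile, op, name, mask), g in groups.items():
        out.append(
            f"AppArmor: {ACTION.get(etype, etype)} {op} {mask!r} on {name} "
            f"(profile {profile}) {g['count']} times, the latest at "
            f"{g['latest']:%a %b %d %H:%M:%S %Y} UTC.")
    return out


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    print(terse(lines, 'jupiter.example.com'))
    for line in format_summary(summarize(lines)):
        print(line)
    print(f'{len(rejections(lines))} rejection(s) to review')
```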
1 In the Enable Security Event Notification section of the AppArmor Configuration window, click Configure.

2 In the Security Event Notification window, enable Terse, Summary, or Verbose event notification.

2a In each applicable notification type section, enter the e-mail addresses of those who should receive notification in the field provided. If notification is enabled, you must enter an e-mail address. Separate multiple e-mail addresses with commas.

2b For each notification type enabled, select the frequency of notification. Select a notification frequency from the following options:
  Disabled
  1 minute
  5 minutes
  10 minutes
  15 minutes
  30 minutes
  1 hour
  1 day
  1 week

2c For each selected notification type, select the lowest severity level for which a notification should be sent. Security events are logged and the notifications are sent at the time indicated by the interval when events are equal to or greater than the selected severity level. If the interval is 1 day, the notification is sent daily, if security events occur.

  NOTE: Severity Levels
  Novell AppArmor sends out event messages for things that are in the severity database and above the level selected. Severity levels are numbered 1 through 10, with 10 being the most severe security incident. The /etc/severity.db file defines the severity level of potential security events. The severity levels are determined by the importance of different security events, such as certain resources accessed or services denied.

3 Click OK.

4 Click Done in the Novell AppArmor Configuration window.

5 Click File > Quit in the YaST Control Center.

After configuring security event notification, read the reports and determine whether events require follow up. Follow up may include the procedures outlined in Section 6.5, "Reacting to Security Event Rejections" (page 112).
6.3 Configuring Reports

Novell AppArmor's reporting feature adds flexibility by enhancing the way users can view security event data. The reporting tool performs the following:

- Creates on-demand reports
- Exports reports
- Schedules periodic reports for archiving
- E-mails periodic reports
- Filters report data by date
- Filters report data by other options, such as program name

Using reports, you can read important Novell AppArmor security events reported in the log files without manually sifting through the messages only useful to the aa-logprof tool. Narrow down the size of the report by filtering by date range or program name. You can also export an html or csv file.

The following are the three types of reports available in Novell AppArmor:

Executive Security Summary
  A combined report, consisting of one or more security incident reports from one or more machines. This report can provide a single view of security events on multiple machines. For more details, refer to Section "Executive Security Summary" (page 101).

Application Audit Report
  An auditing tool that reports which application servers are running and whether the applications are confined by AppArmor. Application servers are applications that accept incoming network connections. For more details, refer to Section "Application Audit Report" (page 97).

Security Incident Report
  A report that displays application security for a single host. It reports policy violations for locally confined applications during a specific time period. You can edit and customize this report or add new versions. For more details, refer to Section "Security Incident Report" (page 99).

To use the Novell AppArmor reporting features, proceed with the following steps:

1 Open YaST > Novell AppArmor.

2 In Novell AppArmor, click AppArmor Reports. The AppArmor Security Event Reports window appears. From the Reports window, select an option and proceed to the respective section for instructions:

View Archive
  Displays all reports that have been run and stored in /var/log/apparmor/reports-archived/. Select the report you want to see in detail and click View. For View Archive instructions, proceed to Section 6.3.1, "Viewing Archived Reports" (page 94).

Run Now
  Produces an instant version of the selected report type. If you select a security incident report, it can be further filtered in various ways. For Run Now instructions, proceed to Section 6.3.2, "Run Now: Running On-Demand Reports" (page 102).

Add
  Creates a scheduled security incident report. For Add instructions, proceed to Section 6.3.3, "Adding New Reports" (page 105).

Edit
  Edits a scheduled security incident report.

Delete
  Deletes a scheduled security incident report. All stock or canned reports cannot be deleted.

Back
  Returns you to the Novell AppArmor main screen.

Abort
  Returns you to the Novell AppArmor main screen.

Next
  Performs the same function as the Run Now button.
6.3.1 Viewing Archived Reports

View Reports enables you to specify the location of a collection of reports from one or more systems, including the ability to filter by date or names of programs accessed and display them all together in one report.

1 From the AppArmor Security Event Report window, select View Archive.

2 Select the report type to view. Toggle between the different types: SIR (Security Incident Report), AppAud (Application Audit), and ESS (Executive Security Summary).

3 You can alter the directory location of the archived reports in Location of Archived Reports. Select Accept to use the current directory or select Browse to find a new report location. The default directory is /var/log/apparmor/reports-archived.

4 To view all the reports in the archive, select View All. To view a specific report, select a report file listed in the Report field then select View.

5 For Application Audit and Executive Security Summary reports, proceed to Step 9 (page 97).

6 The Report Configuration Dialog opens for Security Incident reports.

7 The Report Configuration dialog enables you to filter the reports selected in the previous screen. Enter the desired filter details. The fields are:

Date Range
  To display reports for a certain time period, select Filter By Date Range. Enter the start and end dates that define the scope of the report.

Program Name
  When you enter a program name or pattern that matches the name of the binary executable of the program of interest, the report displays security events that have occurred for a specific program.

Profile Name
  When you enter the name of the profile, the report displays the security events that are generated for the specified profile. You can use this to see what is being confined by a specific profile.

PID Number
  PID number is a number that uniquely identifies one specific process or running program (this number is valid only during the lifetime of that process).

Severity
  Select the lowest severity level for security events to include in the report. The selected severity level and above are then included in the reports.

Detail
  A source to which the profile has denied access. This includes capabilities and files. You can use this field to report the resources to which profiles prevent access.

Access Type
  The access type describes what is actually happening with the security event. The options are PERMITTING, REJECTING, or AUDITING.

Mode
  The Mode is the permission that the profile grants to the program or process to which it is applied. The options are all (all modes without filtering), r (read), w (write), l (link), x (execute), and m (mmap).

Export Type
  Enables you to export a CSV (comma separated values) or HTML file. The CSV file separates pieces of data in the log entries with commas using a standard data format for importing into table-oriented applications. You can enter a path for your exported report by typing the full path in the field provided.

Location to Store Log
  Enables you to change the location at which to store the exported report. The default location is /var/log/apparmor/reports-exported. When you change this location, select Accept. Select Browse to browse the file system.

8 To see the report, filtered as desired, select Next. One of the three reports displays.

9 Refer to the following sections for detailed information about each type of report.
  - For the application audit report, refer to Section "Application Audit Report" (page 97).
  - For the security incident report, refer to Section "Security Incident Report" (page 99).
  - For the executive summary report, refer to Section "Executive Security Summary" (page 101).
Application Audit Report

An application audit report is an auditing tool that reports which application servers are running and whether they are confined by AppArmor.

The following fields are provided in an application audit report:

Host
  The machine protected by AppArmor for which the security events are reported.

Date
  The date during which security events occurred.

Program
  The name and path of the executing process.

Profile
  The absolute name of the security profile that is applied to the process.

PID
  A number that uniquely identifies one specific process or running program (this number is valid only during the lifetime of that process).

State
  This field reveals whether the program listed in the program field is confined. If it is not confined, you might consider creating a profile for it.

Type
  This field reveals the type of confinement the security event represents. It says either complain or enforce. If the application is not confined (state), no type of confinement is reported.

Security Incident Report

A security incident report displays security events of interest to an administrator. The SIR reports policy violations for locally confined applications during the specified time period. It also reports policy exceptions and policy engine state changes. These two types of security events are defined as follows:

Policy Exceptions
  When an application requests a resource that is not defined within its profile, a security event is triggered. A report is generated that displays security events of interest to an administrator. The SIR reports policy violations for locally confined applications during the specified time period. The SIR reports policy exceptions and policy engine state changes.

Policy Engine State Changes
  The policy engine enforces policy for applications and maintains its own state, including when engines start or stop, when a policy is reloaded, and when global security features are enabled or disabled.

The fields in the SIR report have the following meanings:

Host
  The machine protected by AppArmor for which the security events are reported.

Date
  The date during which security events occurred.

Program
  The name of the executing process.

Profile
  The absolute name of the security profile that is applied to the process.

PID
  A number that uniquely identifies one specific process or running program (this number is valid only during the lifetime of that process).

Severity
  Severity levels of events are reported from the severity database. The severity database defines the importance of potential security events and numbers them 1 through 10, 10 being the most severe security incident. The severity levels are determined by the threat or importance of different security events, such as certain resources accessed or services denied.

Mode
  The mode is the permission that the profile grants to the program or process to which it is applied. The options are r (read), w (write), l (link), and x (execute).

Detail
  A source to which the profile has denied access. This includes capabilities and files. You can use this field to report the resources to which the profile prevents access.

Access Type
  The access type describes what is actually happening with the security event. The options are PERMITTING, REJECTING, or AUDITING.

Executive Security Summary

A combined report consisting of one or more high-level reports from one or more machines. This report can provide a single view of security events on multiple machines if each machine's data is copied to the report archive directory, which is /var/log/apparmor/reports-archived. One line of the ESS report represents a range of SIR reports.

The following fields are provided in an executive security summary:

Host
  The machine protected by AppArmor for which the security events are reported.

Start Date
  The first date in a range of dates during which security events are reported.

End Date
  The last date in a range of dates during which security events are reported.

Num Rejects
  In the date range given, the total number of security events that are rejected access attempts.

Num Events
  In the date range given, the total number of security events.

Ave. Sev
  This is the average of the severity levels reported in the date range given. Unknown severities are disregarded in this figure.

High Sev
  This is the severity of the highest severity event reported in the date range given.
6.3.2 Run Now: Running On-Demand Reports

The Run Now report feature enables you to instantly extract report information from the Novell AppArmor event logs without waiting for scheduled events. If you need help navigating to the main report screen, see Section 6.3, "Configuring Reports" (page 91). Perform the following steps to run a report from the list of reports:

1 Select the report to run instantly from the list of reports in the Schedule Reports window.

2 Select Run Now or Next. The next screen depends on which report you selected in the previous step. As an example, select a security incident report.

3 The Report Configuration Dialog opens for security incident reports.

4 The Report Configuration Dialog enables you to filter the reports selected in the previous screen. Enter the desired filter details. The following filter options are available:

Date Range
  To limit reports to a certain time period, select Filter By Date Range. Enter the start and end dates that determine the scope of the report.

Program Name
  When you enter a program name or pattern that matches the name of the binary executable for the program of interest, the report displays security events that have occurred for the specified program only.

Profile Name
  When you enter the name of the profile, the report displays the security events that are generated for the specified profile. You can use this to see what is confined by a specific profile.

PID Number
  A number that uniquely identifies one specific process or running program (this number is valid only during the lifetime of that process).

Severity
  Select the lowest severity level for security events to include in the report. The selected severity level and above are included in the reports.

Detail
  A source to which the profile has denied access. This includes capabilities and files. You can use this field to report the resources to which profiles prevent access.

Access Type
  The access type describes what is actually happening with the security event. The options are PERMITTING, REJECTING, or AUDITING.

Mode
  The mode is the permission that the profile grants to the program or process to which it is applied. The options are r (read), w (write), l (link), and x (execute).

Export Type
  Enables you to export a CSV (comma separated values) or HTML file. The CSV file separates pieces of data in the log entries with commas using a standard data format for importing into table-oriented applications. Enter a path for your exported report by typing in the full path in the field provided.

Location to Store Log
  Enables you to change the location where the exported report is stored. The default location is /var/log/apparmor/reports-exported. When you change this location, select Accept. Select Browse to browse the file system.

5 To see the report, filtered as desired, select Next. One of the three reports displays. Refer to the following sections for detailed information about each type of report.
  - For the application audit report, refer to Section "Application Audit Report" (page 97).
  - For the security incident report, refer to Section "Security Incident Report" (page 99).
  - For the executive summary report, refer to Section "Executive Security Summary" (page 101).
6.3.3 Adding New Reports

Adding new reports enables you to create a scheduled security incident report that displays Novell AppArmor security events according to your preset filters. When a report is set up in Schedule Reports, it periodically launches a report of Novell AppArmor security events that have occurred on the system.

You can configure a daily, weekly, monthly, or hourly report to run for a specified period. You can set the report to display rejections for certain severity levels or to filter by program name, profile name, severity level, or denied resources. This report can be exported to an HTML (Hypertext Markup Language) or CSV (Comma Separated Values) file format.

NOTE
Return to the beginning of this section if you need help navigating to the main report screen (see Section 6.3, "Configuring Reports" (page 91)).

To add a new scheduled security incident report, proceed as follows:

1 Click Add to create a new security incident report. The first page of Add Scheduled SIR opens.

2 Fill in the fields with the following filtering information, as necessary:

Report Name
  Specify the name of the report. Use names that easily distinguish different reports.

Day of Month
  Select any day of the month to activate monthly filtering in reports. If you select All, monthly filtering is not performed.

Day of Week
  Select the day of the week on which to schedule weekly reports, if desired. If you select ALL, weekly filtering is not performed. If monthly reporting is selected, this field defaults to ALL.

Hour and Minute
  Select the time. This specifies the hour and minute that you would like the reports to run. If you do not change the time, selected reports run at midnight. If neither month nor day of week are selected, the report runs daily at the specified time.

E-Mail Target
  You have the ability to send the scheduled security incident report via e-mail to up to three recipients. Just enter the e-mail addresses for those who require the security incident information.

Export Type
  This option enables you to export a CSV (comma separated values) or HTML file. The CSV file separates pieces of data in the log entries with commas using a standard data format for importing into table-oriented applications. Enter a path for your exported report by typing in the full path in the field provided.

Location to Store Log
  Enables you to change the location where the exported report is stored. The default location is /var/log/apparmor/reports-exported. When you change this location, select Accept. Select Browse to browse the file system.

3 Click Next to proceed to the second page of Add Scheduled SIR.

4 Fill in the fields with the following filtering information, as necessary:

Program Name
  You can specify a program name or pattern that matches the name of the binary executable for the program of interest. The report displays security events that have occurred for the specified program only.

Profile Name
  You can specify the name of the profile for which the report should display security events. You can use this to see what is being confined by a specific profile.

PID Number
  A number that uniquely identifies one specific process or running program (this number is valid only during the lifetime of that process).

Detail
  A source to which the profile has denied access. This includes capabilities and files. You can use this field to create a report of resources to which profiles prevent access.

Severity
  Select the lowest severity level of security events to include in the report. The selected severity level and above are included in the reports.

Access Type
  The access type describes what is actually happening with the security event. The options are PERMITTING, REJECTING, or AUDITING.

Mode
  The mode is the permission that the profile grants to the program or process to which it is applied. The options are r (read), w (write), l (link), and x (execute).

5 Click Save to save this report. Novell AppArmor returns to the Scheduled Reports main window where the newly scheduled report appears in the list of reports.
6.3.4 Editing Reports

From the AppArmor Reports screen, you can select and edit a report. The three pre-configured reports (stock reports) cannot be edited or deleted.

NOTE: Return to the beginning of this section if you need help navigating to the main report screen (see Section 6.3, "Configuring Reports" (page 91)).

Perform the following steps to modify a report from the list of reports:

1 From the list of reports in the Schedule Reports window, select the report to edit. This example assumes that you have selected a security incident report.

2 Click Edit to edit the security incident report. The first page of the Edit Scheduled SIR displays.

3 Modify the following filtering information, as necessary:

Day of Month
Select any day of the month to activate monthly filtering in reports. If you select All, monthly filtering is not performed.

Day of Week
Select the day of the week on which to schedule the weekly reports. If you select All, weekly filtering is not performed. If monthly reporting is selected, this defaults to All.

Hour and Minute
Select the time. This specifies the hour and minute at which you would like the reports to run. If you do not change the time, the selected report runs at midnight. If neither the day of the month nor the day of the week is selected, the report runs daily at the specified time.

E-Mail Target
You can send the scheduled security incident report via e-mail to up to three recipients. Enter the e-mail addresses of those who require the security incident information.

Export Type
This option enables you to export a CSV (comma separated values) or HTML file. The CSV file separates pieces of data in the log entries with commas, using a standard data format for importing into table-oriented applications. Enter the full path for your exported report in the field provided.

Location to Store Log
Enables you to change the location where the exported report is stored. The default location is /var/log/apparmor/reports-exported. When you change this location, select Accept. Select Browse to browse the file system.

4 Click Next to proceed to the next Edit Scheduled SIR page. The second page of Edit Scheduled Reports opens.

5 Modify the fields with the following filtering information, as necessary:

Program Name
You can specify a program name or pattern that matches the name of the binary executable for the program of interest. The report displays security events that have occurred for the specified program only.

Profile Name
You can specify the name of the profile for which to display security events. You can use this to see what is being confined by a specific profile.

PID Number
The process ID number is a number that uniquely identifies one specific process or running program (this number is valid only during the lifetime of that process).

Detail
A source to which the profile has denied access. This includes capabilities and files. You can use this field to create a report of resources to which profiles prevent access.

Severity
Select the lowest severity level for security events to include in the report. The selected severity level and above are included in the reports.

Access Type
The access type describes what is actually happening with the security event. The options are PERMITTING, REJECTING, or AUDITING.

Mode
The mode is the permission that the profile grants to the program or process to which it is applied. The options are r (read), w (write), l (link), and x (execute).

6 Select Save to save the changes to this report. Novell AppArmor returns to the Scheduled Reports main window, where the scheduled report appears in the list of reports.
6.3.5 Deleting Reports

Delete a Report enables you to permanently remove a report from the list of Novell AppArmor scheduled reports. To delete a report, follow these instructions:

1 To remove a report from the list of reports, highlight the report and click Delete.

2 From the confirmation pop-up, select Cancel if you do not want to delete the selected report. If you are sure you want to remove the report permanently from the list of reports, select Delete.
6.4 Configuring and Using the AppArmor Desktop Monitor Applet

The Linux audit framework contains a dispatcher that can send AppArmor events to any consumer application via dbus. The GNOME AppArmor Desktop Monitor applet is one example of an application that gathers AppArmor events via dbus. To configure audit to use the dbus dispatcher, set the dispatcher in your audit configuration in /etc/audit/auditd.conf to apparmor-dbus and restart auditd:

dispatcher=/usr/bin/apparmor-dbus

Once the dbus dispatcher is configured correctly, add the AppArmor Desktop Monitor to the GNOME panel by right-clicking the panel and selecting Add to Panel > AppArmor Desktop Monitor. As soon as a REJECT event is logged, the applet's panel icon changes appearance and you can click the applet to see the number of reject events per confined application. To view the exact log messages, refer to the audit log under /var/log/audit/audit.log. React to any REJECT events as described in Section 6.5, "Reacting to Security Event Rejections" (page 112).
6.5 Reacting to Security Event Rejections

When you receive a security event rejection, examine the access violation and determine whether that event indicated a threat or was part of normal application behavior. Application-specific knowledge is required to make the determination. If the rejected action is part of normal application behavior, run aa-logprof at the command line or the Update Profile Wizard in Novell AppArmor to update your profile. If the rejected action is not part of normal application behavior, this access should be considered a possible intrusion attempt (that was prevented) and this notification should be passed to the person responsible for security within your organization.
6.6 Maintaining Your Security Profiles

In a production environment, you should plan on maintaining profiles for all of the deployed applications. The security policies are an integral part of your deployment. You should plan on taking steps to back up and restore security policy files, plan for software changes, and allow any needed modification of security policies that your environment dictates.

6.6.1 Backing Up Your Security Profiles

Because you take the time to make profiles, it makes sense to back them up. Backing up profiles might save you from having to reprofile all your programs after a disk crash. Also, if profiles are changed, you can easily restore previous settings by using the backed up files.

Back up profiles by copying the profile files to a specified directory.

1 You should first archive the files into one file. To do this, open a terminal window and enter the following as root:

tar zclpf profiles.tgz /etc/apparmor.d

The simplest method to ensure that your security policy files are regularly backed up is to include the directory /etc/apparmor.d in the list of directories that your backup system archives.

2 You can also use scp or a file manager like Konqueror or Nautilus to store the files on some kind of storage media, the network, or another computer.
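The following shell script is an added example, not part of this guide or of the AppArmor project, that does the backup above in a form you can schedule: it archives a profile directory (assumed to be /etc/apparmor.d on a real system; the function takes the directory as a parameter) with the same tar flags, writes a SHA-256 manifest beside the archive, reads the archive back before reporting success, and provides a check function that tells you whether any profile has drifted since the backup, which is the "restore previous settings" case mentioned above. It assumes GNU tar and sha256sum are installed.

```shell
#!/bin/sh
# Added example, not from the Novell guide or the AppArmor project: back up a
# profile directory with the same tar flags the guide uses (z gzip, c create,
# p preserve permissions), stamp the archive, record a SHA-256 manifest so a
# later check shows which profiles drifted, and verify the archive reads back.
# Assumes GNU tar and sha256sum. On a real system call:
#   backup_profiles /etc/apparmor.d /var/backups/apparmor

backup_profiles() {
    profile_dir=$1      # e.g. /etc/apparmor.d
    dest_dir=$2         # where the .tgz and .sha256 files go
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest_dir/apparmor-profiles-$stamp.tgz"
    manifest="$dest_dir/apparmor-profiles-$stamp.sha256"

    mkdir -p "$dest_dir" || return 1
    # -C plus the basename stores "apparmor.d/..." instead of absolute paths,
    # so the archive can be unpacked for inspection without touching /etc.
    tar -czpf "$archive" -C "$(dirname "$profile_dir")" "$(basename "$profile_dir")" || return 1
    # Manifest of the live profiles, paths relative to the profile directory.
    ( cd "$profile_dir" && find . -type f -exec sha256sum {} + ) > "$manifest" || return 1
    # Never trust a backup you have not read back.
    tar -tzf "$archive" > /dev/null || return 1
    # Profiles describe your security policy; keep the copies root-only.
    chmod 600 "$archive" "$manifest" || return 1
    printf '%s\n' "$archive"
}

# Exit status 0 if every profile still matches the manifest (no drift),
# 1 if any file changed, went missing, or was added since the backup.
check_profiles() {
    manifest=$1
    profile_dir=$2
    ( cd "$profile_dir" && sha256sum --quiet -c "$manifest" ) > /dev/null 2>&1 || return 1
    # sha256sum -c ignores files that are not listed; catch additions by count.
    live=$( cd "$profile_dir" && find . -type f | wc -l )
    listed=$(wc -l < "$manifest")
    [ "$live" -eq "$listed" ]
}
```

Run backup_profiles from cron or from your backup system's pre-hook, and run check_profiles against the newest manifest before an update so you know whether the profiles on disk are still the ones you backed up.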
6.6.2 Changing Your Security Profiles

Maintenance of security profiles includes changing them if you decide that your system requires more or less security for its applications. To change your profiles in Novell AppArmor, refer to Section 3.3, "Editing Profiles" (page 38).
6.6.3 Introducing New Software into Your Environment

When you add a new application version or patch to your system, you should always update the profile to fit your needs. You have several options that depend on your company's software deployment strategy. You can deploy your patches and upgrades into a test or production environment. The following explains how to do this with each method.

If you intend to deploy a patch or upgrade in a test environment, the best method for updating your profiles is one of the following:

Run the profiling wizard by selecting Add Profile Wizard in YaST. This creates a new profile for the added or patched application. For step-by-step instructions, refer to Section 3.1, "Adding a Profile Using the Wizard" (page 29).

Run aa-genprof by typing aa-genprof in a terminal while logged in as root. For detailed instructions, refer to Section "aa-genprof—Generating Profiles" (page 59).

If you intend to deploy a patch or upgrade directly into a production environment, the best method for updating your profiles is one of the following:

Monitor the system frequently to determine if any new rejections should be added to the profile and update as needed using aa-logprof. For detailed instructions, refer to Section "aa-logprof—Scanning the System Log" (page 67).

Run the YaST Update Profile Wizard to learn the new behavior (high security risk, as all accesses are allowed and logged, not rejected). For step-by-step instructions, refer to Section 3.5, "Updating Profiles from Log Entries" (page 44).
7 Support

This chapter outlines maintenance-related tasks. Learn how to update Novell AppArmor and get a list of available man pages providing basic help for using the command line tools provided by Novell AppArmor. Use the troubleshooting section to learn about some common problems encountered with Novell AppArmor and their solutions. Report defects or enhancement requests for Novell AppArmor following the instructions in this chapter.

7.1 Updating Novell AppArmor Online

Updates for Novell AppArmor packages are provided in the same way as any other update for openSUSE. Retrieve and apply them exactly as for any other package that ships as part of openSUSE.
7.2 Using the Man Pages

There are man pages available for your use. In a terminal, enter man apparmor to open the apparmor man page. Man pages are distributed in sections numbered 1 through 8. Each section is specific to a category of documentation:

Table 7.1 Man Pages: Sections and Categories

Category                     Section
User commands                1
System calls                 2
Library functions            3
Device driver information    4
Configuration file formats   5
Games                        6
High level concepts          7
Administrator commands       8

The section numbers are used to distinguish man pages from each other. For example, exit(2) describes the exit system call, while exit(3) describes the exit C library function.

The Novell AppArmor man pages are:

unconfined(8)
autodep(1)
complain(1)
enforce(1)
genprof(1)
logprof(1)
change_hat(2)
logprof.conf(5)
apparmor.conf(5)
apparmor.d(5)
apparmor.vim(5)
apparmor(7)
apparmor_parser(8)
7.3 For More Information

Find more information about the AppArmor product on the Novell AppArmor product page at Novell: http://www.novell.com/products/apparmor/. Find the product documentation for Novell AppArmor, including this document, at http://www.novell.com/documentation/apparmor/ or in the installed system in /usr/share/doc/manual.

There are specific mailing lists for AppArmor that users can post to or join to communicate with developers.

apparmor-general@forge.novell.com [mailto:apparmor-general@forge.novell.com]
This is a mailing list for end users of AppArmor. It is a good place for questions about how to use AppArmor to protect your applications.

apparmor-dev@forge.novell.com [mailto:apparmor-dev@forge.novell.com]
This is a developer mailing list for AppArmor developers and community members. This list is for questions about development of core AppArmor features, the kernel module and the profiling tools. If you are interested in reviewing the code for AppArmor and contributing reviews or patches, this would be the list for you.

apparmor-announce@forge.novell.com [mailto:apparmor-announce@forge.novell.com]
This is a low traffic list announcing the availability of new releases or features.
7.4 Troubleshooting

This section lists the most common problems and error messages that may occur using Novell AppArmor.

7.4.1 How to React to Odd Application Behavior

If you notice odd application behavior or any other type of application problem, you should first check the reject messages in the log files to see if AppArmor is too closely constricting your application. To check reject messages, start YaST > Novell AppArmor and go to AppArmor Reports. Select View Archive and App Aud for the application audit report. You can filter dates and times to narrow down the specific periods when the unexpected application behavior occurred.

If you detect reject messages that indicate that your application or service is too closely restricted by AppArmor, update your profile to properly handle your use case of the application. Do this with the Update Profile Wizard in YaST, as described in Section 3.5, "Updating Profiles from Log Entries" (page 44).

If you decide to run your application or service without AppArmor protection, remove the application's profile from /etc/apparmor.d or move it to another location.
7.4.2 My Profiles do not Seem to Work Anymore…

If you have been using previous versions of AppArmor and have updated your system, but kept your old set of profiles, you might notice some applications behaving strangely or not working at all which seemed to work perfectly before you updated. This version of AppArmor introduces a set of new features to the profile syntax and the AppArmor tools that might cause trouble with older versions of the AppArmor profiles. The features concerned are:

File Locking
Network Access Control
The SYS_PTRACE Capability
Directory Path Access

The current version of AppArmor mediates file locking and introduces a new permission mode (k) for this. Applications requesting file locking permission might misbehave or fail altogether if confined by older profiles which do not explicitly contain permissions to lock files. If you suspect this to be the case, check the log file under /var/log/audit/audit.log for entries like the following:

type=APPARMOR_DENIED msg=audit(1188913493.299:9304): operation="file_lock" requested_mask="k" denied_mask="k" name="/home/tux/.qt/.qtrc.lock" pid=25736 profile="/usr/bin/opera"

Update the profile using the YaST Update Profile Wizard or the aa-logprof command as outlined below.

The new network access control syntax based on the network family and type specification, described in Section 2.1.1, "Network Access Control" (page 14), might cause application misbehavior or even stop applications from working. If you notice a network-related application behaving strangely, check the log file under /var/log/audit/audit.log for entries like the following:

type=APPARMOR_DENIED msg=audit(1188894313.206:9123): operation="socket_create" family="inet" sock_type="raw" protocol=1 pid=23810 profile="/bin/ping"

This log entry means that our example application, /bin/ping in this case, failed to get AppArmor's permission to open a network connection (here, creating a raw inet socket). This permission has to be explicitly stated to make sure that an application has network access. To update the profile to the new syntax, use the YaST Update Profile Wizard or the aa-logprof command as outlined below.
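As an added example that is not from this guide or the AppArmor tools, here is a small Python triage script for the "reacting to security event rejections" step in Section 6.5 and for the upgrade checks above: it parses APPARMOR_DENIED lines of the form shown in this section from /var/log/audit/audit.log, counts rejections per profile, and proposes the rule each event would need, using the k file mode for lock denials and the network family/type rule form (for example network inet raw,) that the new syntax introduces. The sample log is constructed inline (two lines are the guide's own examples, the other two are made up). The script deliberately stops short of deciding whether an event is normal behavior or an intrusion attempt; that judgment is yours or aa-logprof's.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/audit/audit.log lines. The first two are the
# entries quoted in this guide; the open() denial and the SYSCALL record are
# made up so that a plain file read and a non-AppArmor record are covered too.
SAMPLE_LOG = """\
type=APPARMOR_DENIED msg=audit(1188913493.299:9304): operation="file_lock" requested_mask="k" denied_mask="k" name="/home/tux/.qt/.qtrc.lock" pid=25736 profile="/usr/bin/opera"
type=APPARMOR_DENIED msg=audit(1188894313.206:9123): operation="socket_create" family="inet" sock_type="raw" protocol=1 pid=23810 profile="/bin/ping"
type=APPARMOR_DENIED msg=audit(1188894400.000:9200): operation="open" requested_mask="r" denied_mask="r" name="/proc/net/dev" pid=23811 profile="/usr/bin/opera"
type=SYSCALL msg=audit(1188894400.001:9201): arch=40000003 syscall=5 success=no exit=-13
"""

_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
_MSG = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\)')


def parse_audit_line(line):
    """Split one APPARMOR_DENIED record into a dict of its key=value fields.
    Quoted values lose their quotes; the audit(secs.millis:serial) stamp is
    exposed as 'timestamp' and 'serial'. Other record types return None."""
    if not line.startswith("type=APPARMOR_DENIED"):
        return None
    fields = {}
    for key, raw, quoted in _FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    stamp = _MSG.search(line)
    fields["timestamp"] = float(f"{stamp.group(1)}.{stamp.group(2)}") if stamp else None
    fields["serial"] = int(stamp.group(3)) if stamp else None
    return fields


def suggest_rule(event):
    """Profile rule that would permit the event: a file rule carrying the
    denied mask (which may be the new 'k' lock mode), or a network rule in
    the family/type form for socket_create. Returns None when the operation
    needs a human to look at it (capabilities, unknown operations)."""
    if event.get("operation") == "socket_create" and "family" in event and "sock_type" in event:
        return f'network {event["family"]} {event["sock_type"]},'
    if event.get("name") and event.get("denied_mask"):
        return f'{event["name"]} {event["denied_mask"]},'
    return None


def summarize_rejects(log_text):
    """Per-profile rejection count plus the sorted set of rules each profile
    would need. This is triage only: it lays out what aa-logprof will ask
    about; it does not decide whether an event is benign."""
    counts = Counter()
    needed = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_audit_line(line)
        if event is None:
            continue
        profile = event.get("profile", "unknown")
        counts[profile] += 1
        rule = suggest_rule(event)
        needed[profile].add(rule or f'# manual review: operation={event.get("operation")}')
    return dict(counts), {p: sorted(r) for p, r in needed.items()}


if __name__ == "__main__":
    counts, rules = summarize_rejects(SAMPLE_LOG)
    for profile in sorted(counts):
        print(f"{profile}: {counts[profile]} rejection(s)")
        for rule in rules[profile]:
            print(f"    {rule}")
```

Feed it the real audit log with summarize_rejects(open("/var/log/audit/audit.log").read()) and review the proposed rules against what the application legitimately does before adding any of them; a rule that would grant access to a path or socket the application has no business touching is the intrusion-attempt case described in Section 6.5.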
The current kernel requires the SYS_PTRACE capability if a process tries to access files in /proc/pid/fd/*. New profiles need an entry for the file and the capability, where old profiles only needed the file entry. For example:

/proc/*/fd/** rw,

in the old syntax would translate to the following rules in the new syntax:

capability SYS_PTRACE,
/proc/*/fd/** rw,

To update the profile to the new syntax, use the YaST Update Profile Wizard or the aa-logprof command as outlined below.

With this version of AppArmor, a few changes have been made to the profile rule syntax to better distinguish directory from file access. Therefore, some rules matching both file and directory paths in the previous version might now just match a file path. This could lead to AppArmor not being able to access a crucial directory at all and thus trigger misbehavior of your application and various log messages. The following examples highlight the most important changes to the path syntax.

Using the old syntax, the following rule would allow access to files and directories in /proc/net. It would allow directory access only to read the entries in the directory, but not give access to files or directories under the directory; e.g. /proc/net/dir is matched by the asterisk (*), but /proc/net/dir/foo is not, because foo is a file or directory under dir and so cannot be accessed.

/proc/net/* r,

To get the same behavior using the new syntax, you need two rules instead of one. The first allows access to files under /proc/net and the second allows access to directories under /proc/net. Directory access can only be used for listing the contents, not to actually access files or directories underneath the directory.

/proc/net/* r,
/proc/net/*/ r,

The following rule works similarly under both the old and the new syntax and allows access to both files and directories under /proc/net:

/proc/net/** r,

To distinguish file from directory access using the above expression in the new syntax, use the following two rules. The first one only allows recursive access to directories under /proc/net, while the second one explicitly allows recursive file access only.

/proc/net/**/ r,
/proc/net/**[^/] r,

The following rule works similarly under both the old and the new syntax and allows access to both files and directories beginning with foo under /proc/net:

/proc/net/foo** r,

To distinguish file from directory access in the new syntax and use the ** globbing pattern, use the following two rules. The first one would have matched both files and directories in the old syntax, but only matches files in the new syntax due to the missing trailing slash. The second rule matched neither file nor directory in the old syntax, but matches directories only in the new syntax:

/proc/net/**foo r,
/proc/net/**foo/ r,

The following rules illustrate how the use of the globbing pattern has changed. In the old syntax, the first rule would have matched both files and directories (four characters, last character could be any but a slash). In the new syntax, it matches only files (trailing slash is missing). The second rule would match nothing in the old profile syntax, but matches directories only in the new syntax. The last rule explicitly matches a file called bar under /proc/net/foo. Using the old syntax, this rule would have applied to both files and directories:

/proc/net/foo r,
/proc/net/foo/ r,
/proc/net/foo/bar r,

To find and resolve issues related to syntax changes, take some time after the update to check the profiles you want to keep, and proceed as follows for each application you kept the profile for:

1 Make sure that AppArmor is running and that the application's profile is loaded.

2 Start the YaST AppArmor Control Panel and put the application's profile into complain mode. Log entries are made for any actions violating the current profile, but the profile is not enforced and the application's behavior is not restricted.

3 Run the application, covering all the tasks you need this application to be able to perform.

4 Start the YaST Update Profile Wizard to update the application's profile according to the log entries generated while running the application.

5 Once the profile is updated, put it back into enforce mode via the YaST AppArmor Control Panel.

Using the AppArmor command line tools, you would proceed as follows:

1 Put the application's profile into complain mode:

aa-complain /path/to/application

2 Run the application.

3 Update the profile according to the log entries made while running the application:

aa-logprof /path/to/application

4 Put the resulting profile back into enforce mode:

aa-enforce /path/to/application
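The following Python is an added example, not taken from this guide or from apparmor_parser, that models the old and new path-matching rules described above so you can check an old profile for paths it will silently stop covering after the upgrade, before you find out from REJECT entries in the audit log. It translates a rule path's globs (*, **, ?, [...]) into a regular expression, represents a directory as its path with a trailing slash under the new syntax as the guide describes, and treats the old syntax as making no file/directory distinction (so a rule ending in / matched nothing). Brace alternation {a,b} is not handled, and the directory listing is a constructed sample rather than a real /proc/net.

```python
import re

# Constructed sample listing (not a real /proc/net): (path, is_directory).
SAMPLE_TREE = [
    ("/proc/net/dev", False),
    ("/proc/net/stat", True),
    ("/proc/net/stat/arp_cache", False),
    ("/proc/net/stat/foo", False),
    ("/proc/net/foo", True),
    ("/proc/net/foo/bar", False),
    ("/proc/net/foobar", False),
]


def glob_to_regex(pattern):
    """Translate the path part of a file rule into an anchored regex:
    '*' is any run of non-slash characters, '**' also crosses '/',
    '?' is one non-slash character, '[...]' is passed through as a
    character class, everything else is literal. {a,b} alternation is
    deliberately not handled."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif ch == "*":
            parts.append("[^/]*")
            i += 1
        elif ch == "?":
            parts.append("[^/]")
            i += 1
        elif ch == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError(f"unterminated character class in {pattern!r}")
            parts.append(pattern[i:end + 1])
            i = end + 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def matches(rule_path, path, is_dir, new_syntax=True):
    """Under the new syntax a directory is matched as 'path/', so a rule
    ending in '/' is directory-only and a rule without it is file-only.
    Under the old syntax no distinction was made: files and directories
    were both matched as bare 'path', so a rule ending in '/' matched nothing."""
    subject = path.rstrip("/")
    if new_syntax and is_dir:
        subject += "/"
    return glob_to_regex(rule_path).match(subject) is not None


def covered_by(rules, path, is_dir, new_syntax=True):
    """The rule paths that grant access to this entry under the given syntax."""
    return [r for r in rules if matches(r, path, is_dir, new_syntax)]


def syntax_regressions(rules, tree):
    """Entries that some rule covered under the old syntax but no rule covers
    under the new one: the accesses that will start being rejected (and
    logged) after the upgrade unless the profile is updated."""
    lost = []
    for path, is_dir in tree:
        if covered_by(rules, path, is_dir, new_syntax=False) and not covered_by(rules, path, is_dir):
            lost.append(path + "/" if is_dir else path)
    return lost


if __name__ == "__main__":
    old_profile = ["/proc/net/*"]
    print("lost after upgrade:", syntax_regressions(old_profile, SAMPLE_TREE))
    fixed_profile = ["/proc/net/*", "/proc/net/*/"]
    print("lost with directory rule added:", syntax_regressions(fixed_profile, SAMPLE_TREE))
```

With the single old rule /proc/net/* the directories /proc/net/stat/ and /proc/net/foo/ are reported as lost; adding /proc/net/*/ as the guide suggests empties the list. To apply this to a real profile, collect the path parts of its file rules and walk the directories the application actually uses (os.walk gives you path and is_dir) in place of SAMPLE_TREE.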
7.4.3 How to Confine KDE Applications with AppArmor

Currently, it is not possible to confine KDE applications to the same extent as any other application due to the way KDE manages its processes. If you want to confine KDE applications, choose one of the following approaches, but note that none of them is really suited for a standard setup:

Create a Single Profile for the Entire KDE Desktop
As all KDE processes are children of one parent process and AppArmor cannot distinguish an individual application's process from the rest, create one huge profile to confine the entire desktop all at once. This approach is only feasible if your setup is a very limited (kiosk-type) one. Maintaining such a profile for a standard KDE desktop including all of its applications would be close to impossible.

Modify KDE's Process Handling
Use the KDE_EXEC_SLAVES=1 and KDE_IS_PRELINKED=1 variables to force KDE to manage its processes in a way that lets AppArmor distinguish individual applications from each other and apply profiles to them. This approach might slow down your desktop considerably, as it turns off a crucial optimization for speed. Note that the above mentioned environment variables have to be set before KDM/XDM/GDM or startx are started. One way to achieve this would be to add them to /etc/security/pam_env.conf.
7.4.4 How to Resolve Issues with Apache

Apache is not starting properly or it is not serving Web pages and you just installed a new module or made a configuration change. When you install additional Apache modules (like apache2-mod_apparmor) or make configuration changes to Apache, you should profile Apache again to catch any additional rules that need to be added to the profile.
7.4.5 Why are the Reports not Sent by E-Mail

When the reporting feature generates an HTML or CSV file that exceeds the default size, the file is not sent. Mail servers have a default, hard limit for e-mail size. This limitation can impede AppArmor's ability to send e-mails that are generated for reporting purposes. If your mail is not arriving, this could be why. Consider the mail size limits and check the archives if e-mails have not been received.
7.4.6 How to Exclude Certain Profiles from the List of Profiles Used

AppArmor always loads and applies all profiles that are available in its profile directory (/etc/apparmor.d/). If you decide not to apply a profile to a certain application, delete the appropriate profile or move it to another location where AppArmor would not check for it.
7.4.7 Can I Manage Profiles for Applications not Installed on my System

Managing profiles with AppArmor requires you to have access to the log of the system the application is running on. So you do not need to run the application on your profile build host as long as you have access to the machine that runs the application. You can run the application on one system, transfer the logs (/var/log/audit/audit.log or, if audit is not installed, /var/log/messages) to your profile build host and run aa-logprof -f path_to_logfile.
7.4.8 How to Spot and Fix AppArmor Syntax Errors

Manually editing Novell AppArmor profiles can introduce syntax errors. If you attempt to start or restart AppArmor with syntax errors in your profiles, error results are shown. This example shows the syntax of the entire parser error:

localhost:~# rcapparmor start
Loading AppArmor profiles
AppArmor parser error, line 2: Found unexpected character: 'h'
Profile /etc/apparmor.d/usr.sbin.squid failed to load
failed

Using the AppArmor YaST tools, a graphical error message indicates which profile contained the error and requests you to fix it. To fix a syntax error, log in to a terminal window as root, open the profile, and correct the syntax. Reload the profile set with rcapparmor reload.
7.5 Reporting Bugs for AppArmor

The developers of AppArmor are eager to deliver products of the highest quality. Your feedback and your bug reports help us keep the quality high. Whenever you encounter a bug in AppArmor, file a bug report against this product:

1 Use your Web browser to go to https://bugzilla.novell.com/index.cgi.

2 Enter the account data of your Novell account and click Login, or create a new Novell account as follows:

2a Click Create New Account on the Login to Continue page.

2b Provide a username and password and additional address data and click Create Login to immediately proceed with the login creation, or provide data on which other Novell accounts you maintain to sync all these to one account.

3 Check whether a problem similar to yours has already been reported by clicking Search Reports. Use a quick search against a given product and keyword or use the Advanced Search.

4 If your problem has already been reported, check this bug report and add extra information to it, if necessary.

5 If your problem has not been reported yet, select New from the top navigation bar and proceed to the Enter Bug page.

6 Select the product against which to file the bug. In your case, this would be your product's release. Click Submit.

7 Select the product version, component (AppArmor in this case), hardware platform, and severity.

8 Enter a brief headline describing your problem and add a more elaborate description including log files. You may create attachments to your bug report for screenshots, log files, or test cases.

9 Click Submit after you have entered all the details to send your report to the developers.
A Background Information on AppArmor Profiling

For more information about the science and security of Novell AppArmor, refer to the following papers:

SubDomain: Parsimonious Server Security by Crispin Cowan, Steve Beattie, Greg Kroah-Hartman, Calton Pu, Perry Wagle, and Virgil Gligor
Describes the initial design and implementation of Novell AppArmor. Published in the proceedings of the USENIX LISA Conference, December 2000, New Orleans, LA. This paper is now out of date, describing syntax and features that are different from the current Novell AppArmor product. This paper should be used only for scientific background and not for technical documentation.

Defcon Capture the Flag: Defending Vulnerable Code from Intense Attack by Crispin Cowan, Seth Arnold, Steve Beattie, Chris Wright, and John Viega
A good guide to strategic and tactical use of Novell AppArmor to solve severe security problems in a very short period of time. Published in the Proceedings of the DARPA Information Survivability Conference and Expo (DISCEX III), April 2003, Washington, DC.

AppArmor for Geeks by Seth Arnold
This document tries to convey a better understanding of the technical details of AppArmor. It is available at http://en.opensuse.org/AppArmor_Geeks.

AppArmor Technical Documentation by Andreas Gruenbacher and Seth Arnold
This document discusses the concept and design of AppArmor from a very technical point of view. It is available at http://forgeftp.novell.com//apparmor/LKML_Submission-June-07/techdoc.html.
BGNULicensesThisappendixcontainstheGNUGeneralPublicLicenseandtheGNUFreeDocumen-tationLicense.
GNUGeneralPublicLicenseVersion2,June1991Copyright(C)1989,1991FreeSoftwareFoundation,Inc.
59TemplePlace-Suite330,Boston,MA02111-1307,USAEveryoneispermittedtocopyanddistributeverbatimcopiesofthislicensedocument,butchangingitisnotallowed.
PreambleThelicensesformostsoftwarearedesignedtotakeawayyourfreedomtoshareandchangeit.
Bycontrast,theGNUGeneralPublicLicenseisintendedtoguaranteeyourfreedomtoshareandchangefreesoftware--tomakesurethesoftwareisfreeforallitsusers.
ThisGeneralPublicLicenseappliestomostoftheFreeSoftwareFoundation'ssoftwareandtoanyotherprogramwhoseauthorscommittousingit.
(SomeotherFreeSoftwareFoundationsoftwareiscoveredbytheGNULibraryGeneralPublicLicenseinstead.
)Youcanapplyittoyourprograms,too.
Whenwespeakoffreesoftware,wearereferringtofreedom,notprice.
OurGeneralPublicLicensesaredesignedtomakesurethatyouhavethefreedomtodistributecopiesoffreesoftware(andchargeforthisserviceifyouwish),thatyoureceivesourcecodeorcangetitifyouwantit,thatyoucanchangethesoftwareorusepiecesofitinnewfreeprograms;andthatyouknowyoucandothesethings.
Toprotectyourrights,weneedtomakerestrictionsthatforbidanyonetodenyyoutheserightsortoaskyoutosurrendertherights.
Theserestrictionstranslatetocertainresponsibilitiesforyouifyoudistributecopiesofthesoftware,orifyoumodifyit.
Forexample,ifyoudistributecopiesofsuchaprogram,whethergratisorforafee,youmustgivetherecipientsalltherightsthatyouhave.
Youmustmakesurethatthey,too,receiveorcangetthesourcecode.
Andyoumustshowthemthesetermssotheyknowtheirrights.
Weprotectyourrightswithtwosteps:(1)copyrightthesoftware,and(2)offeryouthislicensewhichgivesyoulegalpermissiontocopy,distributeand/ormodifythesoftware.
Also,foreachauthor'sprotectionandours,wewanttomakecertainthateveryoneunderstandsthatthereisnowarrantyforthisfreesoftware.
Ifthesoftwareismodifiedbysomeoneelseandpassedon,wewantitsrecipientstoknowthatwhattheyhaveisnottheoriginal,sothatanyproblemsintroducedbyotherswillnotreflectontheoriginalauthors'reputations.
Finally,anyfreeprogramisthreatenedconstantlybysoftwarepatents.
Wewishtoavoidthedangerthatredistributorsofafreeprogramwillindividu-allyobtainpatentlicenses,ineffectmakingtheprogramproprietary.
Topreventthis,wehavemadeitclearthatanypatentmustbelicensedforeveryone'sfreeuseornotlicensedatall.
Theprecisetermsandconditionsforcopying,distributionandmodificationfollow.
GNUGENERALPUBLICLICENSETERMSANDCONDITIONSFORCOPYING,DISTRIBUTIONANDMODIFICATION0.
ThisLicenseappliestoanyprogramorotherworkwhichcontainsanoticeplacedbythecopyrightholdersayingitmaybedistributedunderthetermsofthisGeneralPublicLicense.
The"Program",below,referstoanysuchprogramorwork,anda"workbasedontheProgram"meanseithertheProgramoranyderivativeworkundercopyrightlaw:thatistosay,aworkcontainingtheProgramoraportionofit,eitherverbatimorwithmodificationsand/ortranslatedintoanotherlanguage.
(Hereinafter,translationisincludedwithoutlimitationintheterm"modification".
)Eachlicenseeisaddressedas"you".
Activitiesotherthancopying,distributionandmodificationarenotcoveredbythisLicense;theyareoutsideitsscope.
TheactofrunningtheProgramisnotrestricted,andtheoutputfromtheProgramiscoveredonlyifitscontentsconstituteaworkbasedontheProgram(independentofhavingbeenmadebyrunningtheProgram).
WhetherthatistruedependsonwhattheProgramdoes.
1.
YoumaycopyanddistributeverbatimcopiesoftheProgram'ssourcecodeasyoureceiveit,inanymedium,providedthatyouconspicuouslyandappropriatelypublishoneachcopyanappropriatecopyrightnoticeanddisclaimerofwarranty;keepintactallthenoticesthatrefertothisLicenseandtotheabsenceofanywarranty;andgiveanyotherrecipientsoftheProgramacopyofthisLicensealongwiththeProgram.
Youmaychargeafeeforthephysicalactoftransferringacopy,andyoumayatyouroptionofferwarrantyprotectioninexchangeforafee.
2.
YoumaymodifyyourcopyorcopiesoftheProgramoranyportionofit,thusformingaworkbasedontheProgram,andcopyanddistributesuchmodificationsorworkunderthetermsofSection1above,providedthatyoualsomeetalloftheseconditions:a)Youmustcausethemodifiedfilestocarryprominentnoticesstatingthatyouchangedthefilesandthedateofanychange.
b)Youmustcauseanyworkthatyoudistributeorpublish,thatinwholeorinpartcontainsorisderivedfromtheProgramoranypartthereof,tobelicensedasawholeatnochargetoallthirdpartiesunderthetermsofthisLicense.
c)Ifthemodifiedprogramnormallyreadscommandsinteractivelywhenrun,youmustcauseit,whenstartedrunningforsuchinteractiveuseinthemostordinaryway,toprintordisplayanannouncementincludinganappropriatecopyrightnoticeandanoticethatthereisnowarranty(orelse,sayingthatyouprovideawarranty)andthatusersmayredistributetheprogramundertheseconditions,andtellingtheuserhowtoviewacopyofthisLicense.
(Exception:iftheProgramitselfisinteractivebutdoesnotnormallyprintsuchanannouncement,yourworkbasedontheProgramisnotrequiredtoprintanannouncement.
)Theserequirementsapplytothemodifiedworkasawhole.
IfidentifiablesectionsofthatworkarenotderivedfromtheProgram,andcanbereasonablyconsideredindependentandseparateworksinthemselves,thenthisLicense,anditsterms,donotapplytothosesectionswhenyoudistributethemasseparateworks.
ButwhenyoudistributethesamesectionsaspartofawholewhichisaworkbasedontheProgram,thedistributionofthewholemustbeonthetermsofthisLicense,whosepermissionsforotherlicenseesextendtotheentirewhole,andthustoeachandeverypartregardlessofwhowroteit.
Thus,itisnottheintentofthissectiontoclaimrightsorcontestyourrightstoworkwrittenentirelybyyou;rather,theintentistoexercisetherighttocontrolthedistributionofderivativeorcollectiveworksbasedontheProgram.
Inaddition,mereaggregationofanotherworknotbasedontheProgramwiththeProgram(orwithaworkbasedontheProgram)onavolumeofastorageordistributionmediumdoesnotbringtheotherworkunderthescopeofthisLicense.
3.
YoumaycopyanddistributetheProgram(oraworkbasedonit,underSection2)inobjectcodeorexecutableformunderthetermsofSections1and2aboveprovidedthatyoualsodooneofthefollowing:a)Accompanyitwiththecompletecorrespondingmachine-readablesourcecode,whichmustbedistributedunderthetermsofSections1and2aboveonamediumcustomarilyusedforsoftwareinterchange;or,b)Accompanyitwithawrittenoffer,validforatleastthreeyears,togiveanythirdparty,forachargenomorethanyourcostofphysicallyperformingsourcedistribution,acompletemachine-readablecopyofthecorrespondingsourcecode,tobedistributedunderthetermsofSections1and2aboveonamediumcustomarilyusedforsoftwareinterchange;or,c)Accompanyitwiththeinformationyoureceivedastotheoffertodistributecorrespondingsourcecode.
(Thisalternativeisallowedonlyfornoncommercialdistributionandonlyifyoureceivedtheprograminobjectcodeorexecutableformwithsuchanoffer,inaccordwithSubsectionbabove.
)Thesourcecodeforaworkmeansthepreferredformoftheworkformakingmodificationstoit.
Foranexecutablework,completesourcecodemeansallthesourcecodeforallmodulesitcontains,plusanyassociatedinterfacedefinitionfiles,plusthescriptsusedtocontrolcompilationandinstallationoftheexecutable.
However,asaspecialexception,thesourcecodedistributedneednotincludeanythingthatisnormallydistributed(ineithersourceorbinaryform)withthemajorcomponents(compiler,kernel,andsoon)oftheoperatingsystemonwhichtheexecutableruns,unlessthatcomponentitselfaccompaniestheexecutable.
Ifdistributionofexecutableorobjectcodeismadebyofferingaccesstocopyfromadesignatedplace,thenofferingequivalentaccesstocopythesourcecodefromthesameplacecountsasdistributionofthesourcecode,eventhoughthirdpartiesarenotcompelledtocopythesourcealongwiththeobjectcode.
4.
Youmaynotcopy,modify,sublicense,ordistributetheProgramexceptasexpresslyprovidedunderthisLicense.
Anyattemptotherwisetocopy,modify,sublicenseordistributetheProgramisvoid,andwillautomaticallyterminateyourrightsunderthisLicense.
However,partieswhohavereceivedcopies,orrights,fromyouunderthisLicensewillnothavetheirlicensesterminatedsolongassuchpartiesremaininfullcompliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

one line to give the program's name and an idea of what it does.
Copyright (C) yyyy name of author

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker.

signature of Ty Coon, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License [http://www.fsf.org/licenses/lgpl.html] instead of this License.
GNU Free Documentation License
Version 1.2, November 2002

Copyright (C) 2000, 2001, 2002 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.
1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition.

The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.
2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.
3. COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.
4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.

C. State on the Title page the name of the publisher of the Modified Version, as the publisher.

D. Preserve all the copyright notices of the Document.

E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

F. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.

H. Include an unaltered copy of this License.

I. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.

J. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.

K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.

L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.

M. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version.

N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section.

O. Preserve any Warranty Disclaimers.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.
5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements".
6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.
7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.
8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.

If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.
9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.
ADDENDUM: How to use this License for your documents

To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page:

Copyright (c) YEAR YOUR NAME.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 only as published by the Free Software Foundation; with the Invariant Section being this copyright notice and license. A copy of the license is included in the section entitled "GNU Free Documentation License".

If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts, replace the "with...Texts." line with this: with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.

If you have Invariant Sections without Cover Texts, or some other combination of the three, merge those two alternatives to suit the situation.

If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.
Glossary

Apache
Apache is a freely available UNIX-based Web server. It is currently the most commonly used Web server on the Internet. Find more information about Apache at the Apache Web site at http://www.apache.org.

application firewalling
Novell AppArmor contains applications and limits the actions they are permitted to take. It uses privilege confinement to prevent attackers from using malicious programs on the protected server and even using trusted applications in unintended ways.

attack signature
Pattern in system or network activity that signals a possible virus or hacker attack. Intrusion detection systems might use attack signatures to distinguish between legitimate and potentially malicious activity. By not relying on attack signatures, Novell AppArmor provides "proactive" instead of "reactive" defense from attacks. This is better because there is no window of vulnerability where the attack signature must be defined for Novell AppArmor as it does for products using attack signatures to secure their networks.

GUI
Graphical user interface. Refers to a software front-end meant to provide an attractive and easy-to-use interface between a computer user and application. Its elements include such things as windows, icons, buttons, cursors, and scrollbars.

globbing
File name substitution.

HIP
Host intrusion prevention. Works with the operating system kernel to block abnormal application behavior in the expectation that the abnormal behavior represents an unknown attack. Blocks malicious packets on the host at the network level before they can "hurt" the application they target.

mandatory access control
A means of restricting access to objects that is based on fixed security attributes assigned to users, files, and other objects. The controls are mandatory in the sense that they cannot be modified by users or their programs.

profile foundation classes
Profile building blocks needed for common application activities, such as DNS lookup and user authentication.

RPM
The RPM Package Manager. An open packaging system available for anyone to use. It works on Red Hat Linux, openSUSE, and other Linux and UNIX systems. It is capable of installing, uninstalling, verifying, querying, and updating computer software packages. See http://www.rpm.org/ for more information.

SSH
Secure Shell. A service that allows you to access your server from a remote computer and issue text commands through a secure connection.

streamlined access control
Novell AppArmor provides streamlined access control for network services by specifying which files each program is allowed to read, write, and execute. This ensures that each program does what it is supposed to do and nothing else.

URI
Universal resource identifier. The generic term for all types of names and addresses that refer to objects on the World Wide Web. A URL is one kind of URI.

URL
Uniform Resource Locator. The global address of documents and other resources on the World Wide Web. The first part of the address indicates what protocol to use and the second part specifies the IP address or the domain name where the resource is located. For example, in http://www.novell.com, http is the protocol to use.

vulnerabilities
An aspect of a system or network that leaves it open to attack. Characteristics of computer systems that allow an individual to keep it from correctly operating or that allows unauthorized users to take control of the system. Design, administrative, or implementation weaknesses or flaws in hardware, firmware, or software. If exploited, a vulnerability could lead to an unacceptable impact in the form of unauthorized access to information or disruption of critical processing.