Debian 8: Mandatory Access Control with AppArmor

Install AppArmor, change kernel parameter and reboot.

$ sudo apt install -y apparmor apparmor-utils \
       apparmor-profiles apparmor-profiles-extra
$ sudo systemctl enable apparmor
$ . /etc/default/grub
$ V="${GRUB_CMDLINE_LINUX} apparmor=1 security=apparmor"
$ sudo sed -e "s/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX=\"${V}\"/g" \
       -i /etc/default/grub
$ sudo grub-mkconfig -o /boot/grub/grub.cfg
$ sudo reboot

Enable profile after reboot.

$ for p in /etc/apparmor.d/*; do sudo aa-enforce "${p}"; done
$ sudo systemctl reload apparmor

The aa-status shows AppArmor status. Enforce mode blocks unallowed operation. Complain mode does not unallowed operation but reports to log file. For example, /sbin/dhclient's behavior is limited by AppArmor (AppArmor is path based MAC). And not listed path here are not limited by AppArmor.

$ sudo aa-status
apparmor module is loaded.
59 profiles are loaded.
59 profiles are in enforce mode.
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/bin/irssi
   /usr/bin/pidgin
   /usr/bin/pidgin//launchpad_integration
   /usr/bin/pidgin//sanitized_helper
   /usr/bin/totem
   /usr/bin/totem-audio-preview
   /usr/bin/totem-video-thumbnailer
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//lsb_release
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
   /usr/lib/chromium-browser/chromium-browser//xdgsettings
<snip>

$ sudo aa-enforce /etc/apparmor.d/<profile>

$ sudo aa-complain /etc/apparmor.d/<profile>

$ sudo apparmor_parser -R /etc/apparmor.d/<profile>
$ sudo ln -s /etc/apparmor.d/<profile> /etc/apparmor.d/disable/

$ sudo apparmor_parser -r /etc/apparmor.d/<profile>
$ sudo rm -f /etc/apparmor.d/disable/<profile>

This article will use /bin/mycat which is /bin/cat copy. And create profile for /bin/mycat.

$ sudo cp /bin/cat /bin/mycat

Create base profile with aa-genprof. And terminate aa-genprof with pressing F key.

After running aa-genprof, run /bin/mycat on the other terminal and output log to /var/log/syslog. Pressing S key to aa-genprof will read /var/log/syslog and suggest profile.

$ sudo aa-genprof /bin/mycat
<snip>
Profiling: /bin/mycat

[(S)can system log for AppArmor events] / (F)inish
<snip>

The base profile is the following.

$ sudo cat /etc/apparmor.d/bin.mycat
# Last Modified: Tue Jun 13 16:38:23 2017
#include <tunables/global>

/bin/mycat {
  #include <abstractions/base>

  /bin/mycat mr,

}

Change this base profile to the following. Note that /for is treated as a file and /bar/ is treated as a directory.

$ sudo cat /etc/apparmor.d/bin.mycat
# Last Modified: Tue Jun 13 16:38:23 2017
#include <tunables/global>

/bin/mycat {
  #include <abstractions/base>

  /bin/mycat mr,

  # /foo is file and /bar/ is directory.
  /etc/hostname r, # /etc/hostname can be read.
  /etc/dpkg/* r,   # Files in /etc/dpkg can be read but directory cannot.
  /etc/apt/** r,   # All file and directory in /etc/apt can be read.
}

Enable profile with aa-enforce.

$ sudo aa-enforce /etc/apparmor.d/bin.mycat
Setting /etc/apparmor.d/bin.mycat to enforce mode.

Running /bin/mycat is the following.

$ mycat /etc/passwd > /dev/null
mycat: /etc/passwd: Permission denied
$ mycat /etc/hostname > /dev/null
$ mycat /etc/dpkg/dpkg.cfg > /dev/null
$ mycat /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null
mycat: /etc/dpkg/dpkg.cfg.d/force-unsafe-io: Permission denied
$ mycat /etc/apt/apt.conf.d/00CDMountPoint > /dev/null
$