Learn about Linux
Download Linux
Get Linux helpSpecial Offers
Feature: Security
Firewall your applications with AppArmor
Share
Print
CommentsOne would assume defending applications is as easy as guarding the whole gamut of services running on a network attached computer. But applications these days are complex and intertwined, sharing libraries and files scattered all over the disk. More importantly, Discretionary Access Control (DAC) allows a program to run with the permissions of the user executing it, which introduces the possibility of exploiting a defect in the application to gain super user privileges.
With AppArmor, the idea is to defend individual applications against such threats by restricting their access to only the necessary files and libraries. Simply put, it allows one to lock down an application and the files to be accessed with absolute path names, followed by the common read and write access modes.
AppArmor plugs into the Linux Security Model (LSM) kernel interface. LSM is the de-facto API in the Linux kernel that security models must talk to, which can be applied as a patch to a stock kernel.
AppArmor also compliments the DAC model of accessing files under Linux. First, the user running an application must have sufficient permission to run the program and to access any files. Then, AppArmor applies the mechanism of Mandatory Access Control (MAC) by granting programs only the privileges they need to do their job and nothing else. So if program X needs to access a library Y, DAC first ensures it has adequate permissions to do so, before AppArmor comes into the picture and further locks down the privileges.
Using AppArmor
AppArmor actually began life with Immunix, which was acquired by Novell in May 2005. Novell then worked on the closed-source application and released it as free software under the GNU General Public License (GPL) in January 2006. AppArmor is integrated into both of Novell's offerings, the subscription-based SUSE Enterprise Linux and the free openSUSE Linux distribution. If you chose not to install AppArmor during installation, you can do it post-install through SUSE's setup tool, YaST.
AppArmor has its own management section under YaST. From here, you can enable or disable AppArmor as well as add, delete, and update application profiles. Once AppArmor is enabled, it automatically enforces security profiles that are present in the /etc/apparmor.d directory.
| AppArmor or SELinux? |
|---|
|
The open source security camp is divided into (at least) two factions; one group advocating the easy to use AppArmor and the other rallying behind the more comprehensive SELinux. AppArmor and SELinux have similar goals, but they approach it differently. AppArmor wraps around individual applications and limits its access to the essential libraries and files only. SELinux is designed to control the whole operating system and even regulate the flow of information within the distribution. SELinux's approach is more comprehensive, and is based on strong security techniques like MAC and Multi-Level Security (MLS). But this makes it rather cumbersome to set up. While both products are open source, Novell is still in the driver's seat for AppArmor's development. SELinux on the other hand, is developed by several vendors including Red Hat, Tresys, NSA, IBM, HP, and by individual open source developers. Comparing how the tools have evolved would be unfair, since AppArmor is still the new kid on the block. Since being open sourced in late 2000, SELinux has been making steady progress towards being easy to setup and maintain, thanks to several new graphical tools and utilities that make the job easier. Both solutions are focusing on securing applications that operate on the threshold between the local computer and the outside world. So what should you be running? Well, as things stand currently, the answer depends on what distribution you run. To get the most out of AppArmor you have to be using either the free openSUSE distribution or SUSE Linux for the enterprise. Similarly, Fedora and Red Hat Enterprise Linux users get the maximum benefit of SELinux development. |
SUSE ships with profiles for common services such as ntp, netstat, ping, traceroute, and applications such as Firefox. SUSE also includes several profiles under /etc/apparmor/profiles/extras/ for various applications like Gaim, Evolution, RealPlayer, and for several commands and services like useradd, userdel, Squid, Sendmail, and MySQL -- though the README in the directory warns that these profiles haven't been tested enough and should not be used without modifications.
To help you generate profiles, AppArmor includes several console-based as well as graphical tools. Ensure the application isn't running before you pull it up for profiling. AppArmor begins by asking the location of the program you want to profile. It then runs an analysis tool to detect and make note of all library references made by the application. Once completed (it usually takes only few seconds), it switches into a "learning mode" and requests you to start and use the application. Use it to perform all the required functions. Upon completion AppArmor will scan the system logs and generate a series of questions to help you lock down the application.
Here's a portion of a sample profile:
#include <tunables/global>
/usr/bin/ldd {
#include <abstractions/consoles>
/dev/log w,
/dev/urandom r,
/usr/lib64/locale/** r,
/lib/lib*.so* r,
/dev/null rw,
/dev/zero rw,
}
As you can see, a major portion of the profile is nothing but a list of files and libraries the application requires, with absolute pathnames and the access mode. The #include statement pulls in external predefined components of AppArmor into the profile. The profile begins with the absolute path to the application, in this case, /usr/bin/ldd.
Also notice how the wildcard character (*) is used to give read access to every file that begins with lib and has a extension that begins with so. This is to safeguard against future changes to the libraries. The double asterisk (**) is borrowed from rsync. It will include all files, even subdirectories and files under them as well.
Profiles are automatically enforced upon creation. If you make changes to the application or the libraries and files it depends upon, you also need to update the profile accordingly. The AppArmor Administration Guide details the entire procedure of creating, updating, and managing profiles with illustrations.
For creating and editing profiles you need root privileges. But the idea with AppArmor is to neutralize the adverse effects of a compromised application that itself runs as root. If you are a paranoid user and don't trust your new system admin with the root password, use AppArmor to create restricted login shells. This AppArmor FAQ entry, for example, shows how a user can be given some of root's privileges to access the system log, but not the power to reboot the server.
One interesting feature of AppArmor is its ability to run portions of a program protected by a profile in a security context of their own. An application can be made to "change hats" as required to confine a particular sub-process. But for this to work, applications need to be made "change hat" aware. Novell ships the Apache Web server with a special module called mod_change_hat. Using this module, individual PHP pages or CGI scripts can run inside their own security domain without the full privileges of Apache.
Bouquets and Brickbats
For what it promises, AppArmor is fairly simple to roll-out, at least for SUSE users. Installation doesn't require any kernel or application recompilation and is well integrated into both Novell distributions. Even home users of SUSE Linux would find it relatively easy to wrap a secure profile around some of their critical network applications, like the Gaim instant messenger or the Firefox Web browser.
But to extract maximum juice out of AppArmor you really have to know the application thoroughly. Once the profile takes over, access to every feature that you forgot to make it aware of, will be blocked. If you are careless, you can also even trip over AppArmor's flexibility. Read and carefully choose the appropriate permissions for all the references to the various files and libraries. Make careful use of the wildcard characters.
Novell has two guides related to AppArmor, the detailed Administrators Guide and the short Quick Start Guide. Plus they have a FAQ, and several mailing lists as well. As mentioned earlier, there are several profiles included to help you get started. Enterprise users get the benefit of maintenance updates through their SUSE Linux subscription.
Improvements in the pipeline
AppArmor is under heavy development. While it is well integrated into the Novell distributions, you could also use AppArmor with Slackware. An Ubuntu port is also under way. To make AppArmor smarter, the developers have plans to use a better static analyzer in place of the current one that just recursively runs ldd to list shared library calls. Also under works is a smarter learning mode that will help administrators save time, by not reporting actions that have already been reported.
AppArmor is limited to guarding applications that have profiles. The plan for the future is to have a blanket profile for all applications that do not have a dedicated profile. By following a blacklist approach, this profile could deny access to key files in the distribution (/etc/sudoers, /etc/shadow) unless there is an application with a profile that is allowed access.
Conclusion
AppArmor is a very mature tool and Novell continues to develop it further. Like I have said throughout the article, it doesn't require a 500-page manual to get started with. But like every security tool, you must learn to use it properly. It's fairly easy to use from within the two SUSE variants but to reach the masses it has to be supported by other distributions as well. With mixed reactions to the recent Novell-Microsoft partnership, AppArmor could face some resistance from other distribution vendors.
Comments
on Firewall your applications with AppArmorNote: Comments are owned by the poster. We are not responsible for their content.
I think it will take a long time and the future will proof it how the fork sticks together.
I don't want to get used to something, when the chance is that next year you've to pay or get rid of the app.
SELinux has a steep learning curve, but has been approved (if that says anything...).
- Unomi -
It would be very good if the community would take a step back, take a deep breath and chill-out for a bit about this Novell/MS thing. If not we may end up throwing the baby out with the bath water. And that would be a very Bad Thing<tm>.
The MS deal cemented in my mind that Novell is on a downward spiral and should be avoided at all costs.
No one can stop us now except for ourselves. The deal between Microsoft and Novell is proof positive that we will prevail. They can't stop us. But if we're not careful we could stop ourselves by acting on irrational fears and zealotry (no matter how valid these fears may be). Microsoft is evil, no question about that. But we do not have to play by their rules.
You know, it is very possible that the only reason Microsoft made this deal with Novell was to cause an uproar in the community and plant the seeds of discontent. They get us fighting with ourselves and make us look childish and unstable to the rest of the world. It's just doing their work for them.
Sometimes you have to shoot yourself in the foot to know it hurts.
"Microsoft is evil, no question about that."
No. What's happening in Rwanda is evil. What's happenning in Iraq is evil. What Hitler did to the Jews is evil. Quite frankly most people using the word "evil" have never experienced in their lives. Which just explains why they abuse it so freely. There are plenty of other adjetives that do as well.
"They get us fighting with ourselves and make us look childish and unstable to the rest of the world. It's just doing their work for them."
Pfft! To quote slashdot "you must be new here?" The community has been behaving as you described before the Novell/MS deal was even a glimer in Balmer's eye.
Sometimes you have to shoot yourself in the foot to know it hurts.
That sounds like a foolish statement. It's never good to shoot yourself in the foot. Figuratively or literally.
No. What's happening in Rwanda is evil. What's happening in Iraq is evil. What Hitler did to the Jews is evil. Quite frankly most people using the word "evil" have never experienced in their lives. Which just explains why they abuse it so freely. There are plenty of other adjectives that do as well.
Granted there are other adjectives that would be suitable here. However it was understood by it's context that I was using the word "evil" in order to make my point (which it did quite clearly; I'm surprised you missed it). Literary license and all.
Pfft! To quote slashdot "you must be new here?" The community has been behaving as you described before the Novell/MS deal was even a glimmer in Balmer's eye.
In-fights and religious flame wars are part and parcel to the community. It's dominated by Alpha Males and thus it is inevitable there will be some dust-ups along the way. However, in the corporate world, 99.9% of these dust-ups go completely unnoticed. They only see things when it looks like their business will be impacted. They will look at the MS/Novell deal and say, "Hey, looks like someone has finally gotten on the ball and started to make things happen that we can benefit from." Then they'll look at the backlash and say, "Man, I knew it was all a farce. This Open Source is just a bunch of crazy hotheads who care nothing about helping us get our work done. Good thing we're staying away from them."
Oh, and not that it matters but I'm not at all new here. I started with Linux before, well, pretty much everyone in, on and around Linux Journal. And was doing what had yet to be called Open Source or Free Software for a few years prior to that.
<toot> <toot>
That's just me blowing my little horn.
What Hitler did to the Jews is evil.
As one who grew up in what used to be known as West Germany I have some knowledge of these events. I've been to Dachau and Passau and Nürnberg. And if you thought the Jews had it bad, you'd never believe what the Nazis did to the Gypsies.
This is depressing.
Additionally, how does one protect themselves for all the other applications out there. AppArmor comes with profiles for things like ping but, what about ls, date, rm, df, cp, mv, Gnome, KDE, OOo, Apache, Postfix, Samba, Xine, XMMS, MPlayer, Skype, Java, you get the idea? I guess the question is how should one actually use AppArmor? Does one use it on locked down servers and the few processes that such a server is running, or does one spend ages profiling every little application on a desktop system in order to secure it?
While on one hand, AppArmor seems like a fantastic tool, it seems like it might be a massive administrative burden at the same time and if there is a performance hit...
Performance overhead is, of course, variable. The cost is mostly in opening files and exec'ing programs, so it depends on your workload.
What programs to profile: that depends on your threat model. To defend against network attack, put a profile around every program with an open network port. AppArmor includes a system analyzer that scans for open network ports, finds listening programs, and reports their AppArmor profiles, if any.
<a href="http://www.novell.com/documentation/suse101/pdfdoc/apparmor-admin-guide_en/apparmor-admin-guide_en.pdf" title="novell.com">http://www.novell.com/documentation/suse101/pdfdo<nobr>c<wbr></nobr> /apparmor-admin-guide_en/apparmor-admin-guide_en.<nobr>p<wbr></nobr> df</a novell.com>
Might consider this.... *if* I trusted Novell!
Posted by: Anonymous Coward on December 06, 2006 03:09 AMRe:Might consider this.... *if* I trusted Novell!
Posted by: Administrator on December 14, 2006 07:44 PMAppArmor is GPL anyway. IF you do not like it, use another solution or build your own!
LOL with that attitude we would all be using Windows you fucking Jughead.
You might as well be using MS Office instead of OpenOffice or whatever else!
What is wrong with selinux?
Essentially, nothing is wrong with SELinux.
You can get it with Fedora Core 6 if you like, to say nothing of CentOS or Red Hat.
My experience is that you have faster results and far less administration hassles with SELinux than with AppArmor and the like.
Yours,
YBK
Exactly what makes SELinux the de facto standard?
Posted by: Administrator on December 14, 2006 07:57 PMExcuse me? Did you just tell me to RTFM? A 122 page manual, no less???
My question/comment was to point out important missing information in the article. AppArmor is not yet a widely known or used application and more detailed background and technical information would have made the article far more helpful.
If I must read the Admin guide in order to know an application's general capabilities, then perhaps they ought not bother with articles on Linux.com. I mean, if I always have to read through the admin guide, what's the point of the article?
No thanks man... I will pass. Besides, SELinux is 10x better and more widely used than Novell's apparmour stuff.
Did Microsoft get the rights to apparmor in the recent agreement? Who do we know or not? hmmm..
For the time being though AppArmor is GPL and has features badly needed in Linux deployments. Like say cluster computing where you want to run untrusted code, nesting browser plugins, wrapping closed source apps from doing anything unadvertised, or for that matter wrapping OSS apps we haven't had the time to audit.
As OSS grows our ability to trust software we download is going to get more and more precarious. Something like AppArmor, that has simple & readable config files is a must as we move forward.
The GPL wasn't created to prevent association, it was created to enable it. As long as the code is under GPL we can trust it, Novel not withstanding. If they ever change the license (and that is their prerogative) we can always fork the code and continue on our marry way.
Religious wars just get people killed. Can't we all just get along?
GPL is good. But the "for the time being" is exactly the sort of problem I'm trying to avoid. Maybe it's time to get a community fork of AppArmor. I'd consider using that.
The GPL wasn't created to prevent association, it was created to enable it.
Huh? It was created to give the end user the rights they deserve. And those rights are threatened whenever Microsoft gets involved.
Can't we all just get along?
When Microsoft is ready to stop trying to kill the rights of users, I'll be happy to coexist with them. If they've got legitimate complaints, then let them get them out in the open. The Linux community will deal with the issue and move on. Seriously, do you think they want to "just get along?"
How does AppArmor compare to grsecurity, SE-Linux, sandboxing, virtualization or running stuff in a chroot jail?
* Originally Immunix (Novell bought them out last year)
* Doesn't have PaX. (compared to grsecurity)
* Seems more like grsecurity ver 1.x series.
* Not quite sandboxing. (more fine-grained)
* Novell...Not exactly on the good side of the open community nowadays!
From a security perspective, SELinux is a better approach, but at the cost of complexity. While AppArmor is easier to handle. grsecurity is somewhere in between...But has memory protection features like PaX.
Regardless of which you pick, you have to read about them to properly use them to your advantage. You simply can't blindly "point and click" your way to security.
I've tried grsec+pax+rbac and I ended up disabling rbac because I was not able to made it worked as easy as said. The learning mode has created for my sshd but still, I can't logon from a remote station using PuTTY even I've spent so many days browsing the forum and doing comparisons, but still I never made it worked. Also, one postfix service is unable to execute itself and it wasn't included by the auto learning mode. But I'm sure, it can be addressed but I just decided not to spend another days more and have my attention diverted away from other obligations. I executed learning mode for more than a day and have used putty/sshd several times while on learning mode.
Then AppArmor after that came in to my mine as rbac replacement which I'm sure will not interfere with grsec+pax since apparmor is only for containing applications accesses to other parts of file system. But when I found out that it has no patch for 2.4 kernel, I lost my interest at the moment to implement it as complementary for grsecurity+pax.
Well so much for that theory..
Why don't people just Google before stating their opinions as facts?
Particularly ironic in my mind is the fact that all these people bashing, lamenting and swearing off of Novell, never ever bought a Novell product to begin with. These people never were nor will they ever be Novell customers so, Novell will never give their voices any sway.
And where do you get the facts to back up a statement like this?
I work in a clustered Novell Netware environment. We use a lot of SuSE Linux, too. And as soon as this announcement was made, we began investigating open source options. We're already starting to migrate our servers to an alternative Red Hat-based distribution.
Novell doesn't grok the Linux community any more than Microsoft does. And apparently you may not either.
I have seen this unsubstantiated allegation posted all over the place. It must be one of somebody's talking points.
Why is all this done anonymously in the first place, which does not leave much room for a good discussion, and are comments -in my opinion- somehow pointless and just FUD spreading.
In my eyes, Movell's AppArmor is a non-administrable mess. It resembles something called a 'registry' to an extent that makes me thow all over the place the very moment I see it installed (and non-operating, mostly at least).
I will spell it out to you:
- been there
- done that
- got the t-shirt
- puked all over the place
- uninstalled the sh1t, and enjoyed life again.
This apparmor-thingummabob looks like DOA. Some customers are impressed by it, though. This means some of us can get nice contracts. Unfortunately, this changes absolutely nothing about apparmors ineptitude to accomplish the very task it has been built to.
Yours,
YBK
Novell? I'll pass
Posted by: Anonymous Coward on December 06, 2006 10:02 AMIts from Novell? You mean the Novell who is now in bed with and has been bought and paid for by a secret agreement with Microsoft?
No thanks man... I will pass. Besides, SELinux is 10x better and more widely used than Novell's apparmour stuff.
Did Microsoft get the rights to apparmor in the recent agreement? Who do we know or not? hmmm..
#