Linux Security Framework -- Apparmor机制介绍
AppArmor 是一个类似于selinux 的东东,主要的作用是设置某个可执行程序的访问控制权限,可以限制程序 读/写某个目录/文件,打开/读/写网络端口等等。
Novell给出的Apparmor的解释:
AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if they are exploiting previously unknown vulnerabilities.之所以选择Apparmor而不是SELinux,主要基于以下两点原因:
- 对于初学者来说,Apparmor比SELinux更简单
- ubuntu的粉丝,ubuntu选择了Apparmor,同理,如果你是fedora的粉丝,很明显会选择SELinux
实事求是的说,SELinux比Apparmor更安全,更灵活,同时配置起来也更复杂。SELinux与Apparmor最大的区别在于:Apparmor使用文件名(路径名)最为安全标签,而SELinux使用文件的inode作为安全标签,这就意味着,Apparmor机制可以通过修改文件名而被绕过,另外,在文件系统中,只有inode才具有唯一性。
由于ubuntu发行版已经自带了Apparmor的package,所以只需要在命令行中输入如下命令,就可以查询当前Apparmor的状态:
- sudo apparmor_status
从上图中可以看出,当前Apparmor包含了20个profile文件,而且都处于enforce状态,没有处于enforce状态的文件。Apparmor的profile文件分为两类:enforce与complain mode,存在于/etc/apparmor.d/目录下,下面来看下官方给出的两种不同状态的profile的解释。
Enforcing: This means the profile is actively protecting the application. By default, Ubuntu already locks down the CUPS daemon for you, but you will see several other profiles listed that you can set to enforce mode at any time. 简单理解就是:如果某个程序不符合其profile文件的限制,程序行为将会失败。
Complain: This means a profile exists but is not yet actively protecting the application. Instead, it is sort of in "debug" mode and will put "complain" messages into /var/log/messages. What this means is that if the application wants to read, write, or execute something that isn't listed in the profile, it will complain. This is how you generally create a profile.简单理解就是:如果某个程序不符合其profile文件的限制,改程序就会被apparmor“打小报告”,即将该程序的行为记录在系统日志中,但是程序访问行为会成功,比如本来没有让某个程序访问某个文件,但就是访问,仅仅报告一下,文件访问会成功,如果在enforce模式下,文件访问就会失败。
如果想把某个profile置为enforce状态,执行如下命令:- sudo enforce <application_name>
- sudo complain <application_name>
- sudo /etc/init.d/apparmor restart
- sudo apt-get install apparmor-profiles
(2)通过工具来管理profile,比较著名是:apparmor-utils,通过如下命令进行安装:
- sudo apt-get install apparmor-utils
再看一个手工编写的profile,熟悉下其语法格式,如果想更详细的学习,参见具体的讲解profile语法格式的文档,如:http://ubuntuforums.org/showthread.php?t=1008906。
- #include <tunables/global>
- /usr/bin/kopete { //需要限制的应用程序的名称
- #include <abstractions/X>
- #include <abstractions/audio>
- #include <abstractions/base>
- #include <abstractions/kde>
- #include <abstractions/nameservice>
- #include <abstractions/user-tmp>
- //限制其在对家目录下几个文件的读写权限
- deny @{HOME}/.bash* rw,
- deny @{HOME}/.cshrc rw,
- deny @{HOME}/.profile rw,
- deny @{HOME}/.ssh/* rw,
- deny @{HOME}/.zshrc rw,
- /etc/X11/cursors/oxy-white.theme r,
- /etc/default/apport r,
- /etc/kde4/* r,
- /etc/kde4rc r,
- /etc/kderc r,
- /etc/security/* r,
- /etc/ssl/certs/* r,
- owner /home/*/ r,
- /opt/firefox/firefox.sh Px,
- /usr/bin/convert rix,
- /usr/bin/kde4 rix,
- /usr/bin/kopete r,
- /usr/bin/kopete_latexconvert.sh rix,
- /usr/bin/launchpad-integration ix,
- /usr/bin/xdg-open mrix,
- /usr/lib/firefox*/firefox.sh Px,
- /usr/lib/kde4/**.so mr,
- /usr/lib/kde4/libexec/drkonqi ix,
- /usr/share/emoticons/ r,
- /usr/share/emoticons/** r,
- /usr/share/enchant/** r,
- /usr/share/kde4/** r,
- /usr/share/kubuntu-default-settings/** r,
- /usr/share/locale-langpack/** r,
- /usr/share/myspell/** r,
- owner @{HOME}/.config/** rwk,
- owner @{HOME}/.kde/** rwlk,
- owner @{HOME}/.local/share/mime/** r,
- owner @{HOME}/.thumbnails/** rw,
- owner @{HOME}/Downloads/ rw,
- owner @{HOME}/Downloads/** rw,
- }
- r = read
- w = write
- l = link
- k = lock
- a = append
- ix = inherit = Inherit the parent's profile.
- px = requires a separate profile exists for the application, with environment scrubbing.
- Px = requires a separate profile exists for the application, without environment scrubbing.
- ux and Ux = Allow execution of an application unconfined, with and without environmental scrubbing. (use with caution if at all).
- m = allow executable mapping.
