AppArmor works with per-program profiles to confine specific services.

apt install apparmor-utils apparmor-notify apparmor-easyprof
 
man apparmor.d
 
tree /etc/apparmor
ls /etc/apparmor.d/
 
 
aa-status
 
aa-genprof /tu/app
ls /sys/kernel/security/apparmor/

To generate a profile for an application, run:

cp /usr/bin/vim /usr/local/bin/kim
aa-genprof /usr/local/bin/kim

In another session, run the application.

Then, in aa-genprof, grant permissions to the directories you want. Finally, save and exit.

We can view the resulting permissions with:

cat /etc/apparmor.d/usr.local.bin.kim
# Last Modified: Tue Nov 12 01:39:21 2019
#include <tunables/global>
 
/usr/local/bin/kim {
  #include <abstractions/base>
 
  /home/ues/ r,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /usr/local/bin/kim mr,
  owner /etc/* rw,
  owner /etc/vim/vimrc r,
  owner /root/* rw,
  owner /usr/share/vim/** r,
 
}

Put the kim application into complain mode in AppArmor to check its state (violations are logged but not blocked):

aa-complain /usr/local/bin/kim

Enable the kim application in AppArmor (enforce mode) with:

aa-enforce /usr/local/bin/kim

If we want to audit its actions with auditd:

aa-audit /usr/local/bin/kim

Then verify that we can edit files in those directories but not in others:

kim /etc/hosts
kim /tmp/pp

aa-complain # Monitors a specific application.
aa-logprof  # Updates the AppArmor profiles from logged events.
aa-notify   # Sends notifications of AppArmor events.


sudo aa-status
sudo aa-status | grep -e "^[[:alnum:]]" -e ping
sudo aa-genprof /bin/ping-x
	S   # (S)can the system log for AppArmor events
	A   # (A)llow each requested access
	A
	A
	S
	F   # (F)inish and write the profile
ping-x -c3 -4 127.0.0.1
sudo cat /etc/apparmor.d/bin.ping-x
ping-x -c3 -4 127.0.0.1
ping-x -c3 -6 ::1 #ping: socket: Permission denied
cat /etc/apparmor.d/usr.bin.test
 
#include <tunables/global>
 
profile test /usr/lib/test/test_binary {
    #include <abstractions/base>
 
    # Main libraries and plugins
    /usr/share/TEST/** r,
    /usr/lib/TEST/** rm,
 
    # Configuration files and logs
    @{HOME}/.config/ r,
    @{HOME}/.config/TEST/** rw,
}

Strings preceded by a @ symbol are variables defined by abstractions (/etc/apparmor.d/abstractions/), tunables (/etc/apparmor.d/tunables/) or by the profile itself. #include includes other profile-files directly. Paths followed by a set of characters are access permissions. Pattern matching is done using AppArmor's globbing syntax.

Most common use cases are covered by the following statements:

  r — read: read data
  w — write: create, delete, write to a file and extend it
  m — memory map executable: memory map a file executable
  x — execute: execute file; needs to be preceded by a qualifier

Remember that those permissions do not allow binaries to exceed the permissions dictated
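The following Python script is an added example, not code from these notes or from the AppArmor project. It is a simplified evaluator for the path rules shown above: it translates AppArmor globbing into regular expressions, expands @{VAR} placeholders from a supplied dict (a stand-in for the tunables files), and reports which permissions a profile grants for a path, mirroring the kim check with /etc/hosts and /tmp/pp. It only handles the `owner` qualifier and ignores #include lines, deny rules and execute transition modes.

```python
import re
# Constructed copy of the path rules from the kim profile in the notes above.
KIM_RULES = """
  /home/ues/ r,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /usr/local/bin/kim mr,
  owner /etc/* rw,
  owner /etc/vim/vimrc r,
  owner /root/* rw,
  owner /usr/share/vim/** r,
"""
# A path rule: optional 'owner' qualifier, path glob, permission letters, comma.
RULE_RE = re.compile(r'^\s*(owner\s+)?(\S+)\s+([rwmklix]+)\s*,\s*$')

def glob_to_regex(pattern):
    """AppArmor glob -> anchored regex: ** crosses '/', * and ? do not, {a,b} alternates."""
    out, depth, i = [], 0, 0
    while i < len(pattern):
        if pattern.startswith('**', i):
            out.append('.*'); i += 2; continue
        c = pattern[i]; i += 1
        if c == '*': out.append('[^/]*')
        elif c == '?': out.append('[^/]')
        elif c == '{': out.append('(?:'); depth += 1
        elif c == '}': out.append(')'); depth -= 1
        elif c == ',' and depth: out.append('|')
        elif c in '[]': out.append(c)          # character classes pass through
        else: out.append(re.escape(c))
    return re.compile('^' + ''.join(out) + '$')

def parse_profile(text, variables=None):
    """(owner_only, regex, perms) per path rule; @{VAR} expanded from `variables` (stand-in for tunables)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)            # #include, comments and braces do not match
        if m:
            owner, path, perms = m.groups()
            for name, value in (variables or {}).items():
                path = path.replace('@{%s}' % name, value)
            rules.append((bool(owner), glob_to_regex(path), set(perms)))
    return rules

def allowed(rules, path, is_owner=True):
    """Union of granted perms; rules are additive and deny-by-default, so empty = no access."""
    perms = set()
    for owner_only, rx, p in rules:
        if rx.match(path) and (is_owner or not owner_only):
            perms |= p
    return perms
```

Calling `allowed(parse_profile(KIM_RULES), '/etc/hosts')` returns `{'r', 'w'}` while `/tmp/pp` returns an empty set, which is why the second edit is blocked under enforce mode.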

References