AppArmor is a security layer which enforces access control on the filesystem resources applications can access, and the permissions they can access them with. It comprises a kernel module and user space profiles for each application, which define the resources an application expects to access. For more information, see the AppArmor home page. Apertis uses AppArmor for all applications and services.
- Write AppArmor profiles to be as constrained as possible.
- Validate the profiles manually before release, and during testing.
For application development, the only work which needs to be done for AppArmor integration is to write and install a profile for the application. See the AppArmor website for information on writing profiles. Profiles should be as constrained as possible, following the principle of least privilege.
To install a profile, use the following
AppArmor profiles can be validated in two ways: manually, and at runtime. Manual verification should be performed before each release, manually inspecting the profile against the list of changes made to the application since the last release, and checking that each entry is still relevant and correct, and that no new entries are needed.
Runtime verification is automatic: AppArmor will deny access to files which
violate the profile, emitting a message in the audit logs (
Feb 23 18:54:07 my-host kernel: [ 24.610703] type=1400 audit(1393181647.872:15): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/ntpd" name="/etc/ldap/ldap.conf" pid=1526 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Such messages should be investigated, and may result in changes to the application (to prevent it making such accesses) or to the profile (to allow them).
Manual and runtime verification are complementary: manual verification ensures the profile is as small as possible; runtime verification ensures the profile is as big as it needs to be.