AppArmor: Securing Ubuntu with Mandatory Access Control

Understanding AppArmor Security on Ubuntu
AppArmor represents a crucial security component integrated by default into Ubuntu, beginning with version 7.10. Its operation is typically unobtrusive, running in the background without requiring explicit user interaction.
Consequently, users may be unaware of its presence and the protective measures it implements.
How AppArmor Enhances System Security
The primary function of AppArmor is to secure susceptible processes by limiting the potential harm that security flaws within those processes could inflict. This is achieved through restriction of process capabilities.
By confining these processes, AppArmor minimizes the attack surface and reduces the risk of exploitation.
Securing Mozilla Firefox with AppArmor
While AppArmor provides system-wide security benefits, it can also be specifically configured to enhance the security of applications like Mozilla Firefox.
However, it’s important to note that this enhanced Firefox security is not enabled automatically; manual configuration is required.
This allows for a more granular level of protection tailored to the specific needs of the application.
- AppArmor operates by defining security profiles for each application.
- These profiles dictate which files and resources an application is permitted to access.
- Any attempt by an application to exceed these defined boundaries is blocked by AppArmor.
Understanding AppArmor Security
AppArmor functions as a security module, sharing similarities with SELinux, which is the default choice for distributions like Fedora and Red Hat. Despite differing implementation approaches, both AppArmor and SELinux enforce “mandatory access control” (MAC) security policies.
Essentially, AppArmor empowers Ubuntu’s developers to define limitations on the operations that processes are permitted to perform.
A prime example of this restriction within Ubuntu’s standard setup is the Evince PDF viewer. Even when running under a user’s account, Evince operates with a constrained set of permissions.
It possesses only the essential privileges required for execution and interaction with PDF files. Should a security flaw be identified in Evince’s PDF rendering engine, and a user were to open a compromised PDF, AppArmor would curtail the potential harm.
In the conventional Linux security framework, Evince would inherit all the permissions of the user. However, with AppArmor in place, its access is limited to only those resources necessary for a PDF viewer’s functionality.
AppArmor is especially beneficial when securing applications prone to exploitation, like web browsers or server-side software.
Key Benefits of AppArmor
- Reduced Attack Surface: By limiting process capabilities, AppArmor minimizes the potential damage from successful exploits.
- Enhanced System Stability: Restrictions prevent compromised applications from destabilizing the entire system.
- Granular Control: Developers can precisely define permissions for each application.
The core principle behind AppArmor is to provide an additional layer of defense, mitigating the impact of vulnerabilities even if they are successfully exploited. It doesn't replace traditional security measures, but rather complements them.
This proactive approach to security is a significant advantage in today’s threat landscape, where zero-day exploits are increasingly common.
Checking AppArmor’s Operational State
Determining the current status of AppArmor is achieved through a terminal command. Execute the following to begin:
sudo apparmor_status
The output will indicate if AppArmor is active on your system, as it typically is by default. It also displays the AppArmor profiles currently present and the processes operating under confinement.
Understanding the Output
The apparmor_status command provides a comprehensive overview. This includes details about loaded profiles and their associated processes.
Confined processes are those whose activities are restricted by AppArmor policies. This enhances system security by limiting potential damage from compromised applications.

Reviewing this information regularly helps ensure AppArmor is functioning as expected and providing the intended security benefits.
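The check below is an added example, not part of the original article: a shell function that reads apparmor_status text output and reports whether a named profile is loaded in enforce or complain mode. The function name profile_mode and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the mode of one profile from apparmor_status output.
# profile_mode NAME reads the text on stdin and prints
# enforce, complain, or not-loaded.
profile_mode() {
    awk -v want="$1" '
        /profiles are in enforce mode/  { mode = "enforce";  next }
        /profiles are in complain mode/ { mode = "complain"; next }
        # Any other unindented line (e.g. the process summary) ends the profile lists.
        /^[^ \t]/                       { mode = ""; next }
        mode != "" {
            name = $0
            sub(/^[ \t]+/, "", name); sub(/[ \t]+$/, "", name)
            if (name == want) { found = mode }
        }
        END { print (found != "" ? found : "not-loaded") }
    '
}

# Constructed sample output (not captured from a real system).
sample_status() {
cat <<'EOF'
apparmor module is loaded.
4 profiles are loaded.
3 profiles are in enforce mode.
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/sbin/cupsd
1 profiles are in complain mode.
   /usr/sbin/ntpd
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cupsd (1042)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
EOF
}

# On a live system: sudo apparmor_status | profile_mode /usr/bin/evince
sample_status | profile_mode /usr/bin/evince
```

A result of not-loaded for a profile you expect to be active means the application is running without confinement.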
AppArmor Profiles
AppArmor utilizes profiles to govern process restrictions. The apparmor_status output described above lists the profiles currently installed on the system, specifically those included with Ubuntu. Additional profiles can be implemented through the installation of the apparmor-profiles package.
Certain software packages, such as server applications, may incorporate their own AppArmor profiles. These profiles are automatically installed alongside the respective package. Furthermore, administrators have the capability to develop custom AppArmor profiles, tailoring restrictions to specific software needs.
Profile Modes: Enforce vs. Complain
AppArmor profiles operate in either “complain mode” or “enforce mode.” Ubuntu’s default configuration sets profiles to “enforce mode,” actively preventing applications from performing actions defined as restricted.
Conversely, “complain mode” permits applications to execute restricted actions while simultaneously logging these instances as complaints. This mode is particularly useful for testing a profile before full enforcement. It allows for the identification of potential errors without disrupting system functionality.
Profile Location
All AppArmor profiles are stored as plain-text files within the /etc/apparmor.d directory. These files are designed to be human-readable and can include comments for documentation purposes.
Activating AppArmor for Firefox
A Firefox profile is included with AppArmor by default. This profile is located as the usr.bin.firefox file within the /etc/apparmor.d directory.
It is not activated automatically, as overly restrictive settings could lead to functionality issues. The presence of a symbolic link to this file in the /etc/apparmor.d/disable folder signifies its current disabled state.
Enabling Firefox Confinement
To activate the Firefox profile and implement AppArmor confinement for Firefox, execute the following commands sequentially:
sudo rm /etc/apparmor.d/disable/usr.bin.firefox
cat /etc/apparmor.d/usr.bin.firefox | sudo apparmor_parser -a
Following the execution of these commands, re-run the sudo apparmor_status command. You will then observe that the Firefox profiles are now actively loaded.
Disabling the Firefox Profile
Should the active Firefox profile cause any operational difficulties, it can be disabled using these commands:
sudo ln -s /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox
Disabling the profile will revert Firefox to its previous unconfined state.
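The script below is an added example, not part of the original article. It ties together the profile modes and the disable symlink described above by classifying each profile in an apparmor.d tree from what is on disk. The function names and the sample tree are constructed for illustration, and complain mode is detected by assuming the profile header carries a flags=(complain) entry.

```shell
#!/bin/sh
# Added example: classify profiles by what is on disk under an apparmor.d tree.
# This reflects configuration only; apparmor_status shows what the kernel
# has actually loaded.

# profile_disk_state DIR NAME -> missing | disabled | complain | enforce
profile_disk_state() {
    dir=$1; name=$2
    if [ ! -f "$dir/$name" ]; then
        echo missing
    elif [ -L "$dir/disable/$name" ] || [ -e "$dir/disable/$name" ]; then
        # An entry in disable/ marks the profile as disabled.
        echo disabled
    elif grep -v '^[[:space:]]*#' "$dir/$name" | grep -Eq 'flags=\([^)]*complain'; then
        # Assumption: complain mode is set by a flags=(complain) profile header.
        echo complain
    else
        # No disable entry and no complain flag: loads in enforce mode.
        echo enforce
    fi
}

# list_profiles DIR prints "NAME STATE" for every regular file at the top level.
list_profiles() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        n=${f##*/}
        echo "$n $(profile_disk_state "$1" "$n")"
    done
}

# Constructed sample tree (minimal stand-in files, not Ubuntu's real profiles).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/disable"
    printf '%s\n' '/usr/bin/firefox {' '}' > "$t/usr.bin.firefox"
    printf '%s\n' '/usr/bin/evince {' '}' > "$t/usr.bin.evince"
    printf '%s\n' '# test profile' '/usr/sbin/ntpd flags=(complain) {' '}' > "$t/usr.sbin.ntpd"
    ln -s "$t/usr.bin.firefox" "$t/disable/usr.bin.firefox"
    echo "$t"
}

# On a live system: list_profiles /etc/apparmor.d
tree=$(make_sample_tree)
list_profiles "$tree"
rm -rf "$tree"
```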
Further Information
For a more comprehensive understanding of AppArmor and its functionalities, refer to the official Ubuntu Server Guide’s dedicated AppArmor page.