Introduction to AppArmor
I’ve seen many Linux users overlook AppArmor, but it’s a powerful tool for locking down your system. AppArmor is a Mandatory Access Control (MAC) system that restricts the actions of applications and services, providing a robust way to prevent malicious or compromised apps from causing harm. In this article, I’ll walk you through how to use AppArmor to boost your Linux system’s security.
Installing AppArmor
To get started, you’ll need to install the AppArmor package on your Linux system. On Debian-based systems, this is straightforward:
sudo apt-get install apparmor
On other distributions, such as Arch Linux or openSUSE, the package name may vary - be sure to check your distribution’s documentation for more information.
Understanding AppArmor Profiles
AppArmor profiles are the core of the AppArmor system, defining the permissions and restrictions for a particular application or service. Think of profiles as a set of rules that determine what an application can and cannot do. For example, a profile might allow an app to read and write to a specific directory but deny access to other parts of the system. To view the available AppArmor profiles on your system, use:
sudo apparmor_status
This lists every profile that is currently loaded, along with its mode: enforce, where violations are blocked and logged, or complain, where they are only logged.
Creating a New Profile
Don’t bother with manually writing profiles from scratch - the aa-genprof command (on Debian-based systems it ships in the apparmor-utils package) makes it easy to generate a profile for a specific application or service. For example, to generate a profile for the Firefox web browser, use:
sudo aa-genprof firefox
This will launch Firefox and start generating a profile for it. As you use Firefox, the profile will be updated to reflect the actions you take. When you’re finished, exit Firefox and the profile will be saved.
Editing a Profile
Once a profile has been generated, you can refine the permissions and restrictions by editing the profile directly. AppArmor profiles are stored in the /etc/apparmor.d/ directory and can be edited with a text editor. Each file is named after the program’s path with the slashes replaced by dots, so the profile for /usr/bin/firefox is usr.bin.firefox. To edit it, use:
sudo nano /etc/apparmor.d/usr.bin.firefox
This will open the profile in the nano editor, where you can make changes to the permissions and restrictions. The real trick is finding the right balance between security and usability.
Enforcing a Profile
To enforce a profile, reload it into the kernel and then switch it to enforce mode. Use the following commands:
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
This will reload the profile and set it to enforce mode, in which AppArmor restricts Firefox to the actions the profile’s rules allow.
Troubleshooting AppArmor
If you encounter issues with AppArmor, there are several tools you can use to troubleshoot the problem. The apparmor_status command shows the status of all the profiles on your system, while apparmor_parser reloads a specific profile. You can also check the AppArmor logs for error messages that help diagnose the issue: denials are written to the kernel log (dmesg or journalctl -k) and, when auditd is running, to /var/log/audit/audit.log, as records containing apparmor="DENIED". The aa-logprof command reads those records and offers to turn them into profile rules. For more information on AppArmor, you can visit the AppArmor wiki or the Ubuntu AppArmor documentation.
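To make the log check concrete, here is an added example (not part of the original article) that summarises AppArmor denial records with plain sh and awk, so you can see which profile blocked which access before deciding whether a rule is missing or the access is unwanted. The log lines it reads are constructed samples in the kernel’s audit record format; the profile paths, PIDs and timestamps are made up.

```shell
#!/bin/sh
# Added example, not from the original article: summarise AppArmor DENIED
# events from kernel/audit log lines.
#
# The lines below are constructed samples in the format the kernel emits
# (visible via `dmesg`, `journalctl -k`, or /var/log/audit/audit.log when
# auditd is running). Paths, PIDs and timestamps are invented.
SAMPLE_LOG='audit: type=1400 audit(1700000000.100:101): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/etc/shadow" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.200:102): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/home/user/.ssh/id_ed25519" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.300:103): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/home/user/Downloads/file.pdf" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.400:104): apparmor="DENIED" operation="mkdir" profile="/usr/local/bin/example-daemon" name="/tmp/work/" pid=5151 comm="example-daemon" requested_mask="c" denied_mask="c" fsuid=0 ouid=0'

# Print one tab-separated line per DENIED event: profile, operation,
# object, denied mask. ALLOWED records (complain-mode audit entries)
# are skipped because nothing was blocked.
summarize_denials() {
    printf '%s\n' "$1" | awk '
        /apparmor="DENIED"/ {
            prof = ""; op = ""; name = ""; mask = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                v = kv[2]; gsub(/"/, "", v)
                if (kv[1] == "profile")     prof = v
                if (kv[1] == "operation")   op   = v
                if (kv[1] == "name")        name = v
                if (kv[1] == "denied_mask") mask = v
            }
            printf "%s\t%s\t%s\t%s\n", prof, op, name, mask
        }'
}

# Count denials per profile, most frequent first, to spot the profile
# that is generating the most noise (or catching the most trouble).
count_by_profile() {
    summarize_denials "$1" | cut -f1 | sort | uniq -c | sort -rn
}

summarize_denials "$SAMPLE_LOG"
count_by_profile "$SAMPLE_LOG"
```

A denial of /etc/shadow from a browser profile is the profile doing its job; a denial of the application’s own working directory is the hint that a rule is missing. Feed the summary into that judgement rather than adding every denied path to the profile.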
Security Considerations
In practice, a well-crafted profile can provide strong protection against malicious or compromised applications, but a poorly crafted profile can leave your system vulnerable. This is where people usually get burned - it’s crucial to test your profiles thoroughly and ensure that they are not too permissive or too restrictive. You can find more information on securing your Linux system with AppArmor on the Debian wiki.
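As an added illustration for the editing and security-considerations sections (example code, not from the article or the AppArmor project): a deliberately over-permissive profile for a hypothetical service /usr/local/bin/example-daemon beside a tightened version, plus a small sh/awk check that flags blanket rules before a profile is loaded. The program name, paths and rules are assumptions; the apparmor_parser -Q dry run is a real option but only runs when the parser is installed.

```shell
#!/bin/sh
# Added example, not from the article or the AppArmor project. The daemon
# name, paths and rules are constructed for illustration.

# Over-permissive: the profile "works" but grants the whole filesystem,
# every capability and every network family, so a compromised daemon
# is barely constrained.
WEAK_PROFILE='#include <tunables/global>

/usr/local/bin/example-daemon {
  #include <abstractions/base>

  capability,
  network,
  /** rw,
}'

# Tightened: only the paths and operations the daemon needs. Anything
# not listed is denied; the explicit deny lines keep sensitive paths
# out even if a later include broadens access.
TIGHT_PROFILE='#include <tunables/global>

/usr/local/bin/example-daemon {
  #include <abstractions/base>

  capability net_bind_service,
  network inet stream,
  network inet6 stream,

  /usr/local/bin/example-daemon mr,
  /etc/example-daemon/** r,
  /var/lib/example-daemon/** rwk,
  /var/log/example-daemon.log w,

  deny /etc/shadow r,
  deny /home/** rw,
}'

# Print one finding per rule that grants blanket access.
lint_profile() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*capability[[:space:]]*,/ { print "bare capability rule grants every capability: " $0 }
        /^[[:space:]]*network[[:space:]]*,/    { print "bare network rule allows every address family: " $0 }
        /^[[:space:]]*\/\*\*[[:space:]]+[a-z]*w/ { print "write access to the whole filesystem: " $0 }
    '
}

# Number of findings, as a plain integer.
count_findings() {
    lint_profile "$1" | wc -l | tr -d ' '
}

# If apparmor_parser is available, parse the profile without loading it
# into the kernel (-Q, --skip-kernel-load) to catch syntax errors early.
check_syntax() {
    if command -v apparmor_parser >/dev/null 2>&1; then
        printf '%s\n' "$1" | apparmor_parser -Q
    else
        echo "apparmor_parser not installed; skipping syntax check" >&2
    fi
}

echo "== weak profile =="
lint_profile "$WEAK_PROFILE"
echo "== tightened profile =="
lint_profile "$TIGHT_PROFILE"
check_syntax "$TIGHT_PROFILE"
```

The check only catches the crudest patterns; review the included abstractions as well, since an include can widen access just as much as a bare rule. Run a new profile in complain mode first, confirm that the denials it logs are ones you intend, and only then switch it to enforce.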
See also
- Hardening SSH with Linux Kernel's Built-in Features and a Few Surprising sysctl Tweaks
- Hardening Your Linux Desktop with Mandatory Access Control and a Little Bit of Common Sense
- Hardening Your Linux Desktop with Mandatory Access Control and Namespace Isolation
- Hardening Your Linux Laptops for Coffee Shop Combat: Firewall Rules and Network Profiles for the Paranoid Traveler
- Using seccomp to Lock Down Container Privileges in Linux