AppArmor介绍

test 2022-10-08 10:53:38  52430

分类专栏：资讯

原文链接：http://www.lenky.info/archives/2014/05/2405

AppArmor是一款与SeLinux类似的安全框架/工具，其主要作用是控制应用程序的各种权限，例如对某个目录/文件的读/写，对网络端口的打开/读/写等等。
来之Novell网站的引用：

AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if they are exploiting previously unknown vulnerabilities.

AppArmor通过一个配置文件（即profile）来指定一个应用程序的相关权限。在大多数情况下，可以通过限制应用程序的某些不必要的权限来提升系统安全性，比如指定Firefox不能访问系统目录，这样即便是使用Firefox访问了恶意网页，也可以避免恶意网页通过Firefox访问到系统目录。
AppArmor是Ubuntu的默认选择，但在默认情况下，系统自带安装的profile配置文件很少，通过命令：sudo apt-get install apparmor-profiles，可以安装额外的AppArmor-profile文件。
在Ubuntu下通过命令sudo apparmor_status可以查看当前AppArmor的状态。
执行sudo apt-get install apparmor-profiles命令之前的自带profile配置：

lenky@local:~$ sudo apparmor_status
apparmor module is loaded.
20 profiles are loaded.
20 profiles are in enforce mode.
/sbin/dhclient
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince-thumbnailer//sanitized_helper
/usr/bin/evince//sanitized_helper
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/lightdm/lightdm-guest-session
/usr/lib/lightdm/lightdm-guest-session//chromium
/usr/lib/telepathy/mission-control-5
/usr/lib/telepathy/telepathy-*
/usr/lib/telepathy/telepathy-*//pxgsettings
/usr/lib/telepathy/telepathy-*//sanitized_helper
/usr/lib/telepathy/telepathy-ofono
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/tcpdump
0 profiles are in complain mode.
4 processes have profiles defined.
4 processes are in enforce mode.
/usr/lib/telepathy/mission-control-5 (2438)
/usr/sbin/cups-browsed (1070)
/usr/sbin/cupsd (2881)
/usr/sbin/cupsd (2884)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
lenky@local:~$

执行sudo apt-get install apparmor-profiles命令之后的情况：

lenky@local:~$ sudo apparmor_status
apparmor module is loaded.
47 profiles are loaded.
23 profiles are in enforce mode.
/sbin/dhclient
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince-thumbnailer//sanitized_helper
/usr/bin/evince//sanitized_helper
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/chromium-browser/chromium-browser//browser_java
/usr/lib/chromium-browser/chromium-browser//browser_openjdk
/usr/lib/chromium-browser/chromium-browser//sanitized_helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/lightdm/lightdm-guest-session
/usr/lib/lightdm/lightdm-guest-session//chromium
/usr/lib/telepathy/mission-control-5
/usr/lib/telepathy/telepathy-*
/usr/lib/telepathy/telepathy-*//pxgsettings
/usr/lib/telepathy/telepathy-*//sanitized_helper
/usr/lib/telepathy/telepathy-ofono
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/tcpdump
24 profiles are in complain mode.
/sbin/klogd
/sbin/syslog-ng
/sbin/syslogd
/usr/lib/chromium-browser/chromium-browser
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
/usr/lib/chromium-browser/chromium-browser//lsb_release
/usr/lib/chromium-browser/chromium-browser//xdgsettings
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dovecot-auth
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap-login
/usr/lib/dovecot/managesieve-login
/usr/lib/dovecot/pop3
/usr/lib/dovecot/pop3-login
/usr/sbin/avahi-daemon
/usr/sbin/dnsmasq
/usr/sbin/dovecot
/usr/sbin/identd
/usr/sbin/mdnsd
/usr/sbin/nmbd
/usr/sbin/nscd
/usr/sbin/smbd
/usr/{sbin/traceroute,bin/traceroute.db}
/{usr/,}bin/ping
10 processes have profiles defined.
4 processes are in enforce mode.
/usr/lib/telepathy/mission-control-5 (2438)
/usr/sbin/cups-browsed (1070)
/usr/sbin/cupsd (2881)
/usr/sbin/cupsd (2884)
0 processes are in complain mode.
6 processes are unconfined but have a profile defined.
/usr/sbin/avahi-daemon (868)
/usr/sbin/avahi-daemon (873)
/usr/sbin/dnsmasq (2493)
/usr/sbin/nmbd (2639)
/usr/sbin/smbd (704)
/usr/sbin/smbd (1105)
lenky@local:~$

可以看到新安装了一些profile配置文件。Apparmor的profile配置文件均保存在目录/etc/apparmor.d，对应的日志文件记录在/var/log/messages。
Apparmor使用内核标准安全文件系统机制（/sys/kernel/security）来加载和监控profiles文件。而虚拟文件/sys/kernel/security/apparmor/profiles里记录了当前加载的profiles文件。

lenky@local:/var/log$ cat /sys/kernel/security/apparmor/profiles
cat: /sys/kernel/security/apparmor/profiles: 权限不够
lenky@local:/var/log$ sudo -i
[sudo] password for lenky:
root@local:~ cat /sys/kernel/security/apparmor/profiles
/usr/{sbin/traceroute,bin/traceroute.db} (complain)
/usr/sbin/smbd (complain)
/usr/sbin/nscd (complain)
/usr/sbin/nmbd (complain)
/usr/sbin/mdnsd (complain)
/usr/sbin/identd (complain)
/usr/sbin/dovecot (complain)
/usr/sbin/dnsmasq (complain)
/usr/sbin/avahi-daemon (complain)
/usr/lib/dovecot/pop3-login (complain)
/usr/lib/dovecot/pop3 (complain)
/usr/lib/dovecot/managesieve-login (complain)
/usr/lib/dovecot/imap-login (complain)
/usr/lib/dovecot/imap (complain)
/usr/lib/dovecot/dovecot-auth (complain)
/usr/lib/dovecot/deliver (complain)
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//lsb_release (complain)
/usr/lib/chromium-browser/chromium-browser//sanitized_helper (enforce)
/usr/lib/chromium-browser/chromium-browser//xdgsettings (complain)
/sbin/syslog-ng (complain)
/sbin/syslogd (complain)
/sbin/klogd (complain)
/{usr/,}bin/ping (complain)
/usr/sbin/tcpdump (enforce)
/usr/lib/telepathy/telepathy-ofono (enforce)
/usr/lib/telepathy/telepathy-* (enforce)
/usr/lib/telepathy/telepathy-*//sanitized_helper (enforce)
/usr/lib/telepathy/telepathy-*//pxgsettings (enforce)
/usr/lib/telepathy/mission-control-5 (enforce)
/usr/sbin/cups-browsed (enforce)
/usr/bin/evince-thumbnailer (enforce)
/usr/bin/evince-thumbnailer//sanitized_helper (enforce)
/usr/bin/evince-previewer (enforce)
/usr/bin/evince-previewer//sanitized_helper (enforce)
/usr/bin/evince (enforce)
/usr/bin/evince//sanitized_helper (enforce)
/usr/lib/lightdm/lightdm-guest-session (enforce)
/usr/lib/lightdm/lightdm-guest-session//chromium (enforce)
/usr/sbin/cupsd (enforce)
/usr/lib/cups/backend/cups-pdf (enforce)
/usr/lib/connman/scripts/dhclient-script (enforce)
/usr/lib/NetworkManager/nm-dhcp-client.action (enforce)
/sbin/dhclient (enforce)
root@local:~

profile文件以它所对应的应用程序的完整路径来命名，当然，要去除对前面的根符号（/），然后把路径中间的/替换为.。如果是软连接，还必须转换到最终的应用程序。比如firefox的情况：

lenky@local:/var/log$ whereis firefox
firefox: /usr/bin/firefox /etc/firefox /usr/lib/firefox /usr/bin/X11/firefox /usr/share/man/man1/firefox.1.gz
lenky@local:/var/log$ file /usr/bin/firefox
/usr/bin/firefox: symbolic link to `../lib/firefox/firefox.sh'
lenky@local:/var/log$ ls /usr/lib/firefox/firefox.sh -l
-rwxr-xr-x 1 root root 2740 4月 11 05:10 /usr/lib/firefox/firefox.sh

可以看到firefox对应的最终路径是/usr/lib/firefox/firefox.sh，因此与此相对的AppArmor配置文件为：/etc/apparmor.d/usr.lib.firefox.firefox.sh，即我们可以在/etc/apparmor.d目录下建立一个usr.lib.firefox.firefox.sh文件来定义firefox的相关权限。
一个profile文件定义好之后，当其对应的应用程序启动（比如firefox），它也就自动激活生效。有两种模式，分别为：
complain：应用程序发生了超过其权限之外的动作时，Apparmor会进行log记录，但是不会阻止应用程序相关动作的成功执行。
enforce：应用程序发生了超过其权限之外的动作时，Apparmor会进行log记录，并且会阻止应用程序相关动作的成功执行。
通过命令aa-complain或aa-enforce可以切换profile文件的状态。这需要先安装对应的utils工具：

sudo apt-get install apparmor-utils

试试：

lenky@local:~$ sudo aa-complain tcpdump
Setting /usr/sbin/tcpdump to complain mode.
lenky@local:~$ sudo aa-enforce tcpdump
Setting /usr/sbin/tcpdump to enforce mode.

做了这种修改后需要重启apparmor，Apparmor的启动、停止等操作的相关命令如下：

Start : sudo /etc/init.d/apparmor start
Stop : sudo /etc/init.d/apparmor stop
reload: sudo /etc/init.d/apparmor reload
Show status: sudo /etc/init.d/apparmor status

其他命令：
aa-unconfined用来显示系统里那些拥有tcp/udp端口，但又未处于apparmor监控之下的进程。

lenky@local:~$ sudo aa-unconfined
704 /usr/sbin/smbd not confined
868 /usr/sbin/avahi-daemon not confined
979 /usr/sbin/sshd not confined
1070 /usr/sbin/cups-browsed confined by '/usr/sbin/cups-browsed (enforce)'
2493 /usr/sbin/dnsmasq not confined
2639 /usr/sbin/nmbd not confined
2881 /usr/sbin/cupsd confined by '/usr/sbin/cupsd (enforce)'
9624 /usr/sbin/nginx (nginx: master process /usr/sbin/nginx) not confined

这样的进程越多，对应系统被攻击的风险也就越大。aa-genprof命令用来生成一个profile文件。实例：利用命令sudo aa-genprof nginx生成nginx的一个profile文件。
在一个终端1里执行：

lenky@local:~$ sudo aa-genprof nginx
...
[(S)can system log for AppArmor events] / (F)inish

另开一个终端2，执行sudo nginx，然后切回终端1，按s进行扫描，竟然挂了，原因不明，不管，直接再执行sudo aa-genprof nginx，按s进行扫描，没有扫描到东西。
切换会终端2，sudo killall nginx; sudo nginx，切回终端1，按s进行扫描，有如下提示：

[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore

按a，还有类似提示，一直按a，即全部设置为allow，到最后出现：

(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t

按s保存配置。
出现：

[(S)can system log for AppArmor events] / (F)inish

按f结束

网站声明：如果转载，请联系本站管理员。否则一切后果自行承担。

本文链接：https://www.xckfsq.com/news/show.html?id=17518

赞同 0

评论 0 条

AppArmor介绍

相关文章

关注我们