Create an AppArmor Application Profile

About This Task

AppArmor uses application profiles to define an application’s system access. This procedure uses the nginx application to demonstrate how to create a profile to enable access.

Before You Begin

Procedure

  1. Install the nginx package.

    # sudo apt-get install nginx
    
    ---- Lots of output as packages install ----
    
  2. Create a profile for the application, located at /usr/sbin/nginx.

    # sudo touch /etc/apparmor.d/usr.sbin.nginx
    

    This creates an empty usr.sbin.nginx file in the same location where all AppArmor policies reside, at /etc/apparmor.d/<path-to-app>.

  3. Add the following profile to the usr.sbin.nginx file. For example, open it in vi, paste the following text, and save the file.

    #include <tunables/global>
    
    profile nginx /usr/sbin/nginx flags=(complain) {
      include <abstractions/base>
    
      # Allow read and execute access to nginx executable
      /usr/sbin/nginx rix,
    
      # Allow reading files in the web directory
      /var/www/html/ r,
      /var/www/html/** r,
    
      # Allow reading configuration files for nginx
      /etc/nginx/nginx.conf r,
      /etc/nginx/sites-enabled/ r,
      /etc/nginx/sites-enabled/** r,
    
      # Deny access to /etc/passwd
      deny /etc/passwd r,
    
      # Deny access to the home directory
      deny /home/** rw,
    }
    

    In this example, read access is granted to the directories and files nginx needs to work properly, and execute access to the nginx binary itself. The profile is initially set to complain mode, in which AppArmor logs accesses the profile does not allow instead of blocking them. Explicit deny rules are the exception: even in complain mode they block access to the resources they name, /etc/passwd and /home/ in this example.

  4. Use the apparmor_parser application to check and load the profile. It parses the profile you created in the previous step and reports any syntax errors, which you must fix. If there are no errors, it loads the profile into the kernel for use by AppArmor; the -r option replaces any previously loaded version of the same profile.

    # /usr/sbin/apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx
    
  5. Check the new profile status using the aa-status application.

    # /usr/sbin/aa-status
    
    apparmor module is loaded.
    15 profiles are loaded.
    14 profiles are in enforce mode.
     /usr/bin/man
     /usr/lib/NetworkManager/nm-dhcp-client.action
     /usr/lib/NetworkManager/nm-dhcp-helper
     /usr/lib/connman/scripts/dhclient-script
     /usr/lib/cups/backend/cups-pdf
     /usr/sbin/cups-browsed
     /usr/sbin/cupsd
     /usr/sbin/cupsd//third_party
     /{,usr/}sbin/dhclient
     lsb_release
     man_filter
     man_groff
     nvidia_modprobe
     nvidia_modprobe//kmod
    1 profiles are in complain mode.
       nginx
    0 profiles are in kill mode.
    0 profiles are in unconfined mode.
    2 processes have profiles defined.
    2 processes are in enforce mode.
      /usr/sbin/cups-browsed (2128)
      /usr/sbin/cupsd (805)
    0 processes are in complain mode.
    0 processes are unconfined but have a profile defined.
    0 processes are in mixed mode.
    0 processes are in kill mode.
    

    Notice that the nginx profile is in complain mode, in alignment with the flags in the profile you created.

  6. Set the nginx profile to enforce mode.

    # /usr/sbin/aa-enforce /usr/sbin/nginx
    
    Setting /usr/sbin/nginx to enforce mode
    Warning: profile nginx represents multiple programs
    
  7. Check the profile status again.

    # /usr/sbin/aa-status
    
    apparmor module is loaded.
    15 profiles are loaded.
    15 profiles are in enforce mode.
     /usr/bin/man
     /usr/lib/NetworkManager/nm-dhcp-client.action
     /usr/lib/NetworkManager/nm-dhcp-helper
     /usr/lib/connman/scripts/dhclient-script
     /usr/lib/cups/backend/cups-pdf
     /usr/sbin/cups-browsed
     /usr/sbin/cupsd
     /usr/sbin/cupsd//third_party
     /{,usr/}sbin/dhclient
     lsb_release
     man_filter
     man_groff
     nginx
     nvidia_modprobe
     nvidia_modprobe//kmod
    0 profiles are in complain mode.
    0 profiles are in kill mode.
    0 profiles are in unconfined mode.
    2 processes have profiles defined.
    2 processes are in enforce mode.
      /usr/sbin/cups-browsed (2128)
      /usr/sbin/cupsd (805)
    0 processes are in complain mode.
    0 processes are unconfined but have a profile defined.
    0 processes are in mixed mode.
    0 processes are in kill mode.
    

    Notice that the nginx profile is now listed among the profiles in enforce mode.
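    To see how the rules from step 3 combine, the following added Python example (not part of this procedure and not AppArmor's own code) parses that profile and evaluates single file accesses with AppArmor's precedence: an explicit deny wins even in complain mode, a matching allow rule permits, and anything unmatched is denied in enforce mode but allowed and logged in complain mode. It assumes a simplified path matcher covering only **, *, ? and {a,b}, and it does not expand include files.

```python
import re

# The profile from step 3, embedded here as this example's constructed input.
PROFILE = """#include <tunables/global>
profile nginx /usr/sbin/nginx flags=(complain) {
  include <abstractions/base>
  /usr/sbin/nginx rix,                 # read + inherit-execute
  /var/www/html/ r,
  /var/www/html/** r,
  /etc/nginx/nginx.conf r,
  /etc/nginx/sites-enabled/ r,
  /etc/nginx/sites-enabled/** r,
  deny /etc/passwd r,
  deny /home/** rw,
}"""

def glob_to_regex(pattern):
    """AppArmor path globbing: ** crosses '/', * and ? do not, {a,b} alternates."""
    simple = {"*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")", ",": "|"}
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        else:
            out, i = out + simple.get(pattern[i], re.escape(pattern[i])), i + 1
    return re.compile("^" + out + "$")

def parse_profile(text):
    """Return (mode, rules); each rule is (is_deny, regex, perms). Includes are skipped."""
    mode, rules = "enforce", []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",")   # drop comments, trailing comma
        if line.endswith("{"):                            # profile header carries the flags
            mode = "complain" if "flags=(complain)" in line else "enforce"
            continue
        tokens = line.split()
        is_deny = tokens[:1] == ["deny"]
        tokens = tokens[1:] if is_deny else tokens
        if len(tokens) == 2 and tokens[0].startswith("/"):   # "<path> <perms>"
            rules.append((is_deny, glob_to_regex(tokens[0]), set(tokens[1])))
    return mode, rules

def check_access(profile_text, path, perm):
    """'deny', 'allow', or 'complain' (unmatched: allowed but logged in complain mode)."""
    mode, rules = parse_profile(profile_text)
    if any(d and rx.match(path) and perm in p for d, rx, p in rules):
        return "deny"                       # explicit deny wins, even in complain mode
    if any(not d and rx.match(path) and perm in p for d, rx, p in rules):
        return "allow"
    return "complain" if mode == "complain" else "deny"
```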
