AppArmor is a security framework/tool similar to SELinux. Its main job is to control the permissions of applications, for example reading or writing a particular directory or file, or opening, reading from and writing to network ports.
A quotation from the Novell website:
AppArmor uses a configuration file (a profile) to specify the permissions of an application. In most cases, system security can be improved by restricting permissions that an application does not need. I ran into exactly such security issues myself in "打造私有的DNS 服务" (building a private DNS service) and "apparmor 引起自定义mysql 日志问题" (AppArmor causing a problem with custom MySQL logs).
AppArmor is the default choice on Ubuntu, but by default the system ships with very few profiles. Additional AppArmor profiles can be installed with the command: sudo apt-get install apparmor-profiles.
On Ubuntu, the command sudo apparmor_status shows the current AppArmor status.
The profiles shipped by default, before running sudo apt-get install apparmor-profiles:
$ sudo apparmor_status
apparmor module is loaded.
6 profiles are loaded.
6 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/mysqld
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
4 processes have profiles defined.
4 processes are in enforce mode.
   /sbin/dhclient (471)
   /sbin/dhclient (1088)
   /usr/sbin/mysqld (886)
   /usr/sbin/ntpd (4131)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
After running sudo apt-get install apparmor-profiles:
$ sudo apparmor_status
apparmor module is loaded.
42 profiles are loaded.
9 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/mysqld
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
33 profiles are in complain mode.
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//lsb_release
   /usr/lib/chromium-browser/chromium-browser//xdgsettings
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/{sbin/traceroute,bin/traceroute.db}
   /{usr/,}bin/ping
4 processes have profiles defined.
4 processes are in enforce mode.
   /sbin/dhclient (581)
   /sbin/dhclient (1115)
   /usr/sbin/mysqld (924)
   /usr/sbin/ntpd (3684)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
You can see that a number of new profiles have been installed. Note that most of them are in complain mode, where violations are only logged and not blocked. AppArmor profiles are all stored in the directory /etc/apparmor.d, and the corresponding log entries are written to /var/log/messages.
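The following is an added example and not part of the original post: a small Bash script that parses apparmor_status output and flags the two cases where a profile exists but is not actually being enforced (profiles in complain mode, and processes that have a profile but run unconfined). The SAMPLE text is constructed to mirror the format of the listings above; on a real host replace it with the live output of sudo apparmor_status.

```bash
#!/usr/bin/env bash
# Added example: summarise apparmor_status output. Constructed sample below;
# swap in "$(sudo apparmor_status)" to run against a real system.
set -eu

SAMPLE='apparmor module is loaded.
5 profiles are loaded.
3 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/mysqld
   /usr/sbin/tcpdump
2 profiles are in complain mode.
   /usr/sbin/dnsmasq
   /usr/sbin/smbd
3 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (471)
   /usr/sbin/mysqld (886)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/sbin/dnsmasq (900)'

# Print the indented entries that follow the section header containing $1.
# Section headers are unindented; the entries belonging to them are indented.
section() {
    printf '%s\n' "$SAMPLE" | awk -v hdr="$1" '
        /^[^[:space:]]/ { in_sec = (index($0, hdr) > 0); next }
        in_sec          { sub(/^[[:space:]]+/, ""); print }'
}

# Profiles loaded in complain mode: violations are logged, not blocked.
complain_profiles() { section "profiles are in complain mode"; }
complain_count()    { complain_profiles | awk 'END { print NR }'; }

# Running processes with a profile on disk that is not applied to them
# (typically started before the profile was loaded; a restart picks it up).
unconfined_procs() { section "processes are unconfined but have a profile defined"; }

# Succeeds only when every loaded profile is enforced and every profiled
# process is actually confined.
check_enforced() {
    [ -z "$(complain_profiles)" ] && [ -z "$(unconfined_procs)" ]
}

if check_enforced; then
    echo "OK: all loaded profiles enforced"
else
    echo "WARNING: $(complain_count) profile(s) in complain mode:"; complain_profiles
    echo "WARNING: unconfined processes with a profile:";             unconfined_procs
fi
```

With the constructed sample the script reports dnsmasq and smbd in complain mode and the dnsmasq process (PID 900) as unconfined, which is exactly the situation the apparmor-profiles package leaves you in until you switch profiles to enforce mode.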
AppArmor uses the kernel's standard security filesystem mechanism (/sys/kernel/security) to load and monitor profiles. The virtual file /sys/kernel/security/apparmor/profiles lists the profiles currently loaded.
The commands for restarting, starting and stopping AppArmor are as follows:
Original post: Ubuntu apparmor何方神圣