AppArmor
Overview
Included with openSUSE and SUSE Linux Enterprise, AppArmor is an application security tool designed to provide an easy-to-use security framework for your applications. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies, called "profiles", completely define what system resources individual applications can access, and with what privileges. A number of default profiles are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor profiles for even very complex applications can be deployed successfully in a matter of hours.
A detailed description of AppArmor is available; it discusses the problem that AppArmor is intended to solve, and the technology and paradigm of the AppArmor solution. A guide for geeks with more details and less marketing is also available.
- openSUSE 10.3 includes AppArmor 2.1, which has several enhancements and a few semantic changes. For a detailed description of the changes, look here.
- openSUSE 11.0 includes AppArmor 2.3, which has several more enhancements and a few semantic changes. For a detailed description of the changes, look here.
Getting the Software
AppArmor packages can be downloaded from the AppArmor page on Novell Forge and AppArmor RPMs are included in SUSE Linux 10.1 and later.
Integrated packages are also included with all SUSE distributions from SUSE Linux Enterprise Server 9, Service Pack 3 (SLES9 SP3) onward, including SLES10, SLED10, and openSUSE 10.0, 10.1, 10.2, and 10.3. These packages are all licensed GPL2.
AppArmor integrated into openSUSE and SUSE Linux Enterprise
AppArmor consists of:
- a kernel module, shipped with the SUSE Linux kernel, which enforces the security profiles
- a collection of RPMs, also shipped with SUSE Linux, that provide:
  - a set of AppArmor profiles for numerous programs that ship with SUSE Linux
  - tools to create and manage new and existing AppArmor profiles
  - a YaST user interface to manage reports and notification of security events
  - documentation about the AppArmor tools
It is best to reboot a system after completing installation, so that AppArmor can confine all system daemons.
The AppArmor RPMs
These can be selected during installation, or afterwards, from the SUSE Linux package management user interface in YaST.
- libapparmor
- apparmor-profiles
- apparmor-utils
- apparmor-parser
- yast2-apparmor
- apparmor-docs
Development Version of AppArmor
For new features that are currently under active development, the AppArmor page on Novell Forge hosts downloads of source code for review and community feedback. When features have been stabilized and are ready for integration testing and use, they will become part of SUSE Linux.
Communicate
The AppArmor developers are on the openSUSE mailing list for questions. In addition, there are specific mailing lists for AppArmor that users can post to or join to communicate with developers.
- apparmor-general@forge.novell.com is a mailing list for end users of AppArmor. A good place for questions about how to use AppArmor to protect your applications.
- apparmor-dev@forge.novell.com is a developer mailing list for AppArmor developers and community members. This list is for questions about development of core AppArmor features - the kernel module, the profiling tools. If you are interested in reviewing the code for AppArmor and contributing reviews or patches, this would be the list for you.
- apparmor-announce@forge.novell.com is a low traffic list announcing the availability of new releases or features.
Contribute
There are ways that you can help: creating AppArmor profiles for applications that you run or reporting bugs that you find will help make openSUSE/SUSE Linux Enterprise a more secure platform for running your applications.
AppArmor Profiles
The SUSE Linux distribution contains integrated AppArmor tools and profiles for you to use to secure your applications and create new profiles. You can contribute new profiles for applications that you are interested in by following the recipe to generate new profiles, or to enhance existing profiles. This process is explained in detail in the AppArmor administration guide section 3.3.
If you have new or modified profiles, you can upload them to the profile repository or submit them to the apparmor-general@forge.novell.com mailing list along with a use case for the application behavior that you exercised. The AppArmor team will review and may submit the work into SUSE Linux. We can't guarantee that every profile will be included, but we will make a sincere effort to include as much as possible so that end users can contribute to the security profiles that ship in SUSE Linux.
AppArmor Profile Repository
AppArmor 2.1 (openSUSE 10.3) includes support for the profile repository, which is an online community database of profiles. The database is freely available and has profiles for multiple distributions. The repository allows users to create their own accounts and share their profiles.
The profile repository can be accessed via the web, or through the tools on AppArmor 2.1 (openSUSE 10.3) and later.
Bug Fixing
If you see a problem with an AppArmor tool or profile, you can use Bugzilla (Product: SUSE LINUX X.Y, Component: AppArmor) to submit the description of the problem. For advice on what information most helps us fix bugs, please see Bugs:AppArmor.
Press Articles
- Nice description and quick overview with screenshots: Protect your applications with AppArmor.
- Linux Magazine's comparison of AppArmor and SELinux: Linux Magazine Issue 69: August 2006.
- eWeek's comparison of AppArmor and SELinux: Wield the Shield: How Trustworthy Is Your OS?.
Other Links
- Crispin Cowan (the AppArmor project lead) gave an interesting talk at FOSDEM 2006: http://ftp.heanet.ie/mirrors/fosdem-video/2006/FOSDEM2006-apparmor.avi (271 MB)