How-To Geek

HTG Explains: What AppArmor Is and How It Secures Your Ubuntu System

AppArmor is an important security feature that’s been included by default with Ubuntu since Ubuntu 7.10. However, it runs silently in the background, so you may not be aware of what it is and what it’s doing.

AppArmor locks down vulnerable processes, restricting the damage security vulnerabilities in these processes can cause. AppArmor can also be used to lock down Mozilla Firefox for increased security, but it doesn’t do this by default.

What is AppArmor?

AppArmor is similar to SELinux, used by default in Fedora and Red Hat. While they work differently, both AppArmor and SELinux provide “mandatory access control” (MAC) security. In effect, AppArmor allows Ubuntu’s developers to restrict the actions processes can take.

For example, one application that’s restricted in Ubuntu’s default configuration is the Evince PDF viewer. While Evince may run as your user account, it can only take specific actions. Evince only has the bare minimum of permissions needed to run and work with PDF documents. If a vulnerability were discovered in Evince’s PDF renderer and you opened a malicious PDF document that took over Evince, AppArmor would restrict the damage Evince could do. In the traditional Linux security model, Evince would have access to everything you have access to. With AppArmor, it only has access to things that a PDF viewer needs access to.

AppArmor is particularly useful for restricting software that may be exploited, such as a web browser or server software.

Viewing AppArmor’s Status

To view AppArmor’s status, run the following command in a terminal:

sudo apparmor_status

You’ll see whether AppArmor is running on your system (it’s running by default), the AppArmor profiles that are installed, and the confined processes that are running.

AppArmor Profiles

In AppArmor, processes are restricted by profiles. The list above shows us the profiles that are installed on the system – these ones come with Ubuntu. You can also install other profiles by installing the apparmor-profiles package. Some packages – server software, for example – may come with their own AppArmor profiles that are installed on the system along with the package. You can also create your own AppArmor profiles to restrict software.

Profiles can run in “complain mode” or “enforce mode.” In enforce mode – the default setting for the profiles that come with Ubuntu – AppArmor prevents applications from taking restricted actions. In complain mode, AppArmor allows applications to take restricted actions and creates a log entry complaining about this. Complain mode is ideal for testing an AppArmor profile before enabling it in enforce mode – you’ll see any errors that would occur in enforce mode.

Profiles are stored in the /etc/apparmor.d directory. These profiles are plain-text files that can contain comments.
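To show what such a file looks like, here is a small annotated profile written for this explanation (it is not one of Ubuntu's shipped profiles or code from the article) for a hypothetical PDF viewer installed as /usr/bin/example-viewer. The program, its package paths and the particular rules are assumptions chosen to mirror the Evince description above; the abstractions and tunables it includes are the ones that ship with AppArmor.

```apparmor
# Hypothetical profile; would be saved as /etc/apparmor.d/usr.bin.example-viewer
# (profiles are named after the path of the program they confine).

#include <tunables/global>

# "flags=(complain)" logs violations instead of blocking them. Remove the flags
# clause (or run "sudo aa-enforce" on the profile) to switch to enforce mode.
/usr/bin/example-viewer flags=(complain) {
  # Abstractions bundle the rules nearly every desktop program needs
  # (libc, locale data, fonts, the X socket), so they need not be repeated.
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # The executable itself: read (r) and map into memory for execution (m).
  /usr/bin/example-viewer mr,

  # Code and data shipped with the package.
  /usr/lib/example-viewer/** mr,
  /usr/share/example-viewer/** r,

  # Documents: read-only access to files the invoking user owns under
  # their home directory. Nothing here grants write access to those files.
  owner @{HOME}/** r,

  # The viewer may create and update its own per-user configuration,
  # including file locking (k) for its settings database.
  owner @{HOME}/.config/example-viewer/ rw,
  owner @{HOME}/.config/example-viewer/** rwk,

  # Explicit denials take precedence over the broad read rule above, so a
  # compromised viewer cannot even read keys and credentials.
  deny @{HOME}/.ssh/** mrwkl,
  deny @{HOME}/.gnupg/** mrwkl,

  # No rule grants network access or execution of other programs, so an
  # attempt to spawn a shell or open a socket is refused in enforce mode
  # and, in complain mode, recorded in the audit log as ALLOWED.
}
```

Load it with sudo apparmor_parser -a on the file, as the Firefox instructions below do, and check the result with sudo apparmor_status, where it appears under the complain-mode list until the flags clause is removed.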

Enabling AppArmor For Firefox

You may also notice that AppArmor comes with a Firefox profile – it’s the usr.bin.firefox file in the /etc/apparmor.d directory. It isn’t enabled by default, as it may restrict Firefox too much and cause problems. The /etc/apparmor.d/disable folder contains a link to this file, indicating that it’s disabled.

To enable the Firefox profile and confine Firefox with AppArmor, run the following commands:

sudo rm /etc/apparmor.d/disable/usr.bin.firefox

sudo apparmor_parser -a /etc/apparmor.d/usr.bin.firefox

After you run these commands, run the sudo apparmor_status command again and you’ll see that the Firefox profiles are now loaded.

To disable the Firefox profile if it’s causing problems, run the following commands:

sudo ln -s /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/disable/

sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox


For more detailed information about using AppArmor, consult the official Ubuntu Server Guide’s page on AppArmor.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 07/6/12

Comments (5)

  1. Praveen Sripati

    Got an error while enabling AppArmor for FF

    praveensripati@UbuntuHost:/etc/apparmor.d$ cat /etc/apparmor.d/usr.bin.firefox | sudo apparmor_parser –a
    Error: Could not read profile –a: No such file or directory.

  2. Paul

    “To enable the Firefox profile and confine Firefox with AppArmor, run the following commands:
    sudo rm /etc/apparmor.d/disable/usr.bin.firefox
    cat /etc/apparmor.d/usr.bin.firefox | sudo apparmor_parser –a”

    Sheesh! This is why Linux will NEVER overtake Windows. After all these years, it’s still just a geek’s OS.

  3. MJ

    @Paul: You don’t NEED to do this if you don’t want to. Linux gives the advanced/geek user a lot of options and much fun, specially for those who don’t mind using the Terminal from time to time (like me). But any non-geek user should be able to run Ubuntu or another distro without learning how to use the Terminal. The system may still have some problems, but hey, Windows systems have problems too (I use them both but I’m trying to slowly move to Ubuntu).

  4. Dazed_75

    While interesting, this article lacks sufficient information or references for the reader to have a clue what the rules actually mean. As a daily reader of HTG, I found this one disappointing.

    Paul, I think you are missing the point that this is all automatic for the user. A user wanting to do more is ABLE to and like many things in Windows requires some degree of geekiness for the user to be using power shell, editing obscure configuration files or editing the registry.

  5. Praveen Sripati

    I don’t use the FF which comes with Ubuntu, but I download latest FF and start using it. What changes to the command are required?
