IBM 10 SP1 EAL4 Server User Manual


px - discrete profile execute
Px - discrete profile execute after scrubbing the environment
ix - inherit execute
m - allow PROT_EXEC with mmap(2) calls
l - link
For more information about complete AppArmor profile syntax, please see the apparmor.d man page.
AppArmor profiles are loaded into the kernel by the apparmor_parser tool. apparmor_parser can
load new profiles, replace profiles, and remove profiles. Each profile can optionally be loaded in
“Complain” mode, in which AppArmor does not enforce the profile but only logs a message for any
access that the profile would have denied. For more information on apparmor_parser, see the
apparmor_parser man page.
AppArmor also provides a status tool, apparmor_status. apparmor_status provides information
about the number of profiles loaded in enforcing and complaining mode and the number of running processes
being confined by AppArmor. For more information on apparmor_status please see the
apparmor_status man page.
The confined program reports which programs with open network sockets are running without the
protection of an AppArmor profile. The complain program allows an authorized administrator to switch
AppArmor out of enforcing mode and into complaining mode for a targeted program. The enforce program
allows an authorized administrator to do the opposite, switch from complain to enforcing mode for a
particular profile. genprof can be used to generate a profile with all of the permissions that were exercised
during a test run of the targeted program. Please see the confined, enforce, complain, and genprof man pages
for more detail.
For an application contained by an AppArmor profile, access that is not explicitly allowed is denied.
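The following is an added example, not code from the manual or from AppArmor itself: a small model of how path rules in the profile syntax listed above are evaluated. It parses a constructed sample profile (the program and paths are illustrative), treats `*` as matching within one path component and `**` as spanning directories, and answers access questions with the default-deny rule stated above: anything the profile does not explicitly allow is denied. The simple `r` and `w` permissions, and the `ux`/`Ux` execute modes, are taken from the apparmor.d man page rather than from this page.

```python
"""Simplified model of AppArmor profile evaluation (added example)."""
import re

# Constructed sample profile; the daemon and its paths are illustrative only.
SAMPLE_PROFILE = r"""
/usr/sbin/exampled {
  /etc/exampled.conf        r,
  /var/log/exampled.log     w,
  /var/lib/exampled/**      rw,
  /lib/lib*.so*             mr,
  /usr/lib/exampled/helper  Px,
  /bin/sh                   ix,
  /usr/sbin/exampled        l,
}
"""

# Execute modes are two-letter tokens and mutually exclusive within one rule;
# ux/Ux (unconfined execute) are assumed from the apparmor.d man page.
EXEC_MODES = ("px", "Px", "ix", "ux", "Ux")
SIMPLE_PERMS = set("rwlm")   # read, write, link, mmap PROT_EXEC
RULE_RE = re.compile(r"^\s*(\S+)\s+([A-Za-z]+)\s*,\s*$")


def glob_to_regex(glob):
    """AppArmor globbing: '*' stays within a path component, '**' crosses '/'."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out += ".*"
            i += 2
        elif glob[i] == "*":
            out += "[^/]*"
            i += 1
        elif glob[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(glob[i])
            i += 1
    return re.compile("^" + out + "$")


def parse_rule(line):
    """Return (path_glob, set_of_permissions) for one 'path perms,' rule."""
    m = RULE_RE.match(line)
    if not m:
        return None
    path, perms = m.groups()
    granted = set()
    for mode in EXEC_MODES:          # pull out the execute mode first
        if mode in perms:
            granted.add(mode)
            perms = perms.replace(mode, "", 1)
            break
    for ch in perms:                 # what remains must be simple permissions
        if ch not in SIMPLE_PERMS:
            raise ValueError(f"unknown permission {ch!r} in rule: {line.strip()}")
        granted.add(ch)
    return path, granted


def parse_profile(text):
    """Return (profile_name, [(compiled_path_regex, permissions), ...])."""
    name, rules = None, []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped == "}":
            continue
        if stripped.endswith("{"):
            name = stripped[:-1].strip()
            continue
        parsed = parse_rule(line)
        if parsed is None:
            raise ValueError(f"cannot parse rule: {stripped}")
        path, perms = parsed
        rules.append((glob_to_regex(path), perms))
    return name, rules


def is_allowed(rules, path, perm):
    """Default deny: allowed only if a matching rule grants perm.
    Permissions of all rules matching the path are unioned (a simplification)."""
    granted = set()
    for pattern, perms in rules:
        if pattern.match(path):
            granted |= perms
    return perm in granted


if __name__ == "__main__":
    name, rules = parse_profile(SAMPLE_PROFILE)
    for path, perm in [("/etc/exampled.conf", "r"), ("/etc/exampled.conf", "w"),
                       ("/var/lib/exampled/cache/a.db", "w"), ("/etc/shadow", "r"),
                       ("/usr/lib/exampled/helper", "Px"), ("/bin/sh", "ix")]:
        verdict = "ALLOW" if is_allowed(rules, path, perm) else "DENY"
        print(f"{name}: {perm:>2} {path}: {verdict}")
```

Running the block prints one verdict per query; note that `/etc/shadow` is denied without any explicit deny rule, which is the behaviour the paragraph above describes.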
5.8.2 AppArmor access control functions
AppArmor access control functions are called through LSM hooks from various points in the kernel when
new subjects and objects are created, when access between subject and object is mediated, and when subject
and object security attributes transition to different values (such as during an execve() call). The AppArmor
profile is applied to a process during the execve() call. If an AppArmor profile for an executable is loaded
after instances of that executable have already started running, the preexisting processes will not be confined
by AppArmor. Please see the apparmor man page for additional detail.
5.8.3 securityfs
Communication between the AppArmor kernel component and the AppArmor administrative utilities takes
place through the securityfs interface, mounted at /sys/kernel/security/apparmor.
apparmor_parser uses /sys/kernel/security/apparmor/.load to load new profiles and
likewise uses /sys/kernel/security/apparmor/.replace and
/sys/kernel/security/apparmor/.remove to replace and remove profiles. apparmor_status
uses /sys/kernel/security/apparmor/profiles to generate the status report.
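Because a profile only attaches at execve(), an administrator who loads a profile for a daemon that is already running is left with unconfined instances until they are restarted. The following is an added example, not code from the manual or from the AppArmor utilities, that checks for exactly this: it reads the list of loaded profiles from the securityfs `profiles` file named above and compares it with the AppArmor label of each running process. Two assumptions not stated on this page: the `profiles` file lists one profile per line as `<name> (<mode>)`, and the kernel exposes a process's label through `/proc/PID/attr/current` as either `unconfined` or `<profile> (<mode>)`. The sample data at the bottom is constructed so the functions can be exercised offline.

```python
"""Find running processes that predate the loading of their profile (added example)."""
import os
import re

PROFILES_FILE = "/sys/kernel/security/apparmor/profiles"   # from the manual
LABEL_RE = re.compile(r"^(\S+)(?: \((\w+)\))?$")             # assumed label format


def parse_label(text):
    """'/usr/sbin/ntpd (enforce)' -> ('/usr/sbin/ntpd', 'enforce');
    'unconfined' -> ('unconfined', None)."""
    text = text.strip().rstrip("\x00").strip()
    m = LABEL_RE.match(text)
    if not m:
        return (text, None)
    return (m.group(1), m.group(2))


def parse_profiles_file(text):
    """Map loaded profile name -> mode ('enforce' or 'complain')."""
    loaded = {}
    for line in text.splitlines():
        if line.strip():
            name, mode = parse_label(line)
            loaded[name] = mode
    return loaded


def find_unconfined(processes, loaded):
    """processes: iterable of (pid, exe_path, label_text).
    Returns [(pid, exe, mode)] for processes whose executable has a loaded
    profile (profiles here are named by executable path) but which run unconfined."""
    stale = []
    for pid, exe, label_text in processes:
        name, _ = parse_label(label_text)
        if name == "unconfined" and exe in loaded:
            stale.append((pid, exe, loaded[exe]))
    return stale


def scan_proc(proc_root="/proc"):
    """Collect (pid, exe, label) for live processes; reading other users'
    /proc/PID/exe requires root, so unreadable entries are skipped."""
    out = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"{proc_root}/{entry}/exe")
            with open(f"{proc_root}/{entry}/attr/current") as f:
                label = f.read()
        except OSError:
            continue   # process exited, or no permission, or no LSM attr
        out.append((int(entry), exe, label))
    return out


# Constructed sample data (not captured from a real system).
SAMPLE_PROFILES_TEXT = "/usr/sbin/exampled (enforce)\n/usr/sbin/otherd (complain)\n"
SAMPLE_PROCESSES = [
    (100, "/usr/sbin/exampled", "unconfined\n"),                      # started before load
    (101, "/usr/sbin/exampled", "/usr/sbin/exampled (enforce)\n"),    # started after load
    (102, "/bin/bash", "unconfined\n"),                               # no profile at all
]


def report(processes, profiles_text):
    """Return human-readable lines for each stale (unconfined) process."""
    loaded = parse_profiles_file(profiles_text)
    return [f"pid {pid}: {exe} runs unconfined although its profile is loaded in {mode} mode"
            for pid, exe, mode in find_unconfined(processes, loaded)]


if __name__ == "__main__":
    if os.path.exists(PROFILES_FILE):
        with open(PROFILES_FILE) as f:
            lines = report(scan_proc(), f.read())
    else:
        lines = report(SAMPLE_PROCESSES, SAMPLE_PROFILES_TEXT)
    print("\n".join(lines) or "no unconfined instances of profiled executables")
```

Run as root on a system with securityfs mounted it scans the live process table; elsewhere it falls back to the constructed sample, where pid 100 is the instance that needs restarting.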