AppArmor 是一個類似于selinux 的東東,主要的作用是設置某個可執行程序的訪問控制權限,可以限制程序 讀/寫某個目錄/文件,打開/讀/寫網絡端口等等。
Novell給出的Apparmor的解釋:
|
?AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if they are exploiting previously unknown vulnerabilities.
|
之所以選擇Apparmor而不是SELinux,主要基于以下兩點原因:
- 對于初學者來說,Apparmor比SELinux更簡單
- ubuntu的粉絲,ubuntu選擇了Apparmor,同理,如果你是fedora的粉絲,很明顯會選擇SELinux
實事求是的說,SELinux比Apparmor更安全,更靈活,同時配置起來也更復雜。SELinux與Apparmor最大的區別在于:Apparmor使用文件名(路徑名)最為安全標簽,而SELinux使用文件的inode作為安全標簽,這就意味著,Apparmor機制可以通過修改文件名而被繞過,另外,在文件系統中,只有inode才具有唯一性。
由于ubuntu發行版已經自帶了Apparmor的package,所以只需要在命令行中輸入如下命令,就可以查詢當前Apparmor的狀態:
- sudo apparmor_status
從上圖中可以看出,當前Apparmor包含了20個profile文件,而且都處于enforce狀態,沒有處于enforce狀態的文件。
Apparmor的profile文件分為兩類:enforce與complain mode,存在于/etc/apparmor.d/目錄下,下面來看下官方給出的兩種不同狀態的profile的解釋。
Enforcing: This means the profile is actively protecting the application. By default, Ubuntu already locks down the CUPS daemon for you, but you will see several other profiles listed that you can set to enforce mode at any time.Complain: This means a profile exists but is not yet actively protecting the application. Instead, it is sort of in "debug" mode and will put "complain" messages into /var/log/messages. What this means is that if the application wants to read, write, or execute something that isn't listed in the profile, it will complain. This is how you generally create a profile.
簡單理解就是:如果某個程序不符合其profile文件的限制,改程序就會被apparmor“打小報告”,即將該程序的行為記錄在系統日志中,但是程序訪問行為會成功,比如本來沒有讓某個程序訪問某個文件,但就是訪問,僅僅報告一下,文件訪問會成功,如果在enforce模式下,文件訪問就會失敗。
如果想把某個profile置為enforce狀態,執行如下命令:- sudo enforce <application_name>
- sudo complain <application_name>
- sudo /etc/init.d/apparmor restart
- sudo apt-get install apparmor-profiles
(2)通過工具來管理profile,比較著名是:apparmor-utils,通過如下命令進行安裝:
- sudo apt-get install apparmor-utils
再看一個手工編寫的profile,熟悉下其語法格式,如果想更詳細的學習,參見具體的講解profile語法格式的文檔,如: http://ubuntuforums.org/showthread.php?t=1008906 。
- #include <tunables/global>
- /usr/bin/kopete { //需要限制的應用程序的名稱
- #include <abstractions/X>
- #include <abstractions/audio>
- #include <abstractions/base>
- #include <abstractions/kde>
- #include <abstractions/nameservice>
- #include <abstractions/user-tmp>
- //限制其在對家目錄下幾個文件的讀寫權限
- deny @{HOME}/.bash* rw,
- deny @{HOME}/.cshrc rw,
- deny @{HOME}/.profile rw,
- deny @{HOME}/.ssh/* rw,
- deny @{HOME}/.zshrc rw,
- /etc/X11/cursors/oxy-white.theme r,
- /etc/default/apport r,
- /etc/kde4/* r,
- /etc/kde4rc r,
- /etc/kderc r,
- /etc/security/* r,
- /etc/ssl/certs/* r,
- owner /home/*/ r,
- /opt/firefox/firefox.sh Px,
- /usr/bin/convert rix,
- /usr/bin/kde4 rix,
- /usr/bin/kopete r,
- /usr/bin/kopete_latexconvert.sh rix,
- /usr/bin/launchpad-integration ix,
- /usr/bin/xdg-open mrix,
- /usr/lib/firefox*/firefox.sh Px,
- /usr/lib/kde4/**.so mr,
- /usr/lib/kde4/libexec/drkonqi ix,
- /usr/share/emoticons/ r,
- /usr/share/emoticons/** r,
- /usr/share/enchant/** r,
- /usr/share/kde4/** r,
- /usr/share/kubuntu-default-settings/** r,
- /usr/share/locale-langpack/** r,
- /usr/share/myspell/** r,
- owner @{HOME}/.config/** rwk,
- owner @{HOME}/.kde/** rwlk,
- owner @{HOME}/.local/share/mime/** r,
- owner @{HOME}/.thumbnails/** rw,
- owner @{HOME}/Downloads/ rw,
- owner @{HOME}/Downloads/** rw,
- }
- r = read
- w = write
- l = link
- k = lock
- a = append
- ix = inherit = Inherit the parent's profile.
- px = requires a separate profile exists for the application, with environment scrubbing.
- Px = requires a separate profile exists for the application, without environment scrubbing.
- ux and Ux = Allow execution of an application unconfined, with and without environmental scrubbing. (use with caution if at all).
- m = allow executable mapping.
更多文章、技術交流、商務合作、聯系博主
微信掃碼或搜索:z360901061
微信掃一掃加我為好友
QQ號聯系: 360901061
您的支持是博主寫作最大的動力,如果您喜歡我的文章,感覺我的文章對您有幫助,請用微信掃描下面二維碼支持博主2元、5元、10元、20元等您想捐的金額吧,狠狠點擊下面給點支持吧,站長非常感激您!手機微信長按不能支付解決辦法:請將微信支付二維碼保存到相冊,切換到微信,然后點擊微信右上角掃一掃功能,選擇支付二維碼完成支付。
【本文對您有幫助就好】元
