Should I disable AppArmor? July 7, 2009
Posted by jdstrand in security, ubuntu, ubuntu-server.Tags: canonical
trackback
Short answer: Of course not!
Longer answer:
Ubuntu has had AppArmor1 on by default for a while now, and with each new release more and more profiles are added. The Ubuntu community has worked hard to make the installed profiles work well, and by far and large, most people happily use their Ubuntu systems without noticing AppArmor is even there.
Of course, like with any software, there are bugs. I know these AppArmor profile bugs can be frustrating, but because AppArmor is a path-based system, diagnosing, fixing and even working around profile bugs is actually quite easy. AppArmor has the ability to disable specific profiles rather than simply turning it on or off, yet I’ve seen people in IRC and forums advise others to disable AppArmor completely. This is totally misguided and YOU SHOULD NEVER DISABLE APPARMOR ENTIRELY to work around a profiling problem. That is like trying to open your front door with dynamite– it will work, but it’ll leave a big hole and you’ll likely hurt yourself. Think about it, on my regular ol’ Jaunty laptop system, I have 4 profiles in place installed via Ubuntu packages (to see the profiles on your system, look in /etc/apparmor.d). Why would I want to disable all of AppArmor (and therefore all of those profiles) instead of dealing with just the one that is causing me problems? Obviously, the more software you install with AppArmor protection, the more you have to lose by disabling AppArmor completely.
So, when dealing with a profile bug, there are only a few things you need to know:
- AppArmor messages show up in /var/log/kern.log (by default)
- AppArmor profiles are located in /etc/apparmor.d
- The profile name is, by convention, <absolute path with ‘/’ replaced by ‘.’>. E.g ‘/etc/apparmor.d/sbin.dhclient3′ is the profile for ‘/sbin/dhclient3′.
- Profiles are simple text files
With this in mind, let’s say tcpdump is misbehaving. You can check /var/log/kern.log for entries like:
Jul 7 12:21:15 laptop kernel: [272480.175323] type=1503 audit(1246987275.634:324): operation="inode_create" requested_mask="a::" denied_mask="a::" fsuid=0 name="/opt/foo.out" pid=24113 profile="/usr/sbin/tcpdump"
That looks complicated, but it isn’t really, and it tells you everything you need to know to file a bug and fix the problem yourself. Specifically, “/usr/sbin/tcpdump” was denied “a” access to “/opt/foo.out”.
So now what?
If you are using the program with a default configuration or non-default but common configuration, then by all means, file a bug. If unsure, ask on IRC, on a mailing list or just file it anyway.
If you are a non-technical user or just need to put debugging this issue on hold, then you can disable this specific profile (there are others ways of doing this, but this method works best):
$ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump
$ sudo ln -s /etc/apparmor.d/usr.sbin.tcpdump /etc/apparmor.d/disable/usr.sbin.tcpdump
What that does is remove the profile for tcpdump from the kernel, then disables the profile such that AppArmor won’t load it when it is started (eg, on reboot). Now you can use the application without AppArmor protection, but leaving all those other applications with profiles protected.
If you are technically minded, dive into /etc/apparmor.d/usr.sbin.tcpdump and adjust the profile, then reload it:
$ sudo <your favorite editor> /etc/apparmor.d/usr.sbin.tcpdump
$ sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.tcpdump
This will likely be an iterative process, but you can base your new or updated rules on what is already the profile– it is pretty straightforward. After a couple of times, it will be second nature and you might want to start contributing to developing new profiles. Once the profile is working for you, please add your proposed fix to the bug report you filed earlier.
The DebuggingApparmor page has information on how to triage, fix and work-around AppArmor profile bugs. To learn more about AppArmor and the most frequently used access rules, install the apparmor-docs package, and read /usr/share/doc/apparmor-docs/techdoc.pdf.gz.
1. For those of you who don’t know, AppArmor is a path-based (as opposed to SELinux, which is inode-based) mandatory access control (MAC) system that limits access a process has to a predefined set of files and operations. These access controls are known as ‘profiles’ in AppArmor parlance.
Add a GUI and you’ll get higher level o running AppArmors.
Without GUI – people will complain, other will tell them to disable and both will be happy.
Add a GUI. PolicyKit-based, as a tray icon program.
Sure, and this is planned (perhaps even for Karmic). That said, the few times I’ve seen the bad advice, it is normally related to server software.
Can’t I just delete the offending profile in /etc/apparmor.d/ and reboot?
Yes, but this isn’t recommended because you’ll have a hard time getting the profile back if you ever want it.
“That is like trying to open your front door with dynamite– it will work, but it’ll leave a big hole and you’ll likely hurt yourself.”
Uh huh. That’s just plain misleading. While AppArmor does add to the security of a system, you’re NOT *likely* to hurt yourself without it. Under certain conditions if you do all sorts of other things wrong, you *might* (and that’s a very strong might) create an issue. But it is in no way *likely*.
But I love the fear mongering, it makes Linux look like it’s really an insecure operating system.
You misunderstood the point. There are potentially many AppArmor profiles providing confinement on an Ubuntu system. If one is causing problems, it is silly to disable all of AppArmor because of it. The other profiles are doing their job just fine.