AppArmorの基本操作をまとめます。
記事の目次
動作確認をした環境を確認する!
動作確認した環境を確認します。
$ hostnamectl
Static hostname: vmswps01
Icon name: computer-vm
Chassis: vm
Machine ID: 71bb07e8b0b241a7b80c0ffc45302ee2
Boot ID: 0c944ead31fd4098a50494eb25a79e50
Virtualization: oracle
Operating System: Ubuntu 22.04.2 LTS
Kernel: Linux 5.15.0-78-generic
Architecture: x86-64
Hardware Vendor: innotek GmbH
Hardware Model: VirtualBox
AppArmorの状態を確認する!
AppArmorの状態を確認します。
$ systemctl status apparmor
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Active: active (exited) since Tue 2023-08-22 21:29:25 UTC; 25min ago
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Process: 524 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
Main PID: 524 (code=exited, status=0/SUCCESS)
CPU: 33ms
AppArmorを無効化する!
AppArmorを無効化して停止します。
$ sudo systemctl disable --now apparmor
Synchronizing state of apparmor.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable apparmor
Removed /etc/systemd/system/sysinit.target.wants/apparmor.service.
$ systemctl status apparmor
○ apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; disabled; vendor preset: enabled)
Active: inactive (dead) since Tue 2023-08-22 21:56:41 UTC; 36s ago
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Process: 1225 ExecStop=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 524 (code=exited, status=0/SUCCESS)
CPU: 871us
AppArmorを有効化する!
AppArmorを有効化して起動します。
$ sudo systemctl enable --now apparmor
Synchronizing state of apparmor.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable apparmor
Created symlink /etc/systemd/system/sysinit.target.wants/apparmor.service → /lib/systemd/system/apparmor.service.
$ systemctl status apparmor
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Active: active (exited) since Tue 2023-08-22 21:58:17 UTC; 12s ago
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Process: 1336 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
Main PID: 1336 (code=exited, status=0/SUCCESS)
CPU: 28ms
プロファイルを操作するためのコマンドをインストールする!
$ sudo apt install apparmor-utils -y Reading package lists... Done Building dependency tree... Done Reading state information... Done The following additional packages will be installed: python3-apparmor python3-libapparmor Suggested packages: vim-addon-manager The following NEW packages will be installed: apparmor-utils python3-apparmor python3-libapparmor 0 upgraded, 3 newly installed, 0 to remove and 75 not upgraded. ...
プロファイルの状態を確認する!
AppArmorのプロファイルの状態を確認します。
$ sudo apparmor_status
apparmor module is loaded.
31 profiles are loaded.
31 profiles are in enforce mode.
/snap/snapd/18357/usr/lib/snapd/snap-confine
/snap/snapd/18357/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/snap/snapd/19457/usr/lib/snapd/snap-confine
/snap/snapd/19457/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/{,usr/}sbin/dhclient
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
snap-update-ns.lxd
snap.lxd.activate
snap.lxd.benchmark
snap.lxd.buginfo
snap.lxd.check-kernel
snap.lxd.daemon
snap.lxd.hook.configure
snap.lxd.hook.install
snap.lxd.hook.remove
snap.lxd.lxc
snap.lxd.lxc-to-lxd
snap.lxd.lxd
snap.lxd.migrate
snap.lxd.user-daemon
tcpdump
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
プロファイルを追加する!
AppArmorのプロファイルを追加します。
$ sudo apt install apparmor-profiles Reading package lists... Done Building dependency tree... Done Reading state information... Done The following NEW packages will be installed: apparmor-profiles 0 upgraded, 1 newly installed, 0 to remove and 75 not upgraded. ...
プロファイルが追加されたことを確認します。
$ sudo apparmor_status
apparmor module is loaded.
48 profiles are loaded.
31 profiles are in enforce mode.
/snap/snapd/18357/usr/lib/snapd/snap-confine
/snap/snapd/18357/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/snap/snapd/19457/usr/lib/snapd/snap-confine
/snap/snapd/19457/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/{,usr/}sbin/dhclient
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
snap-update-ns.lxd
snap.lxd.activate
snap.lxd.benchmark
snap.lxd.buginfo
snap.lxd.check-kernel
snap.lxd.daemon
snap.lxd.hook.configure
snap.lxd.hook.install
snap.lxd.hook.remove
snap.lxd.lxc
snap.lxd.lxc-to-lxd
snap.lxd.lxd
snap.lxd.migrate
snap.lxd.user-daemon
tcpdump
17 profiles are in complain mode.
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
identd
klogd
mdnsd
nmbd
nscd
php-fpm
ping
samba-bgqd
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
すべてのプロファイルを「complain」モードに変更する!
AppArmorのすべてのプロファイルを「complain」モードに変更します。
$ sudo aa-complain /etc/apparmor.d/*
すべてのプロファイルを「enforce」モードに変更する!
AppArmorのすべてのプロファイルを「enforce」モードに変更します。
$ sudo aa-enforce /etc/apparmor.d/*
特定のプロファイルをリロードする!
AppArmorの特定のプロファイルをリロードします。以下の「profile.name」をプロファイル名に変更して実行します。
$ sudo apparmor_parser -r /etc/apparmor.d/profile.name
すべてのプロファイルをリロードする!
AppArmorのすべてのプロファイルをリロードします。
$ sudo systemctl reload apparmor.service
おわりに
AppArmorの基本操作をまとめました。
参考情報
関連記事
