Skip to main content
Information Security

Questions tagged [apparmor]

Ask Question

A filesystem-independent Linux kernel security module enabling Mandatory Access Control (MAC).

36 questions
Newest Active Bountied Unanswered
Filter by
Sorted by
Tagged with
0 votes
0 answers
201 views

AppArmor deny all files except specifics

I have a Rust-app which uses PyO3 to execute arbitrary Python code. The Python code should only be able to do basic math operations and in now way should be able to access the network (except ...
O'Niel's user avatar
O'Niel
  • 3,478
0 votes
0 answers
127 views

Apparmor profile for executing untrusted binaries for online judge

I am writing an online judge so I need to sandbox execution of untrusted binaries for judging and for that, I am using apparmor. Here's my current simple profile: #include <tunables/global> ...
Saad Ahmed's user avatar
Saad Ahmed
  • 1
1 vote
1 answer
1k views

How to allow an apparmor profile to create a unix socket

On Ubuntu kinetic, I get multiple DENIED operations by apparmor in /var/log/syslog such as: operation="create" class="net" info="failed type and protocol match" error=-13 ...
jean-christophe manciot's user avatar
jean-christophe manciot
  • 243
1 vote
0 answers
302 views

AppArmor Not Recognizing Files & Directories That Exist (Syntax Error)

I am on Ubuntu 20.04 server running AppArmor 2.13.3 and I have downloaded two additional apparmor profiles, from the [official apparmor repository][1]: usr.sbin.apache2 php-fpm Because I am running ...
minataur's user avatar
minataur
  • 61
1 vote
1 answer
441 views

How do AppArmor and systemd access controls compare?

This may be comparing chalk with cheese, but I'm wondering how these tools compare: pros and cons, similarities and differences, and situations where you would use one vs the other.
Kevin Wheeler's user avatar
Kevin Wheeler
  • 143
0 votes
1 answer
1k views

Is AppArmor used in production environments? [closed]

I was recently having a conversation with a friend about his server system (he does a lot of self-hosting) and he mentioned he was in the middle of configuring SELinux. I was curious about the ...
kotakotakota's user avatar
kotakotakota
  • 103
1 vote
0 answers
177 views

How can I enforce a security sandbox with any process?

Deno (the node.js fork) is designed to be secure by default. Therefore, unless you specifically enable it, a program run with Deno has no file, network, or environment access. Deno has a set of ...
cphoover's user avatar
cphoover
  • 111
2 votes
1 answer
487 views

Getting apparmor to profile a program inside docker container

I'm looking to profile a service running inside a specific docker container. I went through the documentation of aa-genprof and aa-autodep and both take program as input to profile. I can't seem to ...
TheKoolhatkar's user avatar
TheKoolhatkar
  • 29
2 votes
2 answers
1k views

Linux whitelist-based Mandatory Access Control instead of a blacklist-based model

I'm trying to harden a Linux installation on a personal computer - I decided to try both SELinux and AppArmor as a Mandatory Access Control (MAC) to supplement the default Discretionary Access Control ...
Dcompoze's user avatar
Dcompoze
  • 131
0 votes
1 answer
302 views

Restrict privileged users from accessing certain directories on Linux servers with Grsecurity?

My question is similar to these: Protect sensitive data from sysadmin prying eyes Restrict access to a specific directory on Linux From those, I understand that SELinux could accomplish my goal. ...
MountainX's user avatar
MountainX
  • 340
3 votes
1 answer
3k views

Is apparmor default deny?

Is apparmor default deny? For example consider the case under SELinux in enforcing mode, where I install a package with no policy associated with it. SELinux's default behaviour is to deny all ...
sashang's user avatar
sashang
  • 183
7 votes
2 answers
246 views

Opt-in a security profile at runtime, without tedious setup

I like lowering my access privilege mid-program (e.g. restrict my program to the current directory and files, disable networking). I imagine this is a pretty common wish. I would like to be able to ...
fluxrider's user avatar
fluxrider
  • 171
5 votes
1 answer
7k views

apparmor: How to enable dbus feature of apparmor ('dbus mediation'), in the linux kernel?

Would very much like to use apparmor to restrict specific dbus communications within my system. However the following line appears in my syslog: Dec 28 09:36:21 apex snapd[1127]: AppArmor status: ...
Dreamcat4's user avatar
Dreamcat4
  • 225
7 votes
2 answers
6k views

Apparmor - how to 'allow everything' rule, then tighten up?

Being very new to apparmor, would just like to start by placing some simple 1 line restriction on a program. And leave everything else as-is. Also, for other reasons it's not possible for me to easily ...
Dreamcat4's user avatar
Dreamcat4
  • 225
4 votes
2 answers
1k views

Replace application's AppArmor profile without process restart

I'm using AppArmor in complain mode for a process in our production environment and I see some false positive profile violations in my logs. I'd like to roll out an updated profile but I cannot ...
CaptainRR's user avatar
CaptainRR
  • 369
20 votes
2 answers
12k views

Docker: when to use apparmor vs seccomp vs --cap-drop

Docker seems to support both apparmor and seccomp. Docker also allows to drop capabilities when running a container. However I couldn't find any documentation or guideline on when to use which ...
JackDaniels's user avatar
JackDaniels
  • 301
11 votes
2 answers
9k views

Comparison between Firejail and Apparmor

I'd like to understand how Apparmor and Firejail compare to each other: advantages, pros and cons, purposes, similarities, etc. I might be asking to compare apples with oranges, however I've noticed ...
reed's user avatar
reed
  • 15.9k
3 votes
1 answer
308 views

Can a badly configured AppArmor profile reduce security?

Can a badly or even maliciously configured AppArmor profile reduce security, or can it only improve it? I read that apparently AppArmor cannot override unix file permissions, so it shouldn't give a ...
reed's user avatar
reed
  • 15.9k
4 votes
1 answer
370 views

Can too restrictive Linux MAC policy decrease security?

Can too restrictive MAC profile (e.x. AppArmor profile) decrease application security? For example: could it be that too restrictive environment for web browser will protect host system very well ...
Vladimir Berlev's user avatar
Vladimir Berlev
  • 263
2 votes
3 answers
3k views

Allow access to a directory for certain application only

I would like to restrict an access to a directory. For example, on my system there is ~/.thunderbird directory that contains settings, letters, caches, etc of Thunderbird mail client. Obviously, other ...
flaz14's user avatar
flaz14
  • 121
2 votes
1 answer
2k views

Apparmor profile denying read access with r flag

I generated an apparmor profile for the tor binary that comes bundled in Ricochet: # Last Modified: Sun Apr 2 2017 #include <tunables/global> /ricochet/*-ricochet/tor { #include <...
user143794's user avatar
user143794
  • 21
1 vote
0 answers
611 views

Sandboxing applications and files in Debian & GrSecurity [closed]

I'm about to switch from Linux Mint to Debian. But before doing that I'm still looking into a few things to secure Debian. 1) The first thing I want is a kind of 'sandboxing' technology. This to ...
O'Niel's user avatar
O'Niel
  • 3,478
4 votes
2 answers
784 views

What is the best way to approach and generate apparmor profiles?

I'm thinking to start making apparmor profiles for my server, but before I start, I want to make sure that I'm doing in a right way. So, I'm thinking to begin with apache2 profiling. Right now I'm ...
Mirsad's user avatar
Mirsad
  • 10.2k
5 votes
1 answer
2k views

Do AppArmor/SELinux provide any security for workstation?

I decided to harden security on my primary workstation a bit. Before I used to use firejail for certain less trusted apps (all apps with internet access) but it's kind of toy. Didn't work really well ...
Lapsio's user avatar
Lapsio
  • 217
0 votes
0 answers
169 views

Determining which files a process modifies / creates with strace?

For purposes of setting up AppArmor or SE Linux, I'm looking to audit what files a program could possibly need access to. My understanding is that the end of AppArmor or SE Linux, is to constrain ...
leeand00's user avatar
leeand00
  • 1,471
-1 votes
1 answer
464 views

Starting a server without SElinux or Apparmor [duplicate]

The Debian kernel that compiled for Beaglebone Black, doesn't support SElinux and Apparmor, AFAIK. I just want to know, is it safe to put a server on the internet without SElinux or Apparmor? However ...
mohammads's user avatar
mohammads
  • 107
1 vote
1 answer
770 views

Virtual Environments vs SELinux/AppArmor : Which is better for running unreliable applications?

By virtual environments, I mean Linux containers like Docker and Vagrant and not full blown VirtualBox. So, the issue is that I often have to install packages from untrusted sources in my Ubuntu. ...
shivams's user avatar
shivams
  • 221
5 votes
6 answers
10k views

Alternatives to SELinux and AppArmor? [closed]

With SELinux developed by NSA and AppArmor by Novell [*], what alternate solutions exists when trying to lock down a system and running applications, based on ACL and similar concepts like Zones on ...
that guy from over there's user avatar
that guy from over there
  • 3,494
3 votes
3 answers
5k views

Apparmor system-wide security -- white-listing

I want to only white-list applications that can run on my system using Apparmor, I know it is used to confine applications/programs based on their path names, but what I need is to contain those ...
securecurve's user avatar
securecurve
  • 153
5 votes
1 answer
2k views

Can attacker break out of apparmor jail with the following profile?

Below is an example profile I've created for web apps, in which I've limited files / commands it can access. It includes profiles to nginx, php-fpm and mysql, no commands is allowed, only few ...
daisy's user avatar
daisy
  • 2,097
12 votes
3 answers
6k views

Restrict access to a specific directory on Linux

I want to limit access to a single directory on the hard disk (log files) to few processes (log files for a single process for example). All processes run under the same user, so file system access ...
leoluk's user avatar
leoluk
  • 223
1 vote
1 answer
251 views

Is it secure to use ChangeHats for Web Application?

I was reading an article on "Profiling Your Web Applications Using ChangeHat" where change hats mean to use different security context for different portion of application. Following are lines taken ...
Ali Ahmad's user avatar
Ali Ahmad
  • 4,884
86 votes
9 answers
83k views

Comparison Between AppArmor and Selinux

I was reviewing several different comparisons of AppArmor and SELinux which include: Why I Like AppArmor More Than SELinux SELinux and AppArmor: An Introductory Comparison From these articles I ...
Ali Ahmad's user avatar
Ali Ahmad
  • 4,884
12 votes
3 answers
4k views

Security tradeoffs of pathname-based MAC (e.g., TOMOYO, grsecurity, AppArmor, ...)

I have been learning about MAC (Mandatory Access Control) systems in Linux. Often, but not always, these are tied to Linux Security Modules. Some systems I've looked at: SELinux, Tomoyo, AppArmor, ...
humanityANDpeace's user avatar
humanityANDpeace
  • 1,472
9 votes
3 answers
8k views

Restrict network access for a single process with SELinux or AppArmor

I have a Python script that access the network, and I want to deny it network access sometimes. How can I achieve this with SELinux or AppArmor? I want to be able to launch this specific script with ...
scythargon's user avatar
scythargon
  • 191
16 votes
2 answers
3k views

Network policies under AppArmor/SELinux

I am attempting to sandbox some untrusted processes using Linux's MAC frameworks -- either SELinux or AppArmor. I see that both SELinux and AppArmor allow the selected granting of socket level access ...
Prashanth's user avatar
Prashanth
  • 163