========
AppArmor
========

What is AppArmor?
=================

AppArmor is a MAC style security extension for the Linux kernel. It implements
a task centered policy, with task "profiles" being created and loaded
from user space. Tasks on the system that do not have a profile defined for
them run in an unconfined state, which is equivalent to standard Linux DAC
permissions.

How to enable/disable
=====================

Set ``CONFIG_SECURITY_APPARMOR=y``.

If AppArmor should be selected as the default security module then set::

  CONFIG_DEFAULT_SECURITY="apparmor"
  CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1

Build the kernel.

If AppArmor is not the default security module it can be enabled by passing
``security=apparmor`` on the kernel's command line.

If AppArmor is the default security module it can be disabled by passing
``apparmor=0, security=XXXX`` (where ``XXXX`` is a valid security module) on the
kernel's command line.

For AppArmor to enforce any restrictions beyond standard Linux DAC permissions,
policy must be loaded into the kernel from user space (see the Documentation
and tools links).
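The boot-time rules above, as an added example that is not part of the kernel documentation: a POSIX shell function that works out, from a kernel command line and the ``CONFIG_DEFAULT_SECURITY`` value, whether AppArmor will be the active security module, plus a check of the running system's state. The ``/sys`` paths are assumed to be the ones the apparmor module and securityfs expose on a standard kernel.

```shell
#!/bin/sh
# Added example, not part of the kernel documentation. Applies the rules above:
# CONFIG_DEFAULT_SECURITY picks the default LSM, security=<lsm> on the command
# line overrides it, and apparmor=0 switches AppArmor off regardless. Pure
# shell, so it can be checked against constructed command lines without root.
#
# Usage: apparmor_boot_state "<kernel command line>" "<CONFIG_DEFAULT_SECURITY>"
# Prints "enabled" or "disabled".
apparmor_boot_state() {
    cmdline=$1
    chosen_lsm=$2        # build-time default, overridden by security=
    apparmor_param=1     # assumes CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
    for arg in $cmdline; do
        case $arg in
            security=*) chosen_lsm=${arg#security=} ;;    # last one wins
            apparmor=*) apparmor_param=${arg#apparmor=} ;;
        esac
    done
    if [ "$apparmor_param" = 0 ]; then
        echo disabled        # apparmor=0: off even when it is the default
    elif [ "$chosen_lsm" = apparmor ]; then
        echo enabled
    else
        echo disabled        # another LSM (or none) is the major module
    fi
}

# Live check: is AppArmor on in the running kernel, and has any policy been
# loaded? Without loaded profiles confinement is no stronger than plain DAC.
# Paths assumed: the apparmor module parameter and the securityfs profile list.
apparmor_runtime_state() {
    enabled_file=/sys/module/apparmor/parameters/enabled
    profiles_file=/sys/kernel/security/apparmor/profiles
    if [ ! -r "$enabled_file" ]; then
        echo "apparmor: not built in or not loaded"
        return 1
    fi
    echo "apparmor enabled: $(cat "$enabled_file")"
    if [ -r "$profiles_file" ]; then
        echo "loaded profiles: $(wc -l < "$profiles_file" | tr -d ' ')"
    else
        echo "loaded profiles: unknown (securityfs unmounted or no permission)"
    fi
}

# Demonstrate the boot-time rules on constructed command lines.
echo "default apparmor, no args    : $(apparmor_boot_state 'quiet splash' apparmor)"
echo "default apparmor, apparmor=0 : $(apparmor_boot_state 'apparmor=0 security=selinux' apparmor)"
echo "default selinux, security=.. : $(apparmor_boot_state 'security=apparmor' selinux)"
```

Call ``apparmor_runtime_state`` on a booted system to see whether the kernel actually enforces anything; it needs read access to securityfs to count profiles.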

Documentation
=============

Documentation can be found on the wiki, linked below.

Links
=====

Mailing List - apparmor@lists.ubuntu.com

Wiki - http://wiki.apparmor.net

User space tools - https://gitlab.com/apparmor

Kernel module - git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor