So, how usable is AppArmor in Debian?

The short answer is: using AppArmor in Debian is fairly straight forward.

Installing and activating it though is not – yet – a very user friendly experience. One needs to install the apparmor package, then activate it in the kernel by editing a line in the GRUB bootloader and then reboot. The procedure is explained in detail here.
We are working on fixing Debian Bug #702030 which aims at making the installation process easier for normal users by activating the module automatically as soon as one installs the apparmor package.

Once you have set this up though, you’re good to go. Profiles for confining processes and programs should then be activated automatically.

One can verify this through the `sudo aa-status` command which should output something like this:

apparmor module is loaded.
30 profiles are loaded.
30 profiles are in enforce mode.
 /usr/bin/evince
 /usr/bin/evince-previewer
 /usr/bin/evince-previewer//sanitized_helper
 /usr/bin/evince-thumbnailer
 /usr/bin/evince-thumbnailer//sanitized_helper
 /usr/bin/evince//sanitized_helper
 /usr/bin/irssi
 /usr/bin/pidgin
 /usr/bin/pidgin//launchpad_integration
 /usr/bin/pidgin//sanitized_helper
 /usr/bin/tlsdate
 /usr/bin/tlsdate-helper
 /usr/bin/torbrowser-launcher
 /usr/bin/totem
 /usr/bin/totem-audio-preview
 /usr/bin/totem-video-thumbnailer
 /usr/lib/cups/backend/cups-pdf
 /usr/lib/libvirt/virt-aa-helper
 /usr/sbin/apt-cacher-ng
 /usr/sbin/cups-browsed
 /usr/sbin/cupsd
 /usr/sbin/cupsd//third_party
 /usr/sbin/libvirtd
 /usr/sbin/ntpd
 /usr/sbin/tcpdump
 /usr/sbin/tlsdated
 gst_plugin_scanner
 system_tor
0 profiles are in complain mode.
8 processes have profiles defined.
8 processes are in enforce mode.
 /usr/bin/pidgin
 /usr/bin/torbrowser-launcher
 /usr/sbin/cups-browsed 
 /usr/sbin/cupsd
 /usr/sbin/libvirtd
 system_tor
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

As of today there are only a dozen packages which ship their own profile in Debian: bind9, clamav, cups-browsed & cups-daemon,  libvirt-daemon-system, mysql-5.5, lightdm, obfsproxy, sssd, tlsdate, tor, torbrowser-launcher, vidalia.

In order to confine other applications, like evince, irssi, ntpd, pidgin, totem or tcpdump, one can install the apparmor-profiles-extra package.

All those profiles work very well in a Debian Wheezy environment or higher, from my own experience. (Only the torbrowser-launcher profile needs to be fixed in wheezy-backports, but works well in Jessie or higher – I’m working on it.)

If you want to confine other applications and found a profile which you want to use on your system, you can copy that profile into /etc/apparmor.d/ and then run

aa-enforce /etc/apparmor.d/myprofile

And that’s pretty much it!

 

rike

 

Leave a Reply

Your email address will not be published. Required fields are marked *