AppArmor Profile Repositories

Contents

21.1. Using the Local Repository
21.2. Using the External Repository

AppArmor ships a set of profiles that are created by the AppArmor developers, enabled by default, and kept under /etc/apparmor.d. In addition to these profiles, openSUSE ships profiles for individual applications together with the relevant application. These profiles are not enabled by default and reside in a different directory from the standard AppArmor profiles: /etc/apparmor/profiles/extras.

AppArmor also supports the use of an external profile repository. This repository is maintained by Novell and allows you to download profiles generated by Novell and other AppArmor users as well as to upload your own. Find the profile repository at http://apparmor.opensuse.org.

Using the Local Repository

The AppArmor tools (YaST, aa-genprof, and aa-logprof) support the use of a local repository. Whenever you start to create a new profile from scratch and an inactive profile for it already exists in your local repository, you are asked whether you would like to use the existing inactive one from /etc/apparmor/profiles/extras and whether you want to base your efforts on it. If you decide to use this profile, it gets copied over to the directory of profiles enabled by default (/etc/apparmor.d) and loaded whenever AppArmor is started. Any further adjustments will be done to the active profile under /etc/apparmor.d.

Using the External Repository

The external AppArmor profile repository at http://apparmor.opensuse.org serves two main purposes: allowing users to browse and download profiles created by other users, and allowing them to upload their own profiles so that they can easily use them on different machines. A valid login on the profile repository server is required for uploading profiles. Simply downloading profiles from the server does not require a login.

Note: Using the AppArmor Profile Repository

When using the profile repository in your deployment, keep in mind that the profiles maintained in the repository are primarily targeted at profile developers and probably need fine-tuning before they suit your particular needs. Please test the downloaded profiles extensively before deploying them to your live setup, and adjust them if necessary.

Setting up Profile Repository Support

Once properly configured, both the YaST and the command line tools support the use of an external profile repository. The initial configuration takes place when you start the YaST Add Profile Wizard, the Update Profile Wizard, aa-genprof, or aa-logprof to create or update a profile that already exists on the repository server:

  1. Determine whether or not to use the profile repository.

  2. Enable the repository for profile downloads.

  3. Once you have created or modified a profile, determine whether the tools need to be able to upload your profile to the repository.

    If you choose to upload profiles to the repository, enter your credentials for the repository server.

The configuration of the repository is done by editing two configuration files, /etc/apparmor/logprof.conf and /etc/apparmor/repository.conf.

The /etc/apparmor/logprof.conf file contains a section called [repository]. The distro entry determines the version of openSUSE used on your system, for which the AppArmor tools need to search profiles on the server. The url entry holds the server URL, and preferred_user tells the AppArmor tools to prefer profiles created by the novell user. Those profiles were created, tested and approved by members of the SUSE development team.

...
[repository]
  distro         = opensuse10.3
  url            = http://apparmor.opensuse.org/backend/api
  preferred_user = novell
...

The /etc/apparmor/repository.conf file is created during the configuration process with the AppArmor tools. It contains your authentication data and specifies which actions to enable with regard to the profile repository. If you opt for profile download and do not want to be able to upload your own profiles, enabled is set to yes while upload is set to no.

[repository]
   enabled = yes 
   upload = yes  
   user = tux
   pass = XXXXX

Once initially configured through the AppArmor tools, the configuration can only be changed manually.
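A defender-side check of the two files described above, as an added example that is not part of the original documentation or of the AppArmor tools: it reads the [repository] sections and reports a password file accessible beyond its owner, a non-HTTPS url, and a preferred_user other than novell. The function names, check ids and sample file contents are constructed for illustration.

```python
import os, stat, tempfile
from urllib.parse import urlparse

def read_section(path, section="repository"):
    """Return key/value pairs of one [section]; tolerant of indentation and '...' lines."""
    values, current = {}, None
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1].strip()
            elif current == section and "=" in line and not line.startswith("#"):
                key, _, val = line.partition("=")
                values[key.strip()] = val.strip()
    return values

def audit(logprof_path, repo_path):
    """Return a list of (check_id, message) findings for the two repository files."""
    log, repo = read_section(logprof_path), read_section(repo_path)
    findings = []
    enabled = repo.get("enabled", "no").lower() == "yes"
    upload = repo.get("upload", "no").lower() == "yes"
    cleartext = urlparse(log.get("url", "")).scheme != "https"
    if "pass" in repo and stat.S_IMODE(os.stat(repo_path).st_mode) & 0o077:
        findings.append(("perms", "repository.conf holds a password but is accessible to group/other"))
    if enabled and cleartext:
        findings.append(("transport", "profiles are fetched from a url that is not https"))
    if upload and cleartext and "pass" in repo:
        findings.append(("creds", "upload is on, so the stored login is used against a url that is not https"))
    if enabled and log.get("preferred_user") != "novell":
        findings.append(("vetting", "preferred_user is not the vetted 'novell' account"))
    return findings

# Constructed sample files mirroring the snippets in the text (placeholder password).
SAMPLE_LOGPROF = ("[repository]\n  distro         = opensuse10.3\n"
                  "  url            = http://apparmor.opensuse.org/backend/api\n"
                  "  preferred_user = novell\n")
SAMPLE_REPO = "[repository]\n   enabled = yes\n   upload = yes\n   user = tux\n   pass = XXXXX\n"

def demo(mode=0o644):
    """Write the samples to a temp dir, set the mode on repository.conf, return check ids."""
    with tempfile.TemporaryDirectory() as d:
        lp, rp = os.path.join(d, "logprof.conf"), os.path.join(d, "repository.conf")
        for path, text in ((lp, SAMPLE_LOGPROF), (rp, SAMPLE_REPO)):
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        os.chmod(rp, mode)
        return [check for check, _ in audit(lp, rp)]

if __name__ == "__main__":
    print(demo())        # world-readable repository.conf plus http:// url
    print(demo(0o600))   # permissions tightened; transport findings remain
```

On a real system, call audit("/etc/apparmor/logprof.conf", "/etc/apparmor/repository.conf") with sufficient privileges to read both files.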

Downloading a Profile

While creating a profile from scratch or updating an existing profile by processing reject messages in the log, the AppArmor tools search the repository for a matching profile. If the search is successful, the profile or the list of profiles is displayed and you can view them and choose the one that best matches your setup. As soon as you have chosen a profile, it gets copied to the local machine (to the /etc/apparmor.d directory) and activated. Alternatively, you can choose to ignore the profile on the repository and create your own from scratch.

Uploading Your Own Profile

After a profile has been created or updated, the AppArmor tools detect that a profile also present in the repository has been changed or that a new one has been created. If your system is configured to upload profiles to the repository, you are prompted to provide a ChangeLog to document your changes before the changes are uploaded to the server. These changes are only synced to the repository, but not to the creator of the original profile.