Chapter 20. Profile Components and Syntax

Chapter 20. Profile Components and Syntax¶

Contents

20.1. Breaking a Novell AppArmor Profile into Its Parts
20.2. Profile Types
20.3. #include Statements
20.4. Capability Entries (POSIX.1e)
20.5. Network Access Control
20.6. Paths and Globbing
20.7. File Permission Access Modes
20.8. Execute Modes
20.9. Resource Limit Control
20.10. Auditing Rules
20.11. Setting Capabilities per Profile

Building AppArmor profiles to confine an application is very straightforward and intuitive. AppArmor ships with several tools that assist in profile creation. It does not require you to do any programming or script handling. The only task that is required of the administrator is to determine a policy of strictest access and execute permissions for each application that needs to be hardened.

Updates or modifications to the application profiles are only required if the software configuration or the desired range of activities changes. AppArmor offers intuitive tools to handle profile updates and modifications.

You are ready to build Novell AppArmor profiles after you select the programs to profile. To do so, it is important to understand the components and syntax of profiles. AppArmor profiles contain several building blocks that help build simple and reusable profile code:

#include Files: #include statements are used to pull in parts of other AppArmor profiles to simplify the structure of new profiles.
Abstractions: Abstractions are #include statements grouped by common application tasks.
Program Chunks: Program chunks are #include statements that contain chunks of profiles that are specific to program suites.
Capability Entries: Capability entries are profile entries for any of the POSIX.1e Linux capabilities allowing a fine-grained control over what a confined process is allowed to do through system calls that require privileges.
Network Access Control Entries: Network Access Control Entries mediate network access based on the address type and family.
Local Variable Definitions: Local variables define shortcuts for paths.
File Access Control Entries: File Access Control Entries specify the set of files an application can access.
rlimit Entries: rlimit entries set and control an application's resource limits.

For help determining the programs to profile, refer to Section 19.2, “Determining Programs to Immunize”. To start building AppArmor profiles with YaST, proceed to Chapter 22, Building and Managing Profiles with YaST. To build profiles using the AppArmor command line interface, proceed to Chapter 23, Building Profiles from the Command Line.

20.1. Breaking a Novell AppArmor Profile into Its Parts¶

The easiest way of explaining what a profile consists of and how to create one is to show the details of a sample profile, in this case for a hypothetical application called /usr/bin/foo:

#include <tunables/global>

# a comment naming the application to confine
/usr/bin/foo
{
   #include <abstractions/base>

   capability setgid,
   network inet tcp,

   link /etc/sysconfig/foo -> /etc/foo.conf,
   /bin/mount            ux,
   /dev/{,u}random     r,
   /etc/ld.so.cache      r,
   /etc/foo/*            r,
   /lib/ld-*.so*         mr,
   /lib/lib*.so*         mr,
   /proc/[0-9]**         r,
   /usr/lib/**           mr,
   /tmp/                r,
   /tmp/foo.pid          wr,
   /tmp/foo.*            lrw,
   /@{HOME}/.foo_file   rw,
   /@{HOME}/.foo_lock    kw,
   owner /shared/foo/** rw,
   /usr/bin/foobar       cx,
   /bin/**               px -> bin_generic,


   # a comment about foo's local (children)profile for /usr/bin/foobar.

   profile /usr/bin/foobar {
      /bin/bash          rmix,
      /bin/cat           rmix,
      /bin/more          rmix,
      /var/log/foobar*   rwl,
      /etc/foobar        r,
   } 

  # foo's hat, bar.
   ^bar {
    /lib/ld-*.so*         mr,
    /usr/bin/bar          px,
    /var/spool/*          rwl,
   } 
}

	This loads a file containing variable definitions.
	The normalized path to the program that is confined.
	The curly braces (`{}`) serve as a container for include statements, subprofiles, path entries, capability entries, and network entries.
	This directive pulls in components of AppArmor profiles to simplify profiles.
	Capability entry statements enable each of the 29 POSIX.1e draft capabilities.
	A directive determining the kind of network access allowed to the application. For details, refer to Section 20.5, “Network Access Control”.
	A link pair rule specifying the source and the target of a link. See Section 20.7.6, “Link Pair” for more information.
	The curly braces (`{}`) make this rule apply to the path both with and without the content enclosed by the braces.
	A path entry specifying what areas of the file system the program can access. The first part of a path entry specifies the absolute path of a file (including regular expression globbing) and the second part indicates permissible access modes (for example `r` for read, `w` for write, and `x` for execute). A whitespace of any kind (spaces or tabs) can precede pathnames or separate the pathname from the access modes. Spaces between the access mode and the trailing comma are optional. Find a comprehensive overview of the available access modes in Section 20.7, “File Permission Access Modes”.
	This variable expands to a value that can be changed without changing the entire profile.
	An owner conditional rule, granting read and write permission on files owned by the user. Refer to Section 20.7.7, “Owner Conditional Rules” for more information.
	This entry defines a transition to the local profile `/usr/bin/foobar`. Find a comprehensive overview of the available execute modes in Section 20.8, “Execute Modes”.
	A named profile transition to the profile bin_generic located in the global scope. See Section 20.8.7, “Named Profile Transitions” for details.
	The local profile `/usr/bin/foobar` is defined in this section.
	This section references a “hat” subprofile of the application. For more details on AppArmor's ChangeHat feature, refer to Chapter 24, Profiling Your Web Applications Using ChangeHat.

When a profile is created for a program, the program can access only the files, modes, and POSIX capabilities specified in the profile. These restrictions are in addition to the native Linux access controls.

Example: To gain the capability CAP_CHOWN, the program must have both access to CAP_CHOWN under conventional Linux access controls (typically, be a root-owned process) and have the capability chown in its profile. Similarly, to be able to write to the file /foo/bar the program must have both the correct user ID and mode bits set in the files attributes (see the chmod and chown man pages) and have /foo/bar w in its profile.

Attempts to violate Novell AppArmor rules are recorded in /var/log/audit/audit.log if the audit package is installed or otherwise in /var/log/messages. In many cases, Novell AppArmor rules prevent an attack from working because necessary files are not accessible and, in all cases, Novell AppArmor confinement restricts the damage that the attacker can do to the set of files permitted by Novell AppArmor.

20.2. Profile Types¶

AppArmor knows four different types of profiles: standard profiles, unattached profiles, local profiles and hats. Standard and unattached profiles are stand-alone profiles, each stored in a file under /etc/apparmor.d/. Local profiles and hats are children profiles embedded inside of a parent profile used to provide tighter or alternate confinement for a subtask of an application.

20.2.1. Standard Profiles¶

The default AppArmor profile is attached to a program by its name, so a profile name must match the path to the application it is to confine.

/usr/bin/foo {
...
}

This profile will be automatically used whenever an unconfined process executes /usr/bin/foo.

20.2.2. Unattached Profiles¶

Unattached profiles do not reside in the file system namespace and therefore are not automatically attached to an application. The name of an unattached profile is preceded by the keyword profile. You can freely choose a profile name, except for the following limitations: the name must not begin with a : or . character. If it contains a whitespace, it must be quoted. If the name begins with a /, the profile is considered to be a standard profile, so the following two profiles are identical:

profile /usr/bin/foo {
...
}
/usr/bin/foo {
...
}

Unattached profiles are never used automatically, nor can they be transitioned to through a px rule. They need to be attached to a program by either using a named profile transition (see Section 20.8.7, “Named Profile Transitions”) or with the change_profile rule (see Section 20.2.5, “Change rules”).

Unattached profiles are useful for specialized profiles for system utilities that generally should not be confined by a system wide profile (for example, /bin/bash). They can also be used to set up roles or to confine a user.

20.2.3. Local Profiles¶

Local profiles provide a convenient way to provide specialized confinement for utility programs launched by a confined application. They are specified just like standard profiles except they are embedded in a parent profile and begin with the profile keyword:

/parent/profile {
   ...
   profile local/profile {
      ...
   }
}

To transition to a local profile, either use a cx rule (see Section 20.8.2, “Discrete Local Profile Execute Mode (cx)”) or a named profile transition (see Section 20.8.7, “Named Profile Transitions”).

20.2.4. Hats¶

AppArmor "hats" are a local profiles with some additional restrictions and an implicit rule allowing for change_hat to be used to transition to them. Refer to Chapter 24, Profiling Your Web Applications Using ChangeHat for a detailed description.

20.2.5. Change rules¶

AppArmor provides change_hat and change_profile rules that control domain transitioning. change_hat are specified by defining hats in a profile, while change_profile rules refer to another profile and start with the keyword change_profile:

change_profile /usr/bin/foobar,

Both change_hat and change_profile provide for an application directed profile transition, without having to launch a separate application. change_profile provides a generic one way transition between any of the loaded profiles. change_hat provides for a returnable parent child transition where an application can switch from the parent profile to the hat profile and if it provides the correct secret key return to the parent profile at a later time.

change_profile is best used in situations where an application goes through a trusted setup phase and then can lower its privilege level. Any resources mapped or opened during the start-up phase may still be accessible after the profile change, but the new profile will restrict the opening of new resources, and will even limit some of the resources opened before the switch. Specifically, memory resources will still be available while capability and file resources (as long as they are not memory mapped) can be limited.

change_hat is best used in situations where an application runs a virtual machine or an interpreter that does not provide direct access to the applications resources (e.g. Apache's mod_php). Since change_hat stores the return secret key in the application's memory the phase of reduced privilege should not have direct access to memory. It is also important that file access is properly separated, since the hat can restrict accesses to a file handle but does not close it. If an application does buffering and provides access to the open files with buffering, the accesses to these files may not be seen by the kernel and hence not restricted by the new profile.

	Safety of Domain Transitions
The `change_hat` and `change_profile` domain transitions are less secure than a domain transition done through an exec because they do not affect a processes memory mappings, nor do they close resources that have already been opened.

20.3. `#include` Statements¶

#include statements are directives that pull in components of other Novell AppArmor profiles to simplify profiles. Include files retrieve access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs. Using includes can reduce the size of a profile.

By default, AppArmor adds /etc/apparmor.d to the path in the #include statement. AppArmor expects the include files to be located in /etc/apparmor.d. Unlike other profile statements (but similar to C programs), #include lines do not end with a comma.

To assist you in profiling your applications, Novell AppArmor provides three classes of #includes: abstractions, program chunks and tunables.

20.3.1. Abstractions¶

Abstractions are #includes that are grouped by common application tasks. These tasks include access to authentication mechanisms, access to name service routines, common graphics requirements, and system accounting. Files listed in these abstractions are specific to the named task. Programs that require one of these files usually require some of the other files listed in the abstraction file (depending on the local configuration as well as the specific requirements of the program). Find abstractions in /etc/apparmor.d/abstractions.

20.3.2. Program Chunks¶

The program-chunks directory (/etc/apparmor.d/program-chunks) contains some chunks of profiles that are specific to program suites and not generally useful outside of the suite, thus are never suggested for use in profiles by the profile wizards (aa-logprof and aa-genprof). Currently, program chunks are only available for the postfix program suite.

20.3.3. Tunables¶

The tunables directory (/etc/apparmor.d/tunables) contains global variable definitions. When used in a profile, these variables expand to a value that can be changed without changing the entire profile. Add all the tunables definitions that should be available to every profile to /etc/apparmor.d/tunables/global.

20.4. Capability Entries (POSIX.1e)¶

Capability statements are simply the word capability followed by the name of the POSIX.1e capability as defined in the capabilities(7) man page.

20.5. Network Access Control¶

AppArmor allows mediation of network access based on the address type and family. The following illustrates the network access rule syntax:

network [[<domain>][<type>][<protocol>]]

	Supported domains: `inet`, `ax25`, `ipx`, `appletalk`, `netrom`, `bridge`, `x25`, `inet6`, `rose`, `netbeui`, `security`, `key`, `packet`, `ash`, `econet`, `atmsvc`, `sna`, `irda`, `pppox`, `wanpipe`, `bluetooth`
	Supported types: `stream`, `dgram`, `seqpacket`, `rdm`, `raw`, `packet`
	Supported protocols: `tcp`, `udp`, `icmp`

The AppArmor tools support only family and type specification. The AppArmor module emits only network domain type in “access denied” messages. And only these are output by the profile generation tools, both YaST and command line.

The following examples illustrate possible network-related rules to be used in AppArmor profiles. Note that the syntax of the last two are not currently supported by the AppArmor tools.

network,
network inet,
network inet6,
network inet stream,
network inet tcp,
network tcp,

	Allow all networking. No restrictions applied with regards to domain, type, or protocol.
	Allow general use of IPv4 networking.
	Allow general use of IPv6 networking.
	Allow the use of IPv4 TCP networking.
	Allow the use of IPv4 TCP networking, paraphrasing the rule above.
	Allow the use of both IPv4 and IPv6 TCP networking.

20.6. Paths and Globbing¶

AppArmor explicitly distinguishes directory path names from file path names. Use a trailing / for any directory path that needs to be explicitly distinguished:

/some/random/example/* r: Allow read access to files in the /some/random/example directory.
/some/random/example/ r: Allow read access to the directory only.
/some/**/ r: Give read access to any directories below /some.
/some/random/example/** r: Give read access to files and directories under /some/random/example.
/some/random/example/**[^/] r: Give read access to files under /some/random/example. Explicitly exclude directories ([^/]).

Globbing (or regular expression matching) is when you modify the directory path using wild cards to include a group of files or subdirectories. File resources can be specified with a globbing syntax similar to that used by popular shells, such as csh, Bash, and zsh.

`*`	Substitutes for any number of any characters, except `/`. Example: An arbitrary number of file path elements.
`**`	Substitutes for any number of characters, including `/`. Example: An arbitrary number of path elements, including entire directories.
`?`	Substitutes for any single character, except `/`.
`[abc]`	Substitutes for the single character `a`, `b`, or `c`. Example: a rule that matches `/home[01]/*/.plan` allows a program to access `.plan` files for users in both `/home0` and `/home1`.
`[a-c]`	Substitutes for the single character `a`, `b`, or `c`.
`{ab,cd}`	Expands to one rule to match `ab` and one rule to match `cd`. Example: a rule that matches `/{usr,www}/pages/**` grants access to Web pages in both `/usr/pages` and `/www/pages`.
`[ ^a ]`	Substitutes for any character except `a`.

20.6.1. Using Variables in Profiles¶

AppArmor allows to use variables holding paths in profiles. Use global variables to make your profiles portable and local variables to create shortcuts for paths.

A typical example of when global variables come in handy are network scenarios in which user home directories are mounted in different locations. Instead of rewriting paths to home directories in all affected profiles, you only need to change the value of a variable. Global variables are defined under /etc/apparmor.d/tunables and have to be made available via an #include statement. Find the variable definitions for this use case (@{HOME} and @{HOMEDIRS}) in the /etc/apparmor.d/tunables/home file.

Local variables are defined at the head of a profile. This is useful to provide the base of for a chrooted path, for example:

@{CHROOT_BASE}=/tmp/foo
/sbin/syslog-ng {
...
# chrooted applications
@{CHROOT_BASE}/var/lib/*/dev/log w,
@{CHROOT_BASE}/var/log/** w,
...
}


With the current AppArmor tools, variables can only be used when manually editing and maintaining a profile.

20.6.2. Alias rules¶

Alias rules provide an alternative way to manipulate profile path mappings to site specific layouts. They are an alternative form of path rewriting to using variables, and are done post variable resolution:

alias /home/ -> /mnt/users/


With the current AppArmor tools, alias rules can only be used when manually editing and maintaining a profile. Whats more, they are deactivated by disabled. Enable alias rules by editing `/etc/apparmor.d/tunables/alias`

20.7. File Permission Access Modes¶

File permission access modes consist of combinations of the following modes:

`r`	Read mode
`w`	Write mode (mutually exclusive to `a`)
`a`	Append mode (mutually exclusive to `w`)
`k`	File locking mode
`l`	Link mode
`link file -> target`	Link pair rule (cannot be combined with other access modes)

20.7.1. Read Mode (r)¶

Allows the program to have read access to the resource. Read access is required for shell scripts and other interpreted content and determines if an executing process can core dump.

20.7.2. Write Mode (w)¶

Allows the program to have write access to the resource. Files must have this permission if they are to be unlinked (removed).

20.7.3. Append Mode (a)¶

Allows a program to write to the end of a file. In contrast to the w mode, the append mode does not include the ability to overwrite data, to rename, or to remove a file. The append permission is typically used with applications who need to be able to write to log files, but which should not be able to manipulate any existing data in the log files. As the append permission is just a subset of the permissions associated with the write mode, the w and a permission flags cannot be used together and are mutually exclusive.

20.7.4. File Locking Mode (k)¶

The application can take file locks. Former versions of AppArmor allowed files to be locked if an application had access to them. By using a separate file locking mode, AppArmor makes sure locking is restricted only to those files which need file locking and tightens security as locking can be used in several denial of service attack scenarios.

20.7.5. Link Mode (l)¶

The link mode mediates access to hard links. When a link is created, the target file must have the same access permissions as the link created (with the exception that the destination does not need link access).

20.7.6. Link Pair¶

The link mode grants permission to create links to arbitrary files, provided the link has a subset of the permissions granted by the target (subset permission test). By specifying origin and destination, the link pair rule provides greater control over how hard links are created. Link pair rules by default do not enforce the link subset permission test that the standard rules link permission requires. To force the rule to require the test the subset keyword is used. The following rules are equivalent:

/link    l,
link subset /link -> /**,


Currently link pair rules are not supported by YaST and the command line tools. Manually edit your profiles to use them. Updating such profiles using the tools is safe, because the link pair entries will not be touched.

20.7.7. Owner Conditional Rules¶

The file rules can be extended so that they can be conditional upon the the user being the owner of the file (the fsuid has to match the file's uid). For this purpose the owner keyword is prepended to the rule. Owner conditional rules accumulate just as regular file rules.

owner /home/*/** rw

When using file ownership conditions with link rules the ownership test is done against the target file so the user must own the file to be able to link to it.

	Precedence of Regular File Rules
Owner conditional rules are considered a subset of regular file rules. If a regular file rule overlaps with an owner conditional file rule, the resultant permissions will be that of the regular file rule.

20.7.8. Deny Rules¶

Deny rules can be used to annotate or quiet known rejects. The profile generating tools will not ask about a known reject treated with a deny rule. Such a reject will also not show up in the audit logs when denied, keeping the log files lean. If this is not desired, prepend the deny entry with the keyword audit.

It is also possible to use deny rules in combination with allow rules. This allows you to specify a broad allow rule, and then subtract a few known files that should not be allowed. Deny rules can also be combined with owner rules, to deny files owned by the user. The following example allows read/write access to everything in a users directory except write access to the .ssh/ files:

deny /home/*/.ssh/** w,
/home/*/** rw,

The extensive use of deny rules is generally not encouraged, because it makes it much harder to understand what a profile does. However a judicious use of deny rules can simplify profiles. Therefore the tools only generate profiles denying specific files and will not make use of globbing in deny rules. Manually edit your profiles to add deny rules using globbing. Updating such profiles using the tools is safe, because the deny entries will not be touched.

20.8. Execute Modes¶

Execute modes, also named profile transitions, consist of the following modes:

`px`	Discrete profile execute mode
`cx`	Discrete local profile execute mode
`ux`	Unconstrained execute mode
`ix`	Inherit execute mode
`m`	Allow `PROT_EXEC` with mmap(2) calls

20.8.1. Discrete Profile Execute Mode (px)¶

This mode requires that a discrete security profile is defined for a resource executed at an AppArmor domain transition. If there is no profile defined, the access is denied.

	Using the Discrete Profile Execute Mode
`px` does not scrub the environment of variables such as `LD_PRELOAD`. As a result, the calling domain may have an undue amount of influence over the called item.

Incompatible with Ux, ux, Px, and ix.

20.8.2. Discrete Local Profile Execute Mode (cx)¶

As px, but instead of searching the global profile set, cx only searches the local profiles of the current profile. This profile transition provides a way for an application to have alternate profiles for helper applications.

	Limitations of the Discrete Local Profile Execute Mode (cx)
Currently, cx transitions are limited to top level profiles and can not be used in hats and children profiles. This restriction will be removed in the future.

Incompatible with Ux, ux, Px, px, Cx, and ix.

20.8.3. Unconstrained Execute Mode (ux)¶

Allows the program to execute the resource without any AppArmor profile applied to the executed resource. This mode is useful when a confined program needs to be able to perform a privileged operation, such as rebooting the machine. By placing the privileged section in another executable and granting unconstrained execution rights, it is possible to bypass the mandatory constraints imposed on all confined processes. For more information about what is constrained, see the apparmor(7) man page.

Using Unconstrained Execute Mode (ux)

	Using Unconstrained Execute Mode (ux)
Use `ux` only in very special cases. It enables the designated child processes to be run without any AppArmor protection. `ux` does not scrub the environment of variables such as `LD_PRELOAD`. As a result, the calling domain may have an undue amount of influence over the called resource. Use this mode only if the child absolutely must be run unconfined and `LD_PRELOAD` must be used. Any profile using this mode provides negligible security. Use at your own risk.

Use ux only in very special cases. It enables the designated child processes to be run without any AppArmor protection. ux does not scrub the environment of variables such as LD_PRELOAD. As a result, the calling domain may have an undue amount of influence over the called resource. Use this mode only if the child absolutely must be run unconfined and LD_PRELOAD must be used. Any profile using this mode provides negligible security. Use at your own risk.

This mode is incompatible with Ux, px, Px, and ix.

20.8.4. Clean Exec modes¶

The clean exec modes allow the named program to run in px, cx and ux mode, but AppArmor invokes the Linux kernel's unsafe_exec routines to scrub the environment, similar to setuid programs. The clean exec modes are specified with an uppercase letter: Px, Cx and Ux. See the man page of ld.so(8) for some information about setuid and setgid environment scrubbing.

20.8.5. Inherit Execute Mode (ix)¶

ix prevents the normal AppArmor domain transition on execve(2) when the profiled program executes the named program. Instead, the executed resource inherits the current profile.

This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target's profile or losing the permissions of the current profile. There is no version to scrub the environment because ix executions do not change privileges.

Incompatible with cx, ux, and px. Implies m.

20.8.6. Allow Executable Mapping (m)¶

This mode allows a file to be mapped into memory using mmap(2)'s PROT_EXEC flag. This flag marks the pages executable. It is used on some architectures to provide non executable data pages, which can complicate exploit attempts. AppArmor uses this mode to limit which files a well-behaved program (or all programs on architectures that enforce non executable memory access controls) may use as libraries, to limit the effect of invalid -L flags given to ld(1) and LD_PRELOAD, LD_LIBRARY_PATH, given to ld.so(8).

20.8.7. Named Profile Transitions¶

By default, the px and cx (and their clean exec variants, too) transition to a profile who's name matches the executable name. With named profile transitions, you can specify a profile to be transitioned to. This is useful if multiple binaries need to share a single profile, or if they need to use a different profile than their name would specify. Named profile transitions can be used in conjunction with cx, Cx, px and Px. Currently there is a limit of twelve named profile transitions per profile.

Named profile transitions use -> to indicate the name of the profile that needs to be transitioned to:

/usr/bin/foo 
{
  /bin/** px -> shared_profile,
  ...
  /usr/*bash cx -> local_profile,
  ...
  profile local_profile 
  {
    ...
  }
}

Difference Between Normal and Named Transitions

	Difference Between Normal and Named Transitions
When used with globbing, normal transitions provide a “one to many” relationship—`/bin/** px` will transition to `/bin/ping`, `/bin/cat`, etc, depending on the program being run. Named transitions provide a “many to one” relationship—all programs that match the rule regardless of their name will transition to the specified profile. Named profile transitions show up in the log as having the mode `Nx`. The name of the profile to be changed to is listed in the `name2` field.

When used with globbing, normal transitions provide a “one to many” relationship—/bin/** px will transition to /bin/ping, /bin/cat, etc, depending on the program being run.

Named transitions provide a “many to one” relationship—all programs that match the rule regardless of their name will transition to the specified profile.

Named profile transitions show up in the log as having the mode Nx. The name of the profile to be changed to is listed in the name2 field.

20.8.8. Inheritance Fallback for Profile Transitions¶

The px and cx transitions specify a hard dependency (if the specified profile does not exist, the exec will fail). With the inheritance fallback, the execution will succeed but inherit the current profile. To specify inheritance fallback, ix is combined with cx, Cx, px and Px into the modes cix, Cix, pix and Pix. The fallback modes can be used with named profile transitions, too.

20.8.9. Variable Settings in Execution Modes¶

When choosing one of the Px, Cx or Ux execution modes, take into account that the following environment variables are removed from the environment before the child process inherits it. As a consequence, applications or processes relying on any of these variables do not work anymore if the profile applied to them carries Px, Cx or Ux flags:

GCONV_PATH
GETCONF_DIR
HOSTALIASES
LD_AUDIT
LD_DEBUG
LD_DEBUG_OUTPUT
LD_DYNAMIC_WEAK
LD_LIBRARY_PATH
LD_ORIGIN_PATH
LD_PRELOAD
LD_PROFILE
LD_SHOW_AUXV
LD_USE_LOAD_BIAS
LOCALDOMAIN
LOCPATH
MALLOC_TRACE
NLSPATH
RESOLV_HOST_CONF
RES_OPTIONS
TMPDIR
TZDIR

20.9. Resource Limit Control¶

AppArmor provides the ability to set and control an application's resource limits (rlimits, also known as ulimits). By default AppArmor does not control applications rlimits, and it will only control those limits specified in the confining profile. For more information about resource limits, refer to the setrlimit(2), ulimit(1), or ulimit(3) man pages.

AppArmor leverages the system's rlimits and as such does not provide an additional auditing that would normally occur. It also cannot raise rlimits set by the system, AppArmor rlimits can only reduce an application's current resource limits.

The values will be inherited by the children of a process and will remain even if a new profile is transitioned to or the application becomes unconfined. So when an application transitions to a new profile, that profile has the ability to further reduce the applications rlimits.

AppArmor's rlimit rules will also provide mediation of setting an application's hard limits, should it try to raise them. The application will not be able to raise its hard limits any further than specified in the profile. The mediation of raising hard limits is not inherited as the set value is, so that once the application transitions to a new profile it is free to raise its limits as specified in the profile.

AppArmor's rlimit control does not affect an application's soft limits beyond ensuring that they are less than or equal to the application's hard limits.

AppArmor's hard limit rules have the general form of:

set rlimit resource <= value,

where resource and value are to be replaced with the following values:

cpu

currently not supported

fsize, data, stack, core, rss, as, memlock, msgqueue

a number in bytes, or a number with a suffix where the suffix can be K (kilobytes), M (megabytes), G (gigabytes), for example

rlimit data <= 100M,

fsize, nofile, locks, sigpending, nproc^*, rtprio

a number greater or equal to 0

nice

a value between -20 and 19

^*The nproc rlimit is handled different than all the other rlimits. Instead of indicating the standard process rlimit it controls the maximum number of processes that can be running under the profile at any given time. Once the limit is exceeded the creation of new processes under the profile will fail until the number of currently running processes is reduced.


Currently the tools can not be used to add rlimit rules to profiles. The only way to add rlimit controls to a profile is to manually edit the profile with a text editor. The tools will still work with profiles containing rlimit rules and will not remove them, so it is safe to use the tools to update profiles containing them.

20.10. Auditing Rules¶

AppArmor provides the ability to audit given rules so that when they are matched an audit message will appear in the audit log. To enable audit messages for a given rule, the audit keyword is prepended to the rule:

audit /etc/foo/*        rw,

If it is desirable to audit only a given permission the rule can be split into two rules. The following example will result in audit messages when files are opened for writing, but not when they are opened for just reading:

audit /etc/foo/*  w,
/etc/foo/*        r,


Audit messages are not generated for every read or write of a file but only when a file is opened for read or write.

Audit control can be combined with owner conditional file rules to provide auditing when users access files they own (at the moment it is not possible to audit files they don't own):

audit owner /home/*/.ssh/**       rw,

20.11. Setting Capabilities per Profile¶

Normally AppArmor only restricts existing native Linux controls and does not grant additional privileges. Therefore a program, having been granted write access to a file via its profile, would not be able to actually write to this file as long as the mode bits are set to read only.

The only exception to this strict rule is the set capability rule. This provides the ability to give non-root users administrative privileges, as defined in the capabilities(7) man page. Contrary to setting a program to setuid or using file system capabilities (that apply to single programs only), the set capability rule allows the user to apply capabilities to multiple programs running under a specific profile (by using ix transitions). For security reasons, set capability rules will not be inherited (once a program leaves the profile, it loses the elevated privilege).

	Use set capabilities Rules with Extreme Caution
Using the set capabilities rules allows to give processes `root` privileges. Therefore these rules should be used with extreme caution and only in exceptional cases.

To set a capability in a profile the keyword “set” is prepended to a capability rule. Setting a capability also implicitly adds a capability rule allowing that capability.

set capability cap_chown,


Currently the tools can not be used to add rlimit rules to profiles. The only way to add rlimit controls to a profile is to manually edit the profile with a text editor. The tools will still work with profiles containing rlimit rules and will not remove them, so it is safe to use the tools to update profiles containing them.