AppArmor 是一個類似于selinux 的東東,主要的作用是設(shè)置某個可執(zhí)行程序的訪問控制權(quán)限,可以限制程序 讀/寫某個目錄/文件,打開/讀/寫網(wǎng)絡(luò)端口等等。
Novell給出的Apparmor的解釋:
|
?AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if they are exploiting previously unknown vulnerabilities.
|
之所以選擇Apparmor而不是SELinux,主要基于以下兩點(diǎn)原因:
- 對于初學(xué)者來說,Apparmor比SELinux更簡單
- ubuntu的粉絲,ubuntu選擇了Apparmor,同理,如果你是fedora的粉絲,很明顯會選擇SELinux
實(shí)事求是的說,SELinux比Apparmor更安全,更靈活,同時配置起來也更復(fù)雜。SELinux與Apparmor最大的區(qū)別在于:Apparmor使用文件名(路徑名)最為安全標(biāo)簽,而SELinux使用文件的inode作為安全標(biāo)簽,這就意味著,Apparmor機(jī)制可以通過修改文件名而被繞過,另外,在文件系統(tǒng)中,只有inode才具有唯一性。
由于ubuntu發(fā)行版已經(jīng)自帶了Apparmor的package,所以只需要在命令行中輸入如下命令,就可以查詢當(dāng)前Apparmor的狀態(tài):
- sudo apparmor_status
從上圖中可以看出,當(dāng)前Apparmor包含了20個profile文件,而且都處于enforce狀態(tài),沒有處于enforce狀態(tài)的文件。
Apparmor的profile文件分為兩類:enforce與complain mode,存在于/etc/apparmor.d/目錄下,下面來看下官方給出的兩種不同狀態(tài)的profile的解釋。
Enforcing: This means the profile is actively protecting the application. By default, Ubuntu already locks down the CUPS daemon for you, but you will see several other profiles listed that you can set to enforce mode at any time.Complain: This means a profile exists but is not yet actively protecting the application. Instead, it is sort of in "debug" mode and will put "complain" messages into /var/log/messages. What this means is that if the application wants to read, write, or execute something that isn't listed in the profile, it will complain. This is how you generally create a profile.
簡單理解就是:如果某個程序不符合其profile文件的限制,改程序就會被apparmor“打小報告”,即將該程序的行為記錄在系統(tǒng)日志中,但是程序訪問行為會成功,比如本來沒有讓某個程序訪問某個文件,但就是訪問,僅僅報告一下,文件訪問會成功,如果在enforce模式下,文件訪問就會失敗。
如果想把某個profile置為enforce狀態(tài),執(zhí)行如下命令:- sudo enforce <application_name>
- sudo complain <application_name>
- sudo /etc/init.d/apparmor restart
- sudo apt-get install apparmor-profiles
(2)通過工具來管理profile,比較著名是:apparmor-utils,通過如下命令進(jìn)行安裝:
- sudo apt-get install apparmor-utils
再看一個手工編寫的profile,熟悉下其語法格式,如果想更詳細(xì)的學(xué)習(xí),參見具體的講解profile語法格式的文檔,如: http://ubuntuforums.org/showthread.php?t=1008906 。
- #include <tunables/global>
- /usr/bin/kopete { //需要限制的應(yīng)用程序的名稱
- #include <abstractions/X>
- #include <abstractions/audio>
- #include <abstractions/base>
- #include <abstractions/kde>
- #include <abstractions/nameservice>
- #include <abstractions/user-tmp>
- //限制其在對家目錄下幾個文件的讀寫權(quán)限
- deny @{HOME}/.bash* rw,
- deny @{HOME}/.cshrc rw,
- deny @{HOME}/.profile rw,
- deny @{HOME}/.ssh/* rw,
- deny @{HOME}/.zshrc rw,
- /etc/X11/cursors/oxy-white.theme r,
- /etc/default/apport r,
- /etc/kde4/* r,
- /etc/kde4rc r,
- /etc/kderc r,
- /etc/security/* r,
- /etc/ssl/certs/* r,
- owner /home/*/ r,
- /opt/firefox/firefox.sh Px,
- /usr/bin/convert rix,
- /usr/bin/kde4 rix,
- /usr/bin/kopete r,
- /usr/bin/kopete_latexconvert.sh rix,
- /usr/bin/launchpad-integration ix,
- /usr/bin/xdg-open mrix,
- /usr/lib/firefox*/firefox.sh Px,
- /usr/lib/kde4/**.so mr,
- /usr/lib/kde4/libexec/drkonqi ix,
- /usr/share/emoticons/ r,
- /usr/share/emoticons/** r,
- /usr/share/enchant/** r,
- /usr/share/kde4/** r,
- /usr/share/kubuntu-default-settings/** r,
- /usr/share/locale-langpack/** r,
- /usr/share/myspell/** r,
- owner @{HOME}/.config/** rwk,
- owner @{HOME}/.kde/** rwlk,
- owner @{HOME}/.local/share/mime/** r,
- owner @{HOME}/.thumbnails/** rw,
- owner @{HOME}/Downloads/ rw,
- owner @{HOME}/Downloads/** rw,
- }
- r = read
- w = write
- l = link
- k = lock
- a = append
- ix = inherit = Inherit the parent's profile.
- px = requires a separate profile exists for the application, with environment scrubbing.
- Px = requires a separate profile exists for the application, without environment scrubbing.
- ux and Ux = Allow execution of an application unconfined, with and without environmental scrubbing. (use with caution if at all).
- m = allow executable mapping.
更多文章、技術(shù)交流、商務(wù)合作、聯(lián)系博主
微信掃碼或搜索:z360901061
微信掃一掃加我為好友
QQ號聯(lián)系: 360901061
您的支持是博主寫作最大的動力,如果您喜歡我的文章,感覺我的文章對您有幫助,請用微信掃描下面二維碼支持博主2元、5元、10元、20元等您想捐的金額吧,狠狠點(diǎn)擊下面給點(diǎn)支持吧,站長非常感激您!手機(jī)微信長按不能支付解決辦法:請將微信支付二維碼保存到相冊,切換到微信,然后點(diǎn)擊微信右上角掃一掃功能,選擇支付二維碼完成支付。
【本文對您有幫助就好】元
