author | Michael Palimaka <kensington@gentoo.org> | 2013-04-18 05:50:14 +1000 |
---|---|---|
committer | Michael Palimaka <kensington@gentoo.org> | 2013-04-18 05:50:14 +1000 |
commit | fb010c56f2e220404d281dfeef0eb90cff66ad45 (patch) | |
tree | 92fa4a1cfa7bf6cc492e7697ec33b35acfff0be1 | |
parent | Add orc use flag to the faq (diff) | |
download | hardened-docs-fb010c56f2e220404d281dfeef0eb90cff66ad45.tar.gz hardened-docs-fb010c56f2e220404d281dfeef0eb90cff66ad45.tar.bz2 hardened-docs-fb010c56f2e220404d281dfeef0eb90cff66ad45.zip |
AppArmor guide has been moved to the wiki.
-rw-r--r-- | html/apparmor.html | 222 |
-rw-r--r-- | xml/apparmor.xml | 204 |
2 files changed, 0 insertions, 426 deletions
diff --git a/html/apparmor.html b/html/apparmor.html deleted file mode 100644 index 291adb9..0000000 --- a/html/apparmor.html +++ /dev/null 
@@ -1,222 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html lang="en"> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> -<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> -<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> -<title>Gentoo Linux Documentation --- - Gentoo AppArmor Guide</title> -</head> -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> -<td width="99%" class="content" valign="top" align="left"> -<table class="ncontent" align="center" width="90%" border="2px" cellspacing="0" cellpadding="4px"><tr><td bgcolor="#ddddff"><p class="note"><b>Disclaimer : </b> - This document is a work in progress and should not be considered official yet. 
- </p></td></tr></table> -<br><h1>Gentoo AppArmor Guide</h1> -<form name="contents" action="http://www.gentoo.org"> -<b>Content</b>: - <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option> -<option value="#doc_chap2">2. Initial setup</option> -<option value="#doc_chap3">3. Working with profiles</option></select> -</form> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Introduction</p> -<p> -AppArmor is a Linux Security Module implementation, working around the concept of adding rules to file paths. -</p> -<p> -For each file path you specify, AppArmor will permit it only the permissions you grant. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample profile</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# ------------------------------------------------------------------ -# Copyright (C) 2002-2009 Novell/SUSE -# Copyright (C) 2010 Canonical Ltd. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. -# ------------------------------------------------------------------ - -#include <tunables/global> - -/sbin/klogd { - #include <abstractions/base> - - capability sys_admin, # for backward compatibility with kernel <= 2.6.37 - capability syslog, - - network inet stream, - - /boot/System.map* r, - @{PROC}/kmsg r, - @{PROC}/kallsyms r, - /dev/tty rw, - - /sbin/klogd rmix, - /var/log/boot.msg rwl, - /{,var/}run/klogd.pid krwl, - /{,var/}run/klogd/klogd.pid krwl, - /{,var/}run/klogd/kmsg r, -} -</pre></td></tr> -</table> -<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2. 
- </span>Initial setup</p> -<p class="secthead"><a name="doc_chap2_sect1">Kernel patching</a></p> -<p> -From Linux 3.4, improved AppArmor support has been merged into the kernel. For the best experience, however, -it is recommended to patch your kernel with additional support. Without patching, it will only be possible to activate -profiles - deactivation, listing, init script etc. will not work. -</p> -<p> -The required patches are included in the AppArmor tarball. If you are using a grsec enabled kernel, such as <span class="code" dir="ltr">hardened-sources</span>, -the patches will not cleanly apply. For convenience, a rebased version of the patches is -<a href="https://github.com/kensington/apparmor-grsec/tarball/master">available</a>. -</p> -<p class="secthead"><a name="doc_chap2_sect2">Install utilities</a></p> -<p> -The AppArmor userspace utilities currently live in the -<a href="http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=summary">Hardened development overlay</a>. -You should install layman, and then add the <span class="code" dir="ltr">hardened-dev</span> overlay: - -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Install userspace utilities</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">layman -a hardened-dev</span> -# <span class="code-input">emerge apparmor-utils</span> -<span class="code-comment">You will probably also wish to install some profiles to get started:</span> -# <span class="code-input">emerge apparmor-profiles</span> -</pre></td></tr> -</table> - -</p> -<p class="secthead"><a name="doc_chap2_sect3">Further configuration</a></p> -<p> -You may wish to edit the configuation files located in <span class="code" dir="ltr">/etc/apparmor</span>, however -the default values will suit most users. 
-</p> -<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3. - </span>Working with profiles</p> -<p> -Profiles are stored as simple text files in <span class="code" dir="ltr">/etc/apparmor.d</span>. They may take any name, and may be stored -in subdirectories - you may organise them however it suits you. -</p> -<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: Sample profile directory listing</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -/etc/apparmor.d $ <span class="code-input">ls</span> -abstractions program-chunks usr.lib.apache2.mpm-prefork.apache2 usr.lib.dovecot.managesieve-login usr.sbin.dovecot usr.sbin.nscd -apache2.d sbin.klogd usr.lib.dovecot.deliver usr.lib.dovecot.pop3 usr.sbin.identd usr.sbin.ntpd -bin.ping sbin.syslog-ng usr.lib.dovecot.dovecot-auth usr.lib.dovecot.pop3-login usr.sbin.lspci usr.sbin.smbd -disable sbin.syslogd usr.lib.dovecot.imap usr.sbin.avahi-daemon usr.sbin.mdnsd usr.sbin.smbldap-useradd -local tunables usr.lib.dovecot.imap-login usr.sbin.dnsmasq usr.sbin.nmbd usr.sbin.traceroute -</pre></td></tr> -</table> -<p> -Profiles are referred to by name, including any parent subdirectories if present. -</p> -<p class="secthead"><a name="doc_chap3_sect2">Manual control</a></p> -<p> -To activate a profile, simply set it to enforce mode. -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Manual profile activation</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">aa-enforce usr.sbin.dnsmasq</span> -Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode. -</pre></td></tr> -</table> -</p> -<p> -Similarly, to deactive a profile, simply set it to complain mode. 
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Manual profile deactivation</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">aa-complain usr.sbin.dnsmasq</span> -Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode. -</pre></td></tr> -</table> -</p> -<p> -The current status of your profiles may be viewed using <span class="code" dir="ltr">aa-status</span>. -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Profile status listing</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">aa-status</span> -apparmor module is loaded. -6 profiles are loaded. -5 profiles are in enforce mode. - /bin/ping - /sbin/klogd - /sbin/syslog-ng - /usr/sbin/dnsmasq - /usr/sbin/identd -1 profiles are in complain mode. - /usr/sbin/lspci -1 processes have profiles defined. -1 processes are in enforce mode. - /usr/sbin/dnsmasq (12905) -0 processes are in complain mode. -0 processes are unconfined but have a profile defined. -</pre></td></tr> -</table> -</p> -<p class="secthead"><a name="doc_chap3_sect3">Automatic control</a></p> -<p> -The provided init script will automatically load all profiles located in your profile directory. -Unless specifically specified otherwise, each profile will be loaded in enforce mode. -</p> -<br><p class="copyright"> - The contents of this document, unless otherwise expressly stated, are - licensed under the <a href="http://creativecommons.org/licenses/by-sa/3.0">CC-BY-SA-3.0</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply. 
- </p> -<!-- - <rdf:RDF xmlns="http://web.resource.org/cc/" - xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> - - <License rdf:about="http://creativecommons.org/licenses/by-sa/3.0/"> - - <permits rdf:resource="http://web.resource.org/cc/Reproduction" /> - <permits rdf:resource="http://web.resource.org/cc/Distribution" /> - <requires rdf:resource="http://web.resource.org/cc/Notice" /> - <requires rdf:resource="http://web.resource.org/cc/Attribution" /> - <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" /> - <requires rdf:resource="http://web.resource.org/cc/ShareAlike" /> - </License> - </rdf:RDF> ---><br> -</td> -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> -<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="apparmor.xml?style=printable">Print</a></p></td></tr> -<tr><td class="topsep" align="center"><p class="alttext">Page updated July 10, 2012</p></td></tr> -<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> -This guide provides a brief overview of AppArmor, and gives information -on how to install and configure it on Gentoo. -</p></td></tr> -<tr><td align="left" class="topsep"><p class="alttext"> - <a href="mailto:kensington@gentoo.org" class="altlink"><b>Michael Palimaka</b></a> -<br><i>Author</i><br></p></td></tr> -<tr lang="en"><td align="center" class="topsep"> -<p class="alttext"><b>Donate</b> to support our development efforts. 
- </p> -<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> -</form> -</td></tr> -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> -</table></td> -</tr></table></td></tr> -<tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. -</td></tr> -</table></body> -</html> diff --git a/xml/apparmor.xml b/xml/apparmor.xml deleted file mode 100644 index 032f1f3..0000000 --- a/xml/apparmor.xml +++ /dev/null 
@@ -1,204 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> -<!-- $Header$ --> - -<guide disclaimer="draft" link="apparmor.xml" lang="en"> -<title>Gentoo AppArmor Guide</title> - -<author title="Author"> - <mail link="kensington@gentoo.org">Michael Palimaka</mail> -</author> - -<abstract> -This guide provides a brief overview of AppArmor, and gives information -on how to install and configure it on Gentoo. -</abstract> - -<!-- The content of this document is licensed under the CC-BY-SA license --> -<!-- See http://creativecommons.org/licenses/by-sa/3.0 --> -<license version="3.0"/> - -<version>1</version> -<date>2012-07-10</date> - -<chapter> -<title>Introduction</title> - -<section> -<body> -<p> -AppArmor is a Linux Security Module implementation, working around the concept of adding rules to file paths. -</p> -<p> -For each file path you specify, AppArmor will permit it only the permissions you grant. -</p> -<pre caption="Sample profile"> -# ------------------------------------------------------------------ -# Copyright (C) 2002-2009 Novell/SUSE -# Copyright (C) 2010 Canonical Ltd. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. 
-# ------------------------------------------------------------------ - -#include <tunables/global> - -/sbin/klogd { - #include <abstractions/base> - - capability sys_admin, # for backward compatibility with kernel <= 2.6.37 - capability syslog, - - network inet stream, - - /boot/System.map* r, - @{PROC}/kmsg r, - @{PROC}/kallsyms r, - /dev/tty rw, - - /sbin/klogd rmix, - /var/log/boot.msg rwl, - /{,var/}run/klogd.pid krwl, - /{,var/}run/klogd/klogd.pid krwl, - /{,var/}run/klogd/kmsg r, -} -</pre> -</body> -</section> - -</chapter> - -<chapter> -<title>Initial setup</title> - -<section> -<title>Kernel patching</title> -<body> -<p> -From Linux 3.4, improved AppArmor support has been merged into the kernel. For the best experience, however, -it is recommended to patch your kernel with additional support. Without patching, it will only be possible to activate -profiles - deactivation, listing, init script etc. will not work. -</p> -<p> -The required patches are included in the AppArmor tarball. If you are using a grsec enabled kernel, such as <c>hardened-sources</c>, -the patches will not cleanly apply. For convenience, a rebased version of the patches is -<uri link="https://github.com/kensington/apparmor-grsec/tarball/master">available</uri>. -</p> -</body> -</section> - -<section> -<title>Install utilities</title> -<body> -<p> -The AppArmor userspace utilities currently live in the -<uri link="http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=summary">Hardened development overlay</uri>. 
-You should install layman, and then add the <c>hardened-dev</c> overlay: - -<pre caption="Install userspace utilities"> -# <i>layman -a hardened-dev</i> -# <i>emerge apparmor-utils</i> -<comment>You will probably also wish to install some profiles to get started:</comment> -# <i>emerge apparmor-profiles</i> -</pre> - -</p> -</body> -</section> - -<section> -<title>Further configuration</title> -<body> -<p> -You may wish to edit the configuation files located in <c>/etc/apparmor</c>, however -the default values will suit most users. -</p> -</body> -</section> - -</chapter> - -<chapter> -<title>Working with profiles</title> - -<section> -<body> -<p> -Profiles are stored as simple text files in <c>/etc/apparmor.d</c>. They may take any name, and may be stored -in subdirectories - you may organise them however it suits you. -</p> - -<pre caption="Sample profile directory listing"> -/etc/apparmor.d $ <i>ls</i> -abstractions program-chunks usr.lib.apache2.mpm-prefork.apache2 usr.lib.dovecot.managesieve-login usr.sbin.dovecot usr.sbin.nscd -apache2.d sbin.klogd usr.lib.dovecot.deliver usr.lib.dovecot.pop3 usr.sbin.identd usr.sbin.ntpd -bin.ping sbin.syslog-ng usr.lib.dovecot.dovecot-auth usr.lib.dovecot.pop3-login usr.sbin.lspci usr.sbin.smbd -disable sbin.syslogd usr.lib.dovecot.imap usr.sbin.avahi-daemon usr.sbin.mdnsd usr.sbin.smbldap-useradd -local tunables usr.lib.dovecot.imap-login usr.sbin.dnsmasq usr.sbin.nmbd usr.sbin.traceroute -</pre> - -<p> -Profiles are referred to by name, including any parent subdirectories if present. -</p> -</body> -</section> - -<section> -<title>Manual control</title> -<body> - -<p> -To activate a profile, simply set it to enforce mode. -<pre caption="Manual profile activation"> -# <i>aa-enforce usr.sbin.dnsmasq</i> -Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode. -</pre> -</p> - -<p> -Similarly, to deactive a profile, simply set it to complain mode. 
-<pre caption="Manual profile deactivation"> -# <i>aa-complain usr.sbin.dnsmasq</i> -Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode. -</pre> -</p> - -<p> -The current status of your profiles may be viewed using <c>aa-status</c>. -<pre caption="Profile status listing"> -# <i>aa-status</i> -apparmor module is loaded. -6 profiles are loaded. -5 profiles are in enforce mode. - /bin/ping - /sbin/klogd - /sbin/syslog-ng - /usr/sbin/dnsmasq - /usr/sbin/identd -1 profiles are in complain mode. - /usr/sbin/lspci -1 processes have profiles defined. -1 processes are in enforce mode. - /usr/sbin/dnsmasq (12905) -0 processes are in complain mode. -0 processes are unconfined but have a profile defined. -</pre> -</p> - -</body> -</section> - -<section> -<title>Automatic control</title> -<body> -<p> -The provided init script will automatically load all profiles located in your profile directory. -Unless specifically specified otherwise, each profile will be loaded in enforce mode. -</p> -</body> -</section> - -</chapter> - -</guide> |