| author | Michael Palimaka <kensington@gentoo.org> | 2013-04-18 05:50:14 +1000 |
|---|---|---|
| committer | Michael Palimaka <kensington@gentoo.org> | 2013-04-18 05:50:14 +1000 |
| commit | fb010c56f2e220404d281dfeef0eb90cff66ad45 | |
| tree | 92fa4a1cfa7bf6cc492e7697ec33b35acfff0be1 /xml | |
| parent | Add orc use flag to the faq | |
| download | hardened-docs-fb010c56f2e220404d281dfeef0eb90cff66ad45.tar.gz, hardened-docs-fb010c56f2e220404d281dfeef0eb90cff66ad45.tar.bz2, hardened-docs-fb010c56f2e220404d281dfeef0eb90cff66ad45.zip | |
AppArmor guide has been moved to the wiki.
Diffstat (limited to 'xml')
-rw-r--r-- | xml/apparmor.xml | 204 |
1 files changed, 0 insertions, 204 deletions
diff --git a/xml/apparmor.xml b/xml/apparmor.xml deleted file mode 100644 index 032f1f3..0000000 --- a/xml/apparmor.xml +++ /dev/null 
@@ -1,204 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> -<!-- $Header$ --> - -<guide disclaimer="draft" link="apparmor.xml" lang="en"> -<title>Gentoo AppArmor Guide</title> - -<author title="Author"> - <mail link="kensington@gentoo.org">Michael Palimaka</mail> -</author> - -<abstract> -This guide provides a brief overview of AppArmor, and gives information -on how to install and configure it on Gentoo. -</abstract> - -<!-- The content of this document is licensed under the CC-BY-SA license --> -<!-- See http://creativecommons.org/licenses/by-sa/3.0 --> -<license version="3.0"/> - -<version>1</version> -<date>2012-07-10</date> - -<chapter> -<title>Introduction</title> - -<section> -<body> -<p> -AppArmor is a Linux Security Module implementation, working around the concept of adding rules to file paths. -</p> -<p> -For each file path you specify, AppArmor will permit it only the permissions you grant. -</p> -<pre caption="Sample profile"> -# ------------------------------------------------------------------ -# Copyright (C) 2002-2009 Novell/SUSE -# Copyright (C) 2010 Canonical Ltd. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. 
-# ------------------------------------------------------------------ - -#include <tunables/global> - -/sbin/klogd { - #include <abstractions/base> - - capability sys_admin, # for backward compatibility with kernel <= 2.6.37 - capability syslog, - - network inet stream, - - /boot/System.map* r, - @{PROC}/kmsg r, - @{PROC}/kallsyms r, - /dev/tty rw, - - /sbin/klogd rmix, - /var/log/boot.msg rwl, - /{,var/}run/klogd.pid krwl, - /{,var/}run/klogd/klogd.pid krwl, - /{,var/}run/klogd/kmsg r, -} -</pre> -</body> -</section> - -</chapter> - -<chapter> -<title>Initial setup</title> - -<section> -<title>Kernel patching</title> -<body> -<p> -From Linux 3.4, improved AppArmor support has been merged into the kernel. For the best experience, however, -it is recommended to patch your kernel with additional support. Without patching, it will only be possible to activate -profiles - deactivation, listing, init script etc. will not work. -</p> -<p> -The required patches are included in the AppArmor tarball. If you are using a grsec enabled kernel, such as <c>hardened-sources</c>, -the patches will not cleanly apply. For convenience, a rebased version of the patches is -<uri link="https://github.com/kensington/apparmor-grsec/tarball/master">available</uri>. -</p> -</body> -</section> - -<section> -<title>Install utilities</title> -<body> -<p> -The AppArmor userspace utilities currently live in the -<uri link="http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=summary">Hardened development overlay</uri>. 
-You should install layman, and then add the <c>hardened-dev</c> overlay: - -<pre caption="Install userspace utilities"> -# <i>layman -a hardened-dev</i> -# <i>emerge apparmor-utils</i> -<comment>You will probably also wish to install some profiles to get started:</comment> -# <i>emerge apparmor-profiles</i> -</pre> - -</p> -</body> -</section> - -<section> -<title>Further configuration</title> -<body> -<p> -You may wish to edit the configuation files located in <c>/etc/apparmor</c>, however -the default values will suit most users. -</p> -</body> -</section> - -</chapter> - -<chapter> -<title>Working with profiles</title> - -<section> -<body> -<p> -Profiles are stored as simple text files in <c>/etc/apparmor.d</c>. They may take any name, and may be stored -in subdirectories - you may organise them however it suits you. -</p> - -<pre caption="Sample profile directory listing"> -/etc/apparmor.d $ <i>ls</i> -abstractions program-chunks usr.lib.apache2.mpm-prefork.apache2 usr.lib.dovecot.managesieve-login usr.sbin.dovecot usr.sbin.nscd -apache2.d sbin.klogd usr.lib.dovecot.deliver usr.lib.dovecot.pop3 usr.sbin.identd usr.sbin.ntpd -bin.ping sbin.syslog-ng usr.lib.dovecot.dovecot-auth usr.lib.dovecot.pop3-login usr.sbin.lspci usr.sbin.smbd -disable sbin.syslogd usr.lib.dovecot.imap usr.sbin.avahi-daemon usr.sbin.mdnsd usr.sbin.smbldap-useradd -local tunables usr.lib.dovecot.imap-login usr.sbin.dnsmasq usr.sbin.nmbd usr.sbin.traceroute -</pre> - -<p> -Profiles are referred to by name, including any parent subdirectories if present. -</p> -</body> -</section> - -<section> -<title>Manual control</title> -<body> - -<p> -To activate a profile, simply set it to enforce mode. -<pre caption="Manual profile activation"> -# <i>aa-enforce usr.sbin.dnsmasq</i> -Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode. -</pre> -</p> - -<p> -Similarly, to deactive a profile, simply set it to complain mode. 
-<pre caption="Manual profile deactivation"> -# <i>aa-complain usr.sbin.dnsmasq</i> -Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode. -</pre> -</p> - -<p> -The current status of your profiles may be viewed using <c>aa-status</c>. -<pre caption="Profile status listing"> -# <i>aa-status</i> -apparmor module is loaded. -6 profiles are loaded. -5 profiles are in enforce mode. - /bin/ping - /sbin/klogd - /sbin/syslog-ng - /usr/sbin/dnsmasq - /usr/sbin/identd -1 profiles are in complain mode. - /usr/sbin/lspci -1 processes have profiles defined. -1 processes are in enforce mode. - /usr/sbin/dnsmasq (12905) -0 processes are in complain mode. -0 processes are unconfined but have a profile defined. -</pre> -</p> - -</body> -</section> - -<section> -<title>Automatic control</title> -<body> -<p> -The provided init script will automatically load all profiles located in your profile directory. -Unless specifically specified otherwise, each profile will be loaded in enforce mode. -</p> -</body> -</section> - -</chapter> - -</guide> |