SDB:AppArmor

Overview

Included with openSUSE and SUSE Linux Enterprise, AppArmor is an application security tool designed to provide an easy-to-use security framework for your applications. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behaviour and preventing even unknown application flaws from being exploited. AppArmor security policies, called "profiles", completely define what system resources individual applications can access, and with what privileges. A number of default profiles are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor profiles for even very complex applications can be deployed successfully in a matter of hours.

A detailed description of AppArmor is available to discuss the problem that AppArmor is intended to solve, the technology and the paradigm of the AppArmor solution. A guide for geeks with more details and less marketing is also available.

Getting the software

AppArmor packages can be obtained from the build service and AppArmor RPMs are included in openSUSE 10.1 and later.

Integrated packages are also included with all SUSE distributions from SUSE Linux Enterprise Server 9, Service Pack 3 (SLES9 SP3) onward, including SLES10, SLED10, and openSUSE. These packages are all licensed GPL2.

AppArmor integrated into openSUSE and SUSE Linux Enterprise

AppArmor consists of:

• a kernel module, shipped with the SUSE Linux kernel, which enforces the security profiles
• a collection of RPMs, also shipped with SUSE Linux, that provide:
  • a set of AppArmor profiles for numerous programs that ship with SUSE Linux
  • tools to create and manage new and existing AppArmor profiles
  • a YaST user interface to manage reports and notification of security events
  • documentation about the AppArmor tools

It is best to reboot a system after completing installation, so that AppArmor can confine all system daemons.

The AppArmor rpms

These can be selected during installation, or afterwards, from the SUSE Linux package management user interface in YaST. They are:

 libapparmor
 apparmor-profiles
 apparmor-utils
 apparmor-parser
 yast2-apparmor
 apparmor-docs

Development version of AppArmor

For new features that are currently under active development the AppArmor wiki hosts downloads of source code for review and community feedback. When features have been stabilized and are ready for integration testing and use they will become part of SUSE Linux.

Communicate

The AppArmor developers are on the upstream AppArmor mailing list for questions. The mailing list is for end users and developers - questions about how to use AppArmor to protect your applications are welcome there, questions or discussions about the future development of AppArmor are also welcome.

Contribute

There are ways that you can help: creating AppArmor profiles for applications that you run or reporting bugs that you find will help make openSUSE/SUSE Linux Enterprise a more secure platform for running your applications.

AppArmor profiles

The SUSE Linux distribution contains integrated AppArmor tools and profiles for you to use to secure your applications and create new profiles. You can contribute new profiles for applications that you are interested in by following the recipe to generate new profiles, or to enhance existing profiles. This process is explained in detail in the AppArmor section in the security guide

If you have new or modified profiles you can upload them in bugzilla or submit them to the AppArmor mailing list along with a use case for the application behavior that you exercised. The AppArmor team will review and may submit the work into SUSE Linux. We can't guarantee that every profile will be included but we will make a sincere effort to include as much as possible so that end users can contribute to the security profiles that ship in SUSE Linux.

Bug fixing

If you see a problem with an AppArmor tool or profile you can use bugzilla (Product: SUSE LINUX X.Y, Component: AppArmor) to submit the description of the problem. For advice on what information most helps us fix bugs, please see openSUSE:Bugreport_AppArmor.

Press articles

• Nice description and quick overview with screenshots: Protect your applications with AppArmor.
• Linux Magazine's comparison of AppArmor and SELinux: Linux Magazine Issue 69: August 2006.
• eWeek's comparison of AppArmor and SELinux: Wield the Shield: How Trustworthy Is Your OS?.

Other links

• Crispin Cowan (the AppArmor project lead) gave an interesting talk at FOSDEM 2006: http://ftp.heanet.ie/mirrors/fosdem-video/2006/FOSDEM2006-apparmor.avi (271 MB)