Create an AppArmor Application Profile
About This Task
AppArmor uses application profiles to define an application’s system access. This procedure uses the nginx application to demonstrate how to create a profile to enable access.
Before You Begin
You must have an eLxr Server 26.04 development host set up with sudo privileges. For details, see Quick Start Overview.
AppArmor must be set to enforcing. For details, see Set AppArmor Enforcing Mode.
Procedure
Install the nginx package.
$ sudo apt-get install nginx
---- Lots of output as packages install ----
Create a profile for the application, located at /usr/sbin/nginx.
# sudo touch /etc/apparmor.d/usr.sbin.nginx
This creates an empty usr.sbin.nginx file in the directory where all AppArmor policies reside, /etc/apparmor.d/. By convention the file is named after the program's path with the slashes replaced by dots (/etc/apparmor.d/<path-to-app>).
Add the following profile to the usr.sbin.nginx file. For example, open it in vi, add the following text, and save the file.
#include <tunables/global>

profile nginx /usr/sbin/nginx flags=(complain) {
  include <abstractions/base>

  # Allow read and execute access to the nginx executable
  /usr/sbin/nginx rix,

  # Allow reading files in the web directory
  /var/www/html/ r,
  /var/www/html/** r,

  # Allow reading configuration files for nginx
  /etc/nginx/nginx.conf r,
  /etc/nginx/sites-enabled/ r,
  /etc/nginx/sites-enabled/** r,

  # Deny access to /etc/passwd
  deny /etc/passwd r,

  # Deny access to the home directory
  deny /home/** rw,
}

In this example, read and execute access is granted to the directories and files that nginx needs in order to work properly. The profile is initially set to complain mode (flags=(complain)), which logs accesses that the profile does not allow instead of blocking them, so enforcement is essentially disabled. Even in complain mode, an explicit deny rule still blocks access to the resource it names, such as /etc/passwd and /home/ in this example.
Use the apparmor_parser application to check and load the profile. It parses the profile you created in the previous step and reports any errors it finds; you must fix those errors before the profile can be loaded. If there are no errors, it loads the profile for use by AppArmor (the -r option replaces any copy of the profile that is already loaded).
$ sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx
Check the new profile status using the aa-status application.
$ sudo aa-status
apparmor module is loaded.
-- Output truncated --
24 profiles are in complain mode.
   ...
   Xorg
   nginx
   plasmashell
   ...
Notice that the nginx profile is in complain mode, in alignment with the complain flag in the profile you created.
Set the nginx profile to enforce mode.
$ sudo aa-enforce /usr/sbin/nginx
Setting /usr/sbin/nginx to enforce mode
Warning: profile nginx represents multiple programs
Check the profile status again.
$ sudo aa-status
apparmor module is loaded.
-- Output truncated --
25 profiles are in enforce mode.
   ...
   man_groff
   nginx
   nvidia_modprobe
   ...
Notice that the nginx profile is now listed among the profiles in enforce mode.
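Reading the mode off the aa-status listing by eye is fine for one host, but on a fleet you want a scripted check that fails when a profile has slipped back into complain mode or was never loaded. The following is an added example, not part of the eLxr documentation or of the AppArmor tools: profile_mode parses aa-status output (piped in, or read from a saved file) and prints the section in which the named profile appears. The sample_aa_status function emits a constructed, trimmed copy of aa-status output so the check can be tried offline.

```shell
#!/bin/sh
# Added example: report which mode a named AppArmor profile is in by parsing
# `aa-status` output. Usage: profile_mode NAME [FILE]; reads FILE, or stdin
# when FILE is omitted (e.g. `sudo aa-status | profile_mode nginx`).
profile_mode() {
    name="$1"
    shift
    awk -v want="$name" '
        # A heading such as "25 profiles are in enforce mode." opens a section;
        # the fifth field is the mode name (enforce, complain, ...).
        /^[0-9]+ profiles are in [a-z]+ mode/ { mode = $5; next }
        # Headings about processes end the per-profile sections.
        /^[0-9]+ processes/ { mode = "" }
        # Indented single-field lines inside a section are profile names.
        mode != "" && NF == 1 && $1 == want { print mode; found = 1; exit }
        END { if (!found) print "not loaded" }
    ' "$@"
}

# Constructed sample of aa-status output (trimmed), for demonstration only.
sample_aa_status() {
    cat <<'EOF'
apparmor module is loaded.
49 profiles are loaded.
25 profiles are in enforce mode.
   man_groff
   nginx
   nvidia_modprobe
24 profiles are in complain mode.
   Xorg
   plasmashell
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/nginx (1234) nginx
EOF
}

# Exit non-zero unless the profile is enforced; usable as a compliance check.
require_enforced() {
    [ "$(profile_mode "$1")" = "enforce" ]
}

sample_aa_status | profile_mode nginx   # prints "enforce"
```

On a real host, replace sample_aa_status with `sudo aa-status` and call require_enforced nginx from your monitoring or configuration-management run.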