
4.1. Using AppArmor



This section is plagued by a bug (LP #1304134, https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1304134) and instructions will not work as advertised.


The apparmor-utils package contains command line utilities that you can use to change the AppArmor execution mode of a profile, query the status of loaded profiles, create new profiles, etc.

• apparmor_status (also installed as aa-status on newer releases) lists which profiles are loaded and whether each is in enforce or complain mode, along with the confined processes. Run it after any of the commands below to confirm the change actually took effect in the kernel.


sudo apparmor_status

• aa-complain places a profile into complain mode.


sudo aa-complain /path/to/bin

• aa-enforce places a profile into enforce mode.


sudo aa-enforce /path/to/bin

• The /etc/apparmor.d directory is where the AppArmor profiles are located. Passing a shell glob over it to aa-complain or aa-enforce changes the mode of every profile at once.


Enter the following to place all profiles into complain mode:


sudo aa-complain /etc/apparmor.d/*




To place all profiles in enforce mode:


sudo aa-enforce /etc/apparmor.d/*

• apparmor_parser is used to load a profile into the kernel. It can also be used to reload (replace) a currently loaded profile using the -r option; on a syntax error in the profile file the parser fails and the previously loaded version stays in place. To load a profile:


cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a


To reload a profile:


cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r

systemctl can be used to reload all profiles:


sudo systemctl reload apparmor.service

• The /etc/apparmor.d/disable directory can be used along with the apparmor_parser -R option to disable a profile.


sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name


To re-enable a disabled profile remove the symbolic link to the profile in /etc/apparmor.d/disable/. Then load the profile using the -a option. (The symlink is what keeps the profile from being loaded again at boot or on a service reload; unloading with -R alone only lasts until the next reload. apparmor-utils also ships aa-disable, which performs both steps.)


sudo rm /etc/apparmor.d/disable/profile.name

cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

• AppArmor can be disabled by stopping the service, which unloads every profile from the kernel, and removing it from the boot sequence. The AppArmor LSM itself is compiled into the Ubuntu kernel rather than being a loadable module, so it remains present; it can only be switched off entirely by booting with apparmor=0 on the kernel command line. On systemd-based releases, systemctl disable apparmor.service is the equivalent of the update-rc.d call.


sudo systemctl stop apparmor.service
sudo update-rc.d -f apparmor remove

• To re-enable AppArmor enter:


sudo systemctl start apparmor.service
sudo update-rc.d apparmor defaults

Replace profile.name with the file name of the profile you want to manipulate (for example bin.ping). Also, replace /path/to/bin with the actual executable file path. For example for the ping command use /bin/ping (on releases with a merged /usr this is the same file as /usr/bin/ping).
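The commands above change a profile's mode or load it, but none of them shows you the resulting state, and the LP bug note at the top of this section is exactly the situation where trusting a tool's exit status is not enough. The following shell script is an added example, not part of the Ubuntu Server Guide or the apparmor-utils package: it parses apparmor_status output to report the mode the kernel actually has for a profile, and wraps aa-enforce / aa-complain so the change is verified afterwards. It assumes apparmor-utils is installed and that it runs as root (or under sudo). The SAMPLE_STATUS text is constructed to follow the layout apparmor_status prints, so the parser can be tried on a machine without AppArmor; the function names aa_mode_from_status, aa_mode and aa_set_mode are this example's own.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide): check the mode the
# kernel really reports for an AppArmor profile, and verify that
# aa-enforce / aa-complain took effect instead of trusting their exit code.

# Constructed sample of apparmor_status output, used to exercise the parser
# offline. On a real system aa_mode() below reads the live output instead.
SAMPLE_STATUS=$(cat <<'EOF'
apparmor module is loaded.
4 profiles are loaded.
2 profiles are in enforce mode.
   /usr/bin/man
   /usr/sbin/cups-browsed
2 profiles are in complain mode.
   /usr/sbin/tcpdump
   ping
0 profiles are in kill mode.
0 profiles are in unconfined mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cups-browsed (1234)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
EOF
)

# aa_mode_from_status STATUS_TEXT PROFILE
# Prints enforce, complain, kill, unconfined or unloaded for PROFILE.
# apparmor_status prints a heading ("N profiles are in enforce mode.")
# followed by one indented profile name per line; the "N processes ..."
# headings that follow list processes, not profiles, so they end the scan.
aa_mode_from_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /profiles are in enforce mode/    { section = "enforce";    next }
        /profiles are in complain mode/   { section = "complain";   next }
        /profiles are in kill mode/       { section = "kill";       next }
        /profiles are in unconfined mode/ { section = "unconfined"; next }
        /^[0-9]+ processes/               { section = "" }
        section != "" && $1 == want       { print section; found = 1; exit }
        END { if (!found) print "unloaded" }'
}

# aa_mode PROFILE: the same check against the running kernel.
aa_mode() {
    aa_mode_from_status "$(apparmor_status 2>/dev/null)" "$1"
}

# aa_set_mode enforce|complain /path/to/bin [PROFILE_NAME]
# Runs aa-enforce or aa-complain on the executable, then confirms via
# apparmor_status. Profiles attached by path are listed under that path;
# a profile declared with its own name (e.g. "ping") is listed under that
# name, so pass it as the third argument in that case.
aa_set_mode() {
    mode=$1
    target=$2
    name=${3:-$2}
    case $mode in
        enforce)  aa-enforce  "$target" >/dev/null || return 1 ;;
        complain) aa-complain "$target" >/dev/null || return 1 ;;
        *) echo "usage: aa_set_mode enforce|complain /path/to/bin [profile]" >&2
           return 2 ;;
    esac
    actual=$(aa_mode "$name")
    if [ "$actual" != "$mode" ]; then
        echo "$name: requested $mode, kernel reports $actual" >&2
        return 1
    fi
    echo "$name: $mode"
}

# Try the parser on the constructed sample (no AppArmor needed):
aa_mode_from_status "$SAMPLE_STATUS" /usr/sbin/tcpdump   # prints "complain"
aa_mode_from_status "$SAMPLE_STATUS" /usr/bin/nonexistent # prints "unloaded"
```

On a live system, `aa_set_mode enforce /bin/ping ping` changes the mode and fails loudly if apparmor_status afterwards still shows the profile in complain mode or not loaded at all, which is the check you want before relying on the confinement.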

