Linux | AppArmor Quick Start

AppArmor is one implementation of mandatory access control (MAC) for the Linux kernel, and it is enabled by default on distributions such as Ubuntu. Compared with SELinux, AppArmor is simpler and easier to use, which makes it a better fit for everyday work. Below we use node_exporter as an example to show how to put AppArmor to use quickly.

Install apparmor-utils

```
apt install -y apparmor-utils
```

Run aa-genprof

```
root@gw:~# aa-genprof /usr/bin/node_exporter
	not a dynamic executable
Writing updated profile for /usr/bin/node_exporter.
Setting /usr/bin/node_exporter to complain mode.

Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles

Profiling: /usr/bin/node_exporter

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

[(S)can system log for AppArmor events] / (F)inish
```

aa-genprof is now waiting. Do not press any key, or you will interrupt it.
Open a new window and start node_exporter (here it is started through systemd):

```
systemctl start node_exporter
```

For reference, the service file **/lib/systemd/system/node_exporter.service**:

```ini
[Unit]
Description=node_exporter
After=network.target

[Service]
Type=simple
User=root
ExecStart=/usr/bin/node_exporter --collector.systemd
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

Wait a moment so that node_exporter gets scraped at least once.
Go back to the aa-genprof window:

```
[(S)can system log for AppArmor events] / (F)inish
```

Press S to scan the system log. The following appears:

```
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:

Profile:    /usr/bin/node_exporter
Capability: net_admin
Severity:   8

 [1 - capability net_admin,]
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
```

It seems that programs written in Go all ask for the net_admin capability. Just press A to allow it.
Another prompt appears:

```
Profile:  /usr/bin/node_exporter
Path:     /sys/kernel/mm/transparent_hugepage/hpage_pmd_size
New Mode: owner r
Severity: 4

 [1 - owner /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
```

Here you can simply press A to allow the exact path, or press G to turn it into a glob; pressing G repeatedly widens the glob each time, with this result:

```
Profile:  /usr/bin/node_exporter
Path:     /sys/kernel/mm/transparent_hugepage/hpage_pmd_size
New Mode: owner r
Severity: 4

  1 - owner /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  2 - owner /sys/kernel/mm/transparent_hugepage/* r,
  3 - owner /sys/kernel/mm/** r,
  4 - owner /sys/kernel/** r,
 [5 - owner /sys/** r,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
```

Pressing A at this point allows reading every file and directory under /sys.
Repeat the steps above until it stops asking about permissions and instead shows:

```
= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - /usr/bin/node_exporter]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
```

Press S to save the profile. It automatically returns to the waiting state:

```
Writing updated profile for /usr/bin/node_exporter.

Profiling: /usr/bin/node_exporter

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

[(S)can system log for AppArmor events] / (F)inish
```

Press F to exit.
Run aa-status to check the state of AppArmor:

```
...
33 processes are in enforce mode.
...
   /usr/bin/node_exporter (191273)
...
```

Congratulations: node_exporter is now wearing its armor!
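For reference, an illustrative profile of the kind aa-genprof writes to /etc/apparmor.d/usr.bin.node_exporter after the session above. This is an added example, not the file produced in the post; only the `capability net_admin` and `owner /sys/** r` rules come from the walkthrough, and the rules marked as assumptions are guesses about what the other prompts would have covered.

```apparmor
# Illustrative profile; only the two rules marked "from the walkthrough" were
# actually granted in the session shown above.
#include <tunables/global>

/usr/bin/node_exporter {
  #include <abstractions/base>

  # From the walkthrough: granted with (A)llow at the first prompt
  capability net_admin,

  # From the walkthrough: chosen with (G)lob pressed four times, then (A)llow.
  # "owner" restricts the read to files owned by the process's own uid.
  owner /sys/** r,

  # Assumption: collectors read /proc; @{PROC} is defined in tunables/global
  @{PROC}/** r,

  # Assumption: the exporter listens on a TCP socket for Prometheus scrapes
  network inet stream,
  network inet6 stream,

  # Assumption: --collector.systemd queries systemd over D-Bus
  #include <abstractions/dbus-strict>
}
```

After editing the file by hand, reload it with `apparmor_parser -r /etc/apparmor.d/usr.bin.node_exporter`; `aa-complain` and `aa-enforce` on the same path switch the mode, and anything the profile blocks in enforce mode shows up in /var/log/syslog as an `apparmor="DENIED"` line.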
