AppArmor is an implementation of mandatory access control (MAC) in the Linux kernel, enabled by default on distributions such as Ubuntu. Compared with SELinux, AppArmor is simpler and easier to use, which makes it better suited to everyday work. Using node_exporter as the example, this post walks through a quick way to put a program under AppArmor.
Install apparmor-utils:

```
apt install -y apparmor-utils
```
Run aa-genprof:

```
root@gw:~# aa-genprof /usr/bin/node_exporter
not a dynamic executable
Writing updated profile for /usr/bin/node_exporter.
Setting /usr/bin/node_exporter to complain mode.

Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles

Profiling: /usr/bin/node_exporter

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

[(S)can system log for AppArmor events] / (F)inish
```
At this point it is waiting. Do not press any key to interrupt it.

Open a new window and start node_exporter (I start it with systemd here):

```
systemctl start node_exporter
```

For reference, the service file **/lib/systemd/system/node_exporter.service**:
```
[Unit]
Description=node_exporter
After=network.target

[Service]
Type=simple
User=root
ExecStart=/usr/bin/node_exporter --collector.systemd
Restart=on-failure

[Install]
WantedBy=multi-user.target
```
Wait a moment until node_exporter has been scraped, so that its collectors actually run.

Go back to the aa-genprof window:

```
[(S)can system log for AppArmor events] / (F)inish
```

Press S to scan the system log. The following appears:
```
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:

Profile:    /usr/bin/node_exporter
Capability: net_admin
Severity:   8

 [1 - capability net_admin,]
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
```
It seems that programs written in Go all ask for the net_admin capability. Just press A here to allow it.

Another prompt appears:
```
Profile:  /usr/bin/node_exporter
Path:     /sys/kernel/mm/transparent_hugepage/hpage_pmd_size
New Mode: owner r
Severity: 4

 [1 - owner /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
```
Here you can simply press A to allow the exact path, or press G to turn it into a glob; pressing G repeatedly widens the pattern further, like this:
```
Profile:  /usr/bin/node_exporter
Path:     /sys/kernel/mm/transparent_hugepage/hpage_pmd_size
New Mode: owner r
Severity: 4

  1 - owner /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  2 - owner /sys/kernel/mm/transparent_hugepage/* r,
  3 - owner /sys/kernel/mm/** r,
  4 - owner /sys/kernel/** r,
 [5 - owner /sys/** r,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
```
Pressing A at this point allows reading every file and directory under /sys. Each press of G trades precision for convenience, and the widest pattern leaves the profile the least restrictive, so choose the narrowest glob that still covers the paths node_exporter actually reads.

Repeat the steps above until it stops asking about permissions and instead shows:
```
= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - /usr/bin/node_exporter]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
```
Press S to save the profile. It automatically returns to the waiting state:
```
Writing updated profile for /usr/bin/node_exporter.

Profiling: /usr/bin/node_exporter

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

[(S)can system log for AppArmor events] / (F)inish
```
Press F to exit.

Run aa-status to check the state of AppArmor:
```
...
33 processes are in enforce mode.
...
   /usr/bin/node_exporter (191273)
...
```
When you finish, aa-genprof switches the profile from complain mode to enforce mode, which is why node_exporter now appears among the enforce-mode processes. Congratulations: node_exporter is now wearing its armor!
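As an added example (not part of the original post), here is a small shell helper that does by hand what aa-genprof's "(S)can" step does: it reads AppArmor audit lines for one profile and prints candidate rules in the same shape aa-genprof offered above, which is also a handy way to spot what an enforced profile is blocking. The log lines are constructed, not captured from a host, and the function name suggest_rules is my own.

```sh
#!/bin/sh
# Constructed sample of AppArmor audit lines as they appear in /var/log/syslog
# (not captured from a real host; pid 191273 is the one aa-status showed above).
# In complain mode the kernel logs would-be denials as apparmor="ALLOWED";
# once the profile is enforced the same events show up as apparmor="DENIED".
# The last line belongs to a different (made-up) profile and must be ignored.
SAMPLE_LOG='kernel: audit: type=1400 audit(1700000000.123:45): apparmor="ALLOWED" operation="capable" profile="/usr/bin/node_exporter" pid=191273 comm="node_exporter" capability=12 capname="net_admin"
kernel: audit: type=1400 audit(1700000000.124:46): apparmor="DENIED" operation="open" profile="/usr/bin/node_exporter" name="/sys/class/net/eth0/speed" pid=191273 comm="node_exporter" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1700000000.125:47): apparmor="DENIED" operation="open" profile="/usr/bin/node_exporter" name="/proc/1/stat" pid=191273 comm="node_exporter" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1700000000.126:48): apparmor="DENIED" operation="capable" profile="/usr/bin/node_exporter" pid=191273 comm="node_exporter" capability=12 capname="net_admin"
kernel: audit: type=1400 audit(1700000000.127:49): apparmor="DENIED" operation="open" profile="/usr/bin/example_daemon" name="/etc/example.conf" pid=4242 comm="example_daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Print one deduplicated candidate rule per logged event for the given profile.
# Capability events become "capability NAME," and file events become
# "owner PATH MASK," (mask taken from denied_mask, else requested_mask).
# Usage: suggest_rules PROFILE < logfile
# On a real host:  grep 'apparmor=' /var/log/syslog | suggest_rules /usr/bin/node_exporter
suggest_rules() {
  awk -v prof="$1" '
    (/apparmor="DENIED"/ || /apparmor="ALLOWED"/) && index($0, "profile=\"" prof "\"") {
      if (match($0, /capname="[^"]*"/)) {
        # capname="X"  ->  capability X,
        print "capability " substr($0, RSTART + 9, RLENGTH - 10) ","
      } else if (match($0, / name="[^"]*"/)) {
        # name="/path"  ->  owner /path MASK,
        path = substr($0, RSTART + 7, RLENGTH - 8)
        mask = ""
        if (match($0, / denied_mask="[^"]*"/)) mask = substr($0, RSTART + 14, RLENGTH - 15)
        else if (match($0, / requested_mask="[^"]*"/)) mask = substr($0, RSTART + 17, RLENGTH - 18)
        if (mask != "") print "owner " path " " mask ","
      }
    }' | sort -u
}

# Demo run over the constructed log: the two net_admin events collapse into one
# rule, the foreign profile is skipped, and the file rules are exact paths
# (widen them with globs yourself only where that is really warranted).
printf '%s\n' "$SAMPLE_LOG" | suggest_rules /usr/bin/node_exporter
```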