AppArmor profile
Definition
AppArmor (Application Armor) is a Linux kernel security module that provides mandatory access control (MAC) by confining programs to a limited set of resources. It uses per-application profiles to define what each program may access, restricting it to only what its function requires. This limits the damage that a vulnerability or exploit in the application can cause.
Secure Settings Example
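# Example AppArmor profile for a web server
profile webserver /usr/sbin/apache2 {
  # Allow read access to configuration files
  /etc/apache2/** r,
  # Allow IPv4 TCP network access only
  network inet tcp,
  # Deny access to sensitive files and directories
  # (file rules need an access mode: read, write, lock, link, execute)
  deny /etc/shadow rwklx,
  deny /root/** rwklx,
  # Allow the server binary itself to be read and mapped
  /usr/sbin/apache2 mr,
  # Allow execution of the PHP CGI binary under this same profile (ix = inherit)
  /usr/bin/php-cgi rix,
  # Restrict capabilities to binding ports below 1024
  capability net_bind_service,
}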
Insecure Settings Example
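# Insecure AppArmor profile with overly permissive rules
profile webserver /usr/sbin/apache2 {
  # Allow read and write access to all files
  # (/** matches every file and directory below the root)
  /** rw,
  # Allow all network access (every address family and socket type)
  network,
  # Allow execution of all binaries under /usr (ix = run under this same profile)
  /usr/** mrix,
  # Allow all capabilities
  capability,
}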
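A small review aid for the contrast above, added here as an example and not part of the original page or of AppArmor's own tooling: it scans profile text for the over-broad allow rules that the insecure profile illustrates. The rule ids, the regular-expression heuristics and both sample profiles are assumptions constructed for this example; it does not replace apparmor_parser for syntax checking.

```python
import re

# Heuristics for the over-broad rule shapes shown in the insecure profile.
# Rule ids and messages are assumptions of this example, not AppArmor output.
TOP_GLOB = r"/(?:[^/\s]+/)?\*\*?"   # a glob at most one directory below /
CHECKS = [
    ("bare-network", re.compile(r"^network$"), "all address families and socket types"),
    ("bare-capability", re.compile(r"^capability$"), "every Linux capability"),
    ("bare-file", re.compile(r"^file$"), "all file access"),
    ("root-glob-write", re.compile(r"^(?:owner\s+)?/\*\*?\s+\S*[wa]\S*$"),
     "write access to the whole filesystem"),
    ("broad-exec", re.compile(r"^" + TOP_GLOB + r"\s+\S*x\S*$"),
     "execute permission on a whole top-level tree"),
]

def lint_profile(text):
    """Return (line_number, rule_id, message) for each over-broad allow rule."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and #include lines
        if not line.endswith(","):
            continue                           # header, closing brace, blank line
        rule = line[:-1].strip()
        if rule.startswith(("deny ", "audit deny ")):
            continue                           # deny rules remove access
        for rule_id, pattern, message in CHECKS:
            if pattern.match(rule):
                findings.append((lineno, rule_id, message))
    return findings

# Constructed sample profiles modelled on the two examples above.
INSECURE = """\
profile webserver /usr/sbin/apache2 {
  /** rw,
  network,
  /usr/** mrix,
  capability,
}
"""
SECURE = """\
profile webserver /usr/sbin/apache2 {
  /etc/apache2/** r,
  network inet tcp,
  deny /etc/shadow rwklx,
  /usr/bin/php-cgi rix,
  capability net_bind_service,
}
"""

if __name__ == "__main__":
    for lineno, rule_id, message in lint_profile(INSECURE):
        print(f"line {lineno}: {rule_id}: grants {message}")
```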