AppArmor Profiles: Security Risks

TL;DR

Yes, a badly configured AppArmor profile can reduce security. While designed to restrict programs and limit damage, incorrect rules can either be too permissive or break essential functionality, leading to vulnerabilities or making the system unusable. Regular auditing and testing are crucial.

How AppArmor Works

AppArmor creates a security sandbox around applications. It does this by defining what resources (files, network access, capabilities) an application is allowed to use. If an application tries something outside its profile, AppArmor blocks it.

Why Bad Profiles Are Dangerous

  1. Too Permissive: If a profile allows too much access, the application effectively has few restrictions. This defeats the purpose of using AppArmor and doesn’t improve security.
  2. Broken Functionality: Overly restrictive profiles can prevent legitimate applications from working correctly. Users might then disable AppArmor to get things running, removing all protection.
  3. Unexpected Behaviour: Incorrect rules can lead to unpredictable application behaviour or crashes, potentially masking underlying vulnerabilities.
  4. Denial of Service: A profile that blocks essential system functions could cause a denial-of-service condition.

Steps to Check and Improve AppArmor Profiles

  1. Audit Existing Profiles: Regularly review your AppArmor profiles for unnecessary permissions. Look for wildcard rules (e.g., allowing access to entire directories) that should be narrowed down.
    • Use aa-audit to put a profile into audit mode, which logs the application's accesses, denied ones included. This helps you understand what the application is trying to do and whether those attempts are legitimate.
  2. Run in Complain Mode: Put a profile into ‘complain’ mode before enforcing it. This logs violations without blocking them, allowing you to identify necessary permissions.
    sudo aa-complain /etc/apparmor.d/your_profile
  3. Examine Audit Logs: Check the system logs (usually /var/log/syslog or using journalctl) for AppArmor audit messages.
    sudo journalctl -xe | grep apparmor
  4. Narrow Permissions: Replace broad permissions with specific ones. For example, instead of allowing access to /tmp/*, allow access only to the specific files the application needs.
  5. Use Capabilities Carefully: AppArmor can restrict Linux capabilities (e.g., CAP_NET_RAW). Only grant necessary capabilities and avoid granting all capabilities unless absolutely required.
  6. Test Thoroughly: After making changes, test the application extensively to ensure it functions correctly with the new profile.
  7. Profile Generation Tools: Consider using profiling utilities such as aa-genprof and aa-logprof to generate initial profiles, and apparmor_parser to validate and load them. However, always review and refine these automatically generated profiles.
  8. Keep Profiles Updated: As applications are updated, their resource requirements may change. Regularly update your AppArmor profiles to reflect these changes.

Example Scenario

Imagine a web server profile that allows write access to /var/www/html/*. A vulnerability in the web application could allow an attacker to upload malicious files into any part of the website, because the AppArmor profile doesn’t restrict where within /var/www/html/ the files can be written.
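To make the audit in step 1 and the narrowing in step 4 concrete, here is an added Python check (not from the original post or the AppArmor project) that flags over-broad rules in a profile; the two profiles and the httpd-demo paths are constructed for illustration, and the check covers only the rule forms discussed above, not full AppArmor syntax.

```python
import re

# Constructed sample, not from the page: an over-permissive profile for a hypothetical web server.
WEAK_PROFILE = """
/usr/sbin/httpd-demo {
  capability,
  network,
  /var/www/html/** rw,
  /tmp/* rw,
  /usr/local/bin/* ux,
}
"""
# The same profile after narrowing each rule to what the service needs (also constructed).
HARDENED_PROFILE = """
/usr/sbin/httpd-demo {
  capability net_bind_service,
  network inet stream,
  /var/www/html/** r,
  /var/www/html/uploads/*.jpg rw,
  /tmp/httpd-demo.sock rw,
  /usr/lib/httpd-demo/cgi-helper ix,
}
"""
# A file rule: optional 'owner' qualifier, a path glob, a permission string and a trailing comma.
FILE_RULE = re.compile(r'^(?:owner\s+)?(/\S*)\s+([a-zA-Z]+),$')
# Bare rules with no qualifier grant everything in their class.
BARE_RULES = {'capability,': 'grants every Linux capability',
              'network,': 'allows every network family and protocol'}

def lint_profile(text):
    """Return (rule, reason) pairs for rules broader than a narrow profile needs."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line in BARE_RULES:
            findings.append((line, BARE_RULES[line]))
            continue
        m = FILE_RULE.match(line)
        if not m:  # braces, comments, blank lines and non-file rules
            continue
        path, perms = m.groups()
        writes = 'w' in perms or 'a' in perms  # 'a' is append-only write
        if '**' in path and writes:
            findings.append((line, 'recursive write: any file under the tree can be created or changed'))
        elif path.endswith('/*') and writes:
            findings.append((line, 'whole-directory write: narrow to the specific files needed'))
        if 'ux' in perms.lower():
            findings.append((line, 'runs the target unconfined, escaping the profile entirely'))
    return findings
```

Running lint_profile over the weak profile reports five findings, including the recursive write under /var/www/html/ from the scenario above; the hardened profile reports none.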
