What Is AppArmor, and How Does It Secure Your Ubuntu System?

AppArmor is an important security feature that’s been included by default with Ubuntu since Ubuntu 7.10. However, it runs silently in the background, so you may not be aware of what it is and what it’s doing.

AppArmor locks down vulnerable processes, restricting the damage security vulnerabilities in these processes can cause. AppArmor can also be used to lock down Mozilla Firefox for increased security, but it doesn’t do this by default.

What is AppArmor?

AppArmor is similar to SELinux, used by default in Fedora and Red Hat. While they work differently, both AppArmor and SELinux provide “mandatory access control” (MAC) security. In effect, AppArmor allows Ubuntu’s developers to restrict the actions processes can take.

For example, one application that’s restricted in Ubuntu’s default configuration is the Evince PDF viewer. While Evince may run as your user account, it can only take specific actions. Evince only has the bare minimum of permissions needed to run and work with PDF documents. If a vulnerability were discovered in Evince’s PDF renderer and you opened a malicious PDF document that took over Evince, AppArmor would restrict the damage Evince could do. In the traditional Linux security model, Evince would have access to everything you have access to. With AppArmor, it only has access to things that a PDF viewer needs access to.

AppArmor is particularly useful for restricting software that may be exploited, such as a web browser or server software.

Viewing AppArmor’s Status

To view AppArmor’s status, run the following command in a terminal:

sudo apparmor_status

You’ll see whether AppArmor is running on your system (it’s running by default), the AppArmor profiles that are installed, and the confined processes that are running.

AppArmor Profiles

In AppArmor, processes are restricted by profiles. The list above shows us the profiles that are installed on the system – these ones come with Ubuntu. You can also install other profiles by installing the apparmor-profiles package. Some packages – server software, for example – may come with their own AppArmor profiles that are installed on the system along with the package. You can also create your own AppArmor profiles to restrict software.

Profiles can run in “complain mode” or “enforce mode.” In enforce mode – the default setting for the profiles that come with Ubuntu – AppArmor prevents applications from taking restricted actions. In complain mode, AppArmor allows applications to take restricted actions and creates a log entry complaining about this. Complain mode is ideal for testing an AppArmor profile before enabling it in enforce mode – you’ll see any errors that would occur in enforce mode.

Profiles are stored in the /etc/apparmor.d directory. These profiles are plain-text files that can contain comments.
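
As an added example (not code from the original article), the following Python script parses AppArmor audit lines of the kind that complain mode and enforce mode write to the kernel log, and turns one profile's complain-mode entries into candidate file rules in /etc/apparmor.d syntax. The log lines, paths and PIDs are constructed samples, and suggest_rules is a hypothetical, heavily simplified stand-in for what the real aa-logprof tool does.

```python
import re
from collections import defaultdict

# Constructed sample kernel audit lines in AppArmor's log format (not taken from a
# real system). apparmor="ALLOWED" means a complain-mode profile let the access
# through but logged it; "DENIED" means an enforce-mode profile blocked it;
# "STATUS" records a profile being loaded or removed.
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.101:21): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/firefox" pid=812 comm="apparmor_parser"
audit: type=1400 audit(1700000000.202:22): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/home/user/.mozilla/firefox/profiles.ini" pid=1230 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.303:23): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf" pid=1230 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.404:24): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/home/user/.ssh/id_rsa" pid=1301 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key="quoted value" or key=bare_value, as the kernel emits them.
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Return the key/value fields of one AppArmor audit line, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    return {key: inner if raw.startswith('"') else raw
            for key, raw, inner in _FIELD.findall(line)}

def summarize(log_text):
    """Group events per profile: accesses enforce mode blocked ('denied'), accesses
    complain mode only logged ('would_deny': enforce mode would block these with the
    same profile), and profile load/remove notices ('status')."""
    report = defaultdict(lambda: {"would_deny": [], "denied": [], "status": []})
    for raw_line in log_text.splitlines():
        event = parse_line(raw_line)
        if event is None:
            continue
        kind = event["apparmor"]
        if kind == "STATUS":
            report[event["name"]]["status"].append(event["operation"])
        elif kind in ("ALLOWED", "DENIED"):
            entry = (event["operation"], event["name"], event.get("denied_mask", ""))
            report[event["profile"]]["would_deny" if kind == "ALLOWED" else "denied"].append(entry)
    return dict(report)

def suggest_rules(report, profile):
    """Turn a profile's complain-mode entries into candidate file rules in
    /etc/apparmor.d syntax (hypothetical simplification of aa-logprof). Each
    suggestion still needs a human decision: a logged access is not necessarily
    one the program should be granted."""
    return [f"  {path} {mask},"
            for op, path, mask in report.get(profile, {}).get("would_deny", [])
            if op in ("open", "file_perm", "file_mmap") and mask]
```

Run summarize over the complain-mode log of a new profile, review the suggested rules, and only then switch the profile to enforce mode.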

Enabling AppArmor for Firefox

You may also notice that AppArmor comes with a Firefox profile – it’s the usr.bin.firefox file in the /etc/apparmor.d directory. It isn’t enabled by default, as it may restrict Firefox too much and cause problems. The /etc/apparmor.d/disable folder contains a link to this file, indicating that it’s disabled.

To enable the Firefox profile and confine Firefox with AppArmor, run the following commands:

sudo rm /etc/apparmor.d/disable/usr.bin.firefox

cat /etc/apparmor.d/usr.bin.firefox | sudo apparmor_parser -a

After you run these commands, run the sudo apparmor_status command again and you’ll see that the Firefox profiles are now loaded.

To disable the Firefox profile if it’s causing problems, run the following commands:

sudo ln -s /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/disable/

sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox

For more detailed information about using AppArmor, consult the official Ubuntu Server Guide’s page on AppArmor.

Translated from: https://www.howtogeek.com/118222/htg-explains-what-apparmor-is-and-how-it-secures-your-ubuntu-system/
