========
AppArmor
========

What is AppArmor?
=================

AppArmor is a MAC-style security extension for the Linux kernel.  It implements
a task-centered policy, with task "profiles" being created and loaded
from user space.  Tasks on the system that do not have a profile defined for
them run in an unconfined state, which is equivalent to standard Linux DAC
permissions.

How to enable/disable
=====================

Set ``CONFIG_SECURITY_APPARMOR=y``

If AppArmor should be selected as the default security module then set::

   CONFIG_DEFAULT_SECURITY="apparmor"
   CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1

Build the kernel

If AppArmor is not the default security module it can be enabled by passing
``security=apparmor`` on the kernel's command line.

If AppArmor is the default security module it can be disabled by passing
``apparmor=0, security=XXXX`` (where ``XXXX`` is a valid security module), on the
kernel's command line.

For AppArmor to enforce any restrictions beyond standard Linux DAC permissions,
policy must be loaded into the kernel from user space (see the Documentation
and tools links).
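
The enable/disable rules above, applied to a kernel ``.config`` and a command line. This is an added example, not part of the kernel documentation or the AppArmor tools. The function names are hypothetical, the sample config is constructed, and it assumes AppArmor is active only when it is both the selected module and switched on by ``apparmor=`` or its build-time default.

```shell
#!/bin/sh
# Added example: predict AppArmor's boot state from a kernel .config and a
# kernel command line, using only the rules stated in this document.
# All function names here are hypothetical helpers, not kernel or AppArmor tools.

# config_value FILE KEY: last value of KEY in a kernel config, quotes removed.
config_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# cmdline_value "CMDLINE" NAME: value of the last NAME=value word, or empty.
cmdline_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tail -n 1
}

# apparmor_boot_state FILE "CMDLINE": prints not-built, active or inactive.
apparmor_boot_state() {
    cfg="$1"; cmdline="$2"
    if [ "$(config_value "$cfg" CONFIG_SECURITY_APPARMOR)" != "y" ]; then
        echo not-built; return 0
    fi
    # security= on the command line overrides the built-in default module.
    selected="$(cmdline_value "$cmdline" security)"
    [ -n "$selected" ] || selected="$(config_value "$cfg" CONFIG_DEFAULT_SECURITY)"
    # apparmor= overrides CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE.
    enabled="$(cmdline_value "$cmdline" apparmor)"
    [ -n "$enabled" ] || enabled="$(config_value "$cfg" CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE)"
    # Assumption: both conditions must hold for AppArmor to be active.
    if [ "$selected" = "apparmor" ] && [ "$enabled" = "1" ]; then
        echo active
    else
        echo inactive
    fi
}

# Constructed sample config: AppArmor built in, but not the default module.
sample="$(mktemp)"
printf '%s\n' 'CONFIG_SECURITY_APPARMOR=y' 'CONFIG_DEFAULT_SECURITY="selinux"' \
    'CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1' > "$sample"
for c in "ro quiet" "ro quiet security=apparmor" "ro security=apparmor apparmor=0"; do
    printf '%-34s -> %s\n' "$c" "$(apparmor_boot_state "$sample" "$c")"
done
rm -f "$sample"
```

An ``active`` result only means the module is running; tasks without a loaded profile still run unconfined under standard DAC permissions.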

Documentation
=============

Documentation can be found on the wiki, linked below.

Links
=====

Mailing List - apparmor@lists.ubuntu.com

Wiki - http://wiki.apparmor.net

User space tools - https://gitlab.com/apparmor

Kernel module - git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor