AppArmor : プロファイルの有効化/無効化2023/07/13 |
|
AppArmor でロードされている各プロファイルは、以下のようにして個別に 有効化/無効化 することができます。
|
|
| [1] | AppArmor を操作するための各種ツールが含まれたパッケージをインストールしておきます。 |
|
root@dlp:~# apt -y install apparmor-utils
|
| [2] | プロファイルを無効化する場合は以下のように設定します。 |
|
root@dlp:~# aa-status
apparmor module is loaded.
10 profiles are loaded.
10 profiles are in enforce mode.
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/{,usr/}sbin/dhclient
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
# 各プロファイルの設定ファイルは以下 root@dlp:~# ll /etc/apparmor.d total 40 drwxr-xr-x 2 root root 4096 Jun 11 19:27 abi drwxr-xr-x 4 root root 4096 Jun 11 19:27 abstractions drwxr-xr-x 2 root root 4096 Feb 14 05:49 disable drwxr-xr-x 2 root root 4096 Feb 14 05:49 force-complain drwxr-xr-x 2 root root 4096 Jun 11 19:30 local -rw-r--r-- 1 root root 1379 Feb 14 05:49 lsb_release -rw-r--r-- 1 root root 1189 Feb 14 05:49 nvidia_modprobe -rw-r--r-- 1 root root 3461 Mar 30 04:02 sbin.dhclient drwxr-xr-x 5 root root 4096 Jun 11 19:27 tunables -rw-r--r-- 1 root root 3448 Mar 12 17:23 usr.bin.man # 例として [/usr/bin/man] を無効化 root@dlp:~# aa-disable /usr/bin/man Disabling /usr/bin/man. aa-status
apparmor module is loaded.
7 profiles are loaded.
7 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/{,usr/}sbin/dhclient
lsb_release
nvidia_modprobe
nvidia_modprobe//kmod
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
# 無効化されたプロファイルは以下で確認可 root@dlp:~# ll /etc/apparmor.d/disable total 0 lrwxrwxrwx 1 root root 27 Jul 12 19:34 usr.bin.man -> /etc/apparmor.d/usr.bin.man |
| [3] | プロファイルを有効化する場合は以下のように設定します。 |
|
root@dlp:~# aa-status
apparmor module is loaded.
7 profiles are loaded.
7 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/{,usr/}sbin/dhclient
lsb_release
nvidia_modprobe
nvidia_modprobe//kmod
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
# 例として [/usr/bin/man] を [enforce] モードで有効化 # [enforce] モード : プロファイルで許可された動作のみを許可 # [complain] モード : プロファイルで許可されない動作をログに記録するが拒否はしない root@dlp:~# aa-enforce /usr/bin/man Setting /usr/bin/man to enforce mode. aa-status
apparmor module is loaded.
10 profiles are loaded.
10 profiles are in enforce mode.
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/{,usr/}sbin/dhclient
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
|
| Sponsored Link |