AppArmor½éÉÜ

andrewyang83

Ô­ÎÄÁ´½Ó£ºhttp://www.lenky.info/archives/2014/05/2405

AppArmorÊÇÒ»¿îÓëSeLinuxÀàËƵݲȫ¿ò¼Ü/¹¤¾ß£¬ÆäÖ÷Òª×÷ÓÃÊÇ¿ØÖÆÓ¦ÓóÌÐòµÄ¸÷ÖÖȨÏÞ£¬ÀýÈç¶Ôij¸öĿ¼/ÎļþµÄ¶Á/д£¬¶ÔÍøÂç¶Ë¿ÚµÄ´ò¿ª/¶Á/дµÈµÈ¡£
À´Ö®NovellÍøÕ¾µÄÒýÓãº

1. AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if they are exploiting previously unknown vulnerabilities.

¸´ÖÆ´úÂë

AppArmorͨ¹ýÒ»¸öÅäÖÃÎļþ£¨¼´profile£©À´Ö¸¶¨Ò»¸öÓ¦ÓóÌÐòµÄÏà¹ØȨÏÞ¡£ÔÚ´ó¶àÊýÇé¿öÏ£¬¿ÉÒÔͨ¹ýÏÞÖÆÓ¦ÓóÌÐòµÄijЩ²»±ØÒªµÄȨÏÞÀ´ÌáÉýϵͳ°²È«ÐÔ£¬±ÈÈçÖ¸¶¨Firefox²»ÄÜ·ÃÎÊϵͳĿ¼£¬ÕâÑù¼´±ãÊÇʹÓÃFirefox·ÃÎÊÁ˶ñÒâÍøÒ³£¬Ò²¿ÉÒÔ±ÜÃâ¶ñÒâÍøҳͨ¹ýFirefox·ÃÎʵ½ÏµÍ³Ä¿Â¼¡£
AppArmorÊÇUbuntuµÄĬÈÏÑ¡Ôñ£¬µ«ÔÚĬÈÏÇé¿öÏ£¬ÏµÍ³×Ô´ø°²×°µÄprofileÅäÖÃÎļþºÜÉÙ£¬Í¨¹ýÃüÁsudo apt-get install apparmor-profiles£¬¿ÉÒÔ°²×°¶îÍâµÄAppArmor-profileÎļþ¡£
ÔÚUbuntuÏÂͨ¹ýÃüÁîsudo apparmor_status¿ÉÒԲ鿴µ±Ç°AppArmorµÄ״̬¡£
Ö´ÐÐsudo apt-get install apparmor-profilesÃüÁî֮ǰµÄ×Ô´øprofileÅäÖãº

1. lenky@local:~$ sudo apparmor_status
   
2. apparmor module is loaded.
   
3. 20 profiles are loaded.
   
4. 20 profiles are in enforce mode.
   
5.      /sbin/dhclient
   
6.      /usr/bin/evince
   
7.      /usr/bin/evince-previewer
   
8.      /usr/bin/evince-previewer//sanitized_helper
   
9.      /usr/bin/evince-thumbnailer
   
10.      /usr/bin/evince-thumbnailer//sanitized_helper
    
11.      /usr/bin/evince//sanitized_helper
    
12.      /usr/lib/NetworkManager/nm-dhcp-client.action
    
13.      /usr/lib/connman/scripts/dhclient-script
    
14.      /usr/lib/cups/backend/cups-pdf
    
15.      /usr/lib/lightdm/lightdm-guest-session
    
16.      /usr/lib/lightdm/lightdm-guest-session//chromium
    
17.      /usr/lib/telepathy/mission-control-5
    
18.      /usr/lib/telepathy/telepathy-*
    
19.      /usr/lib/telepathy/telepathy-*//pxgsettings
    
20.      /usr/lib/telepathy/telepathy-*//sanitized_helper
    
21.      /usr/lib/telepathy/telepathy-ofono
    
22.      /usr/sbin/cups-browsed
    
23.      /usr/sbin/cupsd
    
24.      /usr/sbin/tcpdump
    
25. 0 profiles are in complain mode.
    
26. 4 processes have profiles defined.
    
27. 4 processes are in enforce mode.
    
28.      /usr/lib/telepathy/mission-control-5 (2438)
    
29.      /usr/sbin/cups-browsed (1070)
    
30.      /usr/sbin/cupsd (2881)
    
31.      /usr/sbin/cupsd (2884)
    
32. 0 processes are in complain mode.
    
33. 0 processes are unconfined but have a profile defined.
    
34. lenky@local:~$

¸´ÖÆ´úÂë

Ö´ÐÐsudo apt-get install apparmor-profilesÃüÁîÖ®ºóµÄÇé¿ö£º

1. lenky@local:~$ sudo apparmor_status
   
2. apparmor module is loaded.
   
3. 47 profiles are loaded.
   
4. 23 profiles are in enforce mode.
   
5.      /sbin/dhclient
   
6.      /usr/bin/evince
   
7.      /usr/bin/evince-previewer
   
8.      /usr/bin/evince-previewer//sanitized_helper
   
9.      /usr/bin/evince-thumbnailer
   
10.      /usr/bin/evince-thumbnailer//sanitized_helper
    
11.      /usr/bin/evince//sanitized_helper
    
12.      /usr/lib/NetworkManager/nm-dhcp-client.action
    
13.      /usr/lib/chromium-browser/chromium-browser//browser_java
    
14.      /usr/lib/chromium-browser/chromium-browser//browser_openjdk
    
15.      /usr/lib/chromium-browser/chromium-browser//sanitized_helper
    
16.      /usr/lib/connman/scripts/dhclient-script
    
17.      /usr/lib/cups/backend/cups-pdf
    
18.      /usr/lib/lightdm/lightdm-guest-session
    
19.      /usr/lib/lightdm/lightdm-guest-session//chromium
    
20.      /usr/lib/telepathy/mission-control-5
    
21.      /usr/lib/telepathy/telepathy-*
    
22.      /usr/lib/telepathy/telepathy-*//pxgsettings
    
23.      /usr/lib/telepathy/telepathy-*//sanitized_helper
    
24.      /usr/lib/telepathy/telepathy-ofono
    
25.      /usr/sbin/cups-browsed
    
26.      /usr/sbin/cupsd
    
27.      /usr/sbin/tcpdump
    
28. 24 profiles are in complain mode.
    
29.     /sbin/klogd
    
30.     /sbin/syslog-ng
    
31.     /sbin/syslogd
    
32.     /usr/lib/chromium-browser/chromium-browser
    
33.     /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
    
34.     /usr/lib/chromium-browser/chromium-browser//lsb_release
    
35.     /usr/lib/chromium-browser/chromium-browser//xdgsettings
    
36.     /usr/lib/dovecot/deliver
    
37.     /usr/lib/dovecot/dovecot-auth
    
38.     /usr/lib/dovecot/imap
    
39.     /usr/lib/dovecot/imap-login
    
40.     /usr/lib/dovecot/managesieve-login
    
41.     /usr/lib/dovecot/pop3
    
42.     /usr/lib/dovecot/pop3-login
    
43.     /usr/sbin/avahi-daemon
    
44.     /usr/sbin/dnsmasq
    
45.     /usr/sbin/dovecot
    
46.     /usr/sbin/identd
    
47.     /usr/sbin/mdnsd
    
48.     /usr/sbin/nmbd
    
49.     /usr/sbin/nscd
    
50.     /usr/sbin/smbd
    
51.     /usr/{sbin/traceroute,bin/traceroute.db}
    
52.     /{usr/,}bin/ping
    
53. 10 processes have profiles defined.
    
54. 4 processes are in enforce mode.
    
55.     /usr/lib/telepathy/mission-control-5 (2438)
    
56.     /usr/sbin/cups-browsed (1070)
    
57.     /usr/sbin/cupsd (2881)
    
58.     /usr/sbin/cupsd (2884)
    
59. 0 processes are in complain mode.
    
60. 6 processes are unconfined but have a profile defined.
    
61.     /usr/sbin/avahi-daemon (868)
    
62.     /usr/sbin/avahi-daemon (873)
    
63.     /usr/sbin/dnsmasq (2493)
    
64.     /usr/sbin/nmbd (2639)
    
65.     /usr/sbin/smbd (704)
    
66.     /usr/sbin/smbd (1105)
    
67. lenky@local:~$

¸´ÖÆ´úÂë

¿ÉÒÔ¿´µ½Ð°²×°ÁËһЩprofileÅäÖÃÎļþ¡£ApparmorµÄprofileÅäÖÃÎļþ¾ù±£´æÔÚĿ¼/etc/apparmor.d£¬¶ÔÓ¦µÄÈÕÖ¾Îļþ¼Ç¼ÔÚ/var/log/messages¡£
ApparmorʹÓÃÄں˱ê×¼°²È«Îļþϵͳ»úÖÆ£¨/sys/kernel/security£©À´¼ÓÔغͼà¿ØprofilesÎļþ¡£¶øÐéÄâÎļþ/sys/kernel/security/apparmor/profilesÀï¼Ç¼Á˵±Ç°¼ÓÔصÄprofilesÎļþ¡£

1. lenky@local:/var/log$ cat /sys/kernel/security/apparmor/profiles
   
2. cat: /sys/kernel/security/apparmor/profiles: ȨÏÞ²»¹»
   
3. lenky@local:/var/log$ sudo -i
   
4. [sudo] password for lenky:
   
5. root@local:~# cat /sys/kernel/security/apparmor/profiles
   
6. /usr/{sbin/traceroute,bin/traceroute.db} (complain)
   
7. /usr/sbin/smbd (complain)
   
8. /usr/sbin/nscd (complain)
   
9. /usr/sbin/nmbd (complain)
   
10. /usr/sbin/mdnsd (complain)
    
11. /usr/sbin/identd (complain)
    
12. /usr/sbin/dovecot (complain)
    
13. /usr/sbin/dnsmasq (complain)
    
14. /usr/sbin/avahi-daemon (complain)
    
15. /usr/lib/dovecot/pop3-login (complain)
    
16. /usr/lib/dovecot/pop3 (complain)
    
17. /usr/lib/dovecot/managesieve-login (complain)
    
18. /usr/lib/dovecot/imap-login (complain)
    
19. /usr/lib/dovecot/imap (complain)
    
20. /usr/lib/dovecot/dovecot-auth (complain)
    
21. /usr/lib/dovecot/deliver (complain)
    
22. /usr/lib/chromium-browser/chromium-browser (complain)
    
23. /usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
    
24. /usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
    
25. /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
    
26. /usr/lib/chromium-browser/chromium-browser//lsb_release (complain)
    
27. /usr/lib/chromium-browser/chromium-browser//sanitized_helper (enforce)
    
28. /usr/lib/chromium-browser/chromium-browser//xdgsettings (complain)
    
29. /sbin/syslog-ng (complain)
    
30. /sbin/syslogd (complain)
    
31. /sbin/klogd (complain)
    
32. /{usr/,}bin/ping (complain)
    
33. /usr/sbin/tcpdump (enforce)
    
34. /usr/lib/telepathy/telepathy-ofono (enforce)
    
35. /usr/lib/telepathy/telepathy-* (enforce)
    
36. /usr/lib/telepathy/telepathy-*//sanitized_helper (enforce)
    
37. /usr/lib/telepathy/telepathy-*//pxgsettings (enforce)
    
38. /usr/lib/telepathy/mission-control-5 (enforce)
    
39. /usr/sbin/cups-browsed (enforce)
    
40. /usr/bin/evince-thumbnailer (enforce)
    
41. /usr/bin/evince-thumbnailer//sanitized_helper (enforce)
    
42. /usr/bin/evince-previewer (enforce)
    
43. /usr/bin/evince-previewer//sanitized_helper (enforce)
    
44. /usr/bin/evince (enforce)
    
45. /usr/bin/evince//sanitized_helper (enforce)
    
46. /usr/lib/lightdm/lightdm-guest-session (enforce)
    
47. /usr/lib/lightdm/lightdm-guest-session//chromium (enforce)
    
48. /usr/sbin/cupsd (enforce)
    
49. /usr/lib/cups/backend/cups-pdf (enforce)
    
50. /usr/lib/connman/scripts/dhclient-script (enforce)
    
51. /usr/lib/NetworkManager/nm-dhcp-client.action (enforce)
    
52. /sbin/dhclient (enforce)
    
53. root@local:~#

¸´ÖÆ´úÂë

profileÎļþÒÔËüËù¶ÔÓ¦µÄÓ¦ÓóÌÐòµÄÍêÕû·¾¶À´ÃüÃû£¬µ±È»£¬ÒªÈ¥³ý¶ÔÇ°ÃæµÄ¸ù·ûºÅ£¨/£©£¬È»ºó°Ñ·¾¶ÖмäµÄ/Ì滻Ϊ.¡£Èç¹ûÊÇÈíÁ¬½Ó£¬»¹±ØÐëת»»µ½×îÖÕµÄÓ¦ÓóÌÐò¡£±ÈÈçfirefoxµÄÇé¿ö£º

1. lenky@local:/var/log$ whereis firefox
   
2. firefox: /usr/bin/firefox /etc/firefox /usr/lib/firefox /usr/bin/X11/firefox /usr/share/man/man1/firefox.1.gz
   
3. lenky@local:/var/log$ file /usr/bin/firefox
   
4. /usr/bin/firefox: symbolic link to `../lib/firefox/firefox.sh'
   
5. lenky@local:/var/log$ ls /usr/lib/firefox/firefox.sh -l
   
6. -rwxr-xr-x 1 root root 2740  4ÔÂ 11 05:10 /usr/lib/firefox/firefox.sh

¸´ÖÆ´úÂë

¿ÉÒÔ¿´µ½firefox¶ÔÓ¦µÄ×îÖÕ·¾¶ÊÇ/usr/lib/firefox/firefox.sh£¬Òò´ËÓë´ËÏà¶ÔµÄAppArmorÅäÖÃÎļþΪ£º/etc/apparmor.d/usr.lib.firefox.firefox.sh£¬¼´ÎÒÃÇ¿ÉÒÔÔÚ/etc/apparmor.dĿ¼Ï½¨Á¢Ò»¸öusr.lib.firefox.firefox.shÎļþÀ´¶¨ÒåfirefoxµÄÏà¹ØȨÏÞ¡£
Ò»¸öprofileÎļþ¶¨ÒåºÃÖ®ºó£¬µ±Æä¶ÔÓ¦µÄÓ¦ÓóÌÐòÆô¶¯£¨±ÈÈçfirefox£©£¬ËüÒ²¾Í×Ô¶¯¼¤»îÉúЧ¡£ÓÐÁ½ÖÖģʽ£¬·Ö±ðΪ£º
complain£ºÓ¦ÓóÌÐò·¢ÉúÁ˳¬¹ýÆäȨÏÞÖ®ÍâµÄ¶¯×÷ʱ£¬Apparmor»á½øÐÐlog¼Ç¼£¬µ«ÊDz»»á×èÖ¹Ó¦ÓóÌÐòÏà¹Ø¶¯×÷µÄ³É¹¦Ö´ÐС£
enforce£ºÓ¦ÓóÌÐò·¢ÉúÁ˳¬¹ýÆäȨÏÞÖ®ÍâµÄ¶¯×÷ʱ£¬Apparmor»á½øÐÐlog¼Ç¼£¬²¢ÇÒ»á×èÖ¹Ó¦ÓóÌÐòÏà¹Ø¶¯×÷µÄ³É¹¦Ö´ÐС£
ͨ¹ýÃüÁîaa-complain»òaa-enforce¿ÉÒÔÇл»profileÎļþµÄ״̬¡£ÕâÐèÒªÏÈ°²×°¶ÔÓ¦µÄutils¹¤¾ß£º

1. sudo apt-get install apparmor-utils

¸´ÖÆ´úÂë

ÊÔÊÔ£º

1. lenky@local:~$ sudo aa-complain tcpdump
   
2. Setting /usr/sbin/tcpdump to complain mode.
   
3. lenky@local:~$ sudo aa-enforce tcpdump
   
4. Setting /usr/sbin/tcpdump to enforce mode.

¸´ÖÆ´úÂë

×öÁËÕâÖÖÐ޸ĺóÐèÒªÖØÆôapparmor£¬ApparmorµÄÆô¶¯¡¢Í£Ö¹µÈ²Ù×÷µÄÏà¹ØÃüÁîÈçÏ£º

1. Start : sudo /etc/init.d/apparmor start
   
2. Stop : sudo /etc/init.d/apparmor stop
   
3. reload: sudo /etc/init.d/apparmor reload
   
4. Show status: sudo /etc/init.d/apparmor status

¸´ÖÆ´úÂë

ÆäËûÃüÁ
aa-unconfinedÓÃÀ´ÏÔʾϵͳÀïÄÇЩӵÓÐtcp/udp¶Ë¿Ú£¬µ«ÓÖδ´¦ÓÚapparmor¼à¿Ø֮ϵĽø³Ì¡£

1. lenky@local:~$ sudo aa-unconfined
   
2. 704 /usr/sbin/smbd not confined
   
3. 868 /usr/sbin/avahi-daemon not confined
   
4. 979 /usr/sbin/sshd not confined
   
5. 1070 /usr/sbin/cups-browsed confined by '/usr/sbin/cups-browsed (enforce)'
   
6. 2493 /usr/sbin/dnsmasq not confined
   
7. 2639 /usr/sbin/nmbd not confined
   
8. 2881 /usr/sbin/cupsd confined by '/usr/sbin/cupsd (enforce)'
   
9. 9624 /usr/sbin/nginx (nginx: master process /usr/sbin/nginx) not confined

¸´ÖÆ´úÂë

ÕâÑùµÄ½ø³ÌÔ½¶à£¬¶ÔӦϵͳ±»¹¥»÷µÄ·çÏÕÒ²¾ÍÔ½´ó¡£aa-genprofÃüÁîÓÃÀ´Éú³ÉÒ»¸öprofileÎļþ¡£ÊµÀý£ºÀûÓÃÃüÁîsudo aa-genprof nginxÉú³ÉnginxµÄÒ»¸öprofileÎļþ¡£
ÔÚÒ»¸öÖÕ¶Ë1ÀïÖ´ÐУº

1. lenky@local:~$ sudo aa-genprof nginx
   
2. ...
   
3. [(S)can system log for AppArmor events] / (F)inish

¸´ÖÆ´úÂë

Áí¿ªÒ»¸öÖÕ¶Ë2£¬Ö´ÐÐsudo nginx£¬È»ºóÇлØÖÕ¶Ë1£¬°´s½øÐÐɨÃ裬¾¹È»¹ÒÁË£¬Ô­Òò²»Ã÷£¬²»¹Ü£¬Ö±½ÓÔÙÖ´ÐÐsudo aa-genprof nginx£¬°´s½øÐÐɨÃ裬ûÓÐɨÃèµ½¶«Î÷¡£
Çл»»áÖÕ¶Ë2£¬sudo killall nginx; sudo nginx£¬ÇлØÖÕ¶Ë1£¬°´s½øÐÐɨÃ裬ÓÐÈçÏÂÌáʾ£º

1. [(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore

¸´ÖÆ´úÂë

°´a£¬»¹ÓÐÀàËÆÌáʾ£¬Ò»Ö±°´a£¬¼´È«²¿ÉèÖÃΪallow£¬µ½×îºó³öÏÖ£º

1. (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t

¸´ÖÆ´úÂë

°´s±£´æÅäÖá£
³öÏÖ£º

1. [(S)can system log for AppArmor events] / (F)inish

¸´ÖÆ´úÂë

°´f½áÊø

andrewyang83

[ÐøÕýÎÄ]

Ô­ÎÄÁ´½Ó£ºhttp://www.lenky.info/archives/2014/05/2405

²é¿´Éú³ÉµÄprofileÎļþ£º

1. lenky@local:~$ sudo cat /etc/apparmor.d/usr.sbin.nginx

¸´ÖÆ´úÂë

1.   /etc/group r,
   
2.   /etc/nginx/conf.d/ r,
   
3.   /etc/nginx/mime.types r,
   
4.   /etc/nginx/nginx.conf r,
   
5.   /etc/nginx/sites-enabled/ r,
   
6.   /etc/nsswitch.conf r,
   
7.   /etc/passwd r,
   
8.   /etc/ssl/openssl.cnf r,
   
9.   /run/nginx.pid w,
   
10.   /usr/sbin/nginx mr,
    
11.   /var/log/nginx/error.log a,

¸´ÖÆ´úÂë

¿ÉÒÔ¿´µ½»¹Óкܶà²Ù×÷ûÓⶻñµ½£¬±ÈÈç¶Ôaccess.logÎļþµÄ·ÃÎÊ¡£
Ö´ÐÐÃüÁsudo aa-logprof
¿ÉÒÔ¼ÌÐøÉèÖÃÕâЩȨÏÞµÄȨÏÞ£º

1. lenky@local:~$ sudo aa-logprof
   
2. Reading log entries from /var/log/syslog.
   
3. Updating AppArmor profiles in /etc/apparmor.d.
   
4. Complain-mode changes:
   
5. WARN: unknown capability: CAP_dac_override
   
6. 
   
7. Profile:    /usr/sbin/nginx
   
8. Capability: dac_override
   
9. Severity:   unknown
   
10. 
    
11. [(A)llow] / (D)eny / (I)gnore / Audi(t) / Abo(r)t / (F)inish

¸´ÖÆ´úÂë

¼ÌÐø°´a°ÑËùÓвÙ×÷¶¼ÉèÖÃΪallow£¬×îºó°´s±£´æÅäÖᣴËʱ£¬²Ù×÷ȨÏÞÉèÖøü¶àÁË£º

1. lenky@local:~$ sudo cat /etc/apparmor.d/usr.sbin.nginx
   
2. # Last Modified: Thu May 29 16:48:58 2014
   
3. #include <tunables/global>
   
4. 
   
5. /usr/sbin/nginx flags=(complain)
   
6.   #include <abstractions/base>
   
7.   #include <abstractions/nis>
   
8.   capability dac_override,
   
9.   capability dac_read_search,
   
10.   capability net_bind_service,
    
11.   capability setgid,
    
12. 
    
13.   /etc/group r,
    
14.   /etc/nginx/conf.d/ r,
    
15.   /etc/nginx/mime.types r,
    
16.   /etc/nginx/nginx.conf r,
    
17.   /etc/nginx/sites-available/default r,
    
18.   /etc/nginx/sites-enabled/ r,
    
19.   /etc/nsswitch.conf r,
    
20.   /etc/passwd r,
    
21.   /etc/ssl/openssl.cnf r,
    
22.   /run/nginx.pid rw,
    
23.   /usr/sbin/nginx mr,
    
24.   /usr/share/nginx/html/appamror/allow.html r,
    
25.   /usr/share/nginx/html/appamror/deny.html r,
    
26.   /var/log/nginx/access.log w,
    
27.   /var/log/nginx/error.log w,

¸´ÖÆ´úÂë

Èç¹ûûÓÐеIJÙ×÷ÐèÒªÉèÖÃȨÏÞ£¬ÄÇôִÐÐaa-logprofµÄ½á¹ûÊÇÕâÑùµÄ£º

1. lenky@local:~$ sudo aa-logprof
   
2. Reading log entries from /var/log/syslog.
   
3. Updating AppArmor profiles in /etc/apparmor.d.
   
4. Complain-mode changes:
   
5. Enforce-mode changes:

¸´ÖÆ´úÂë

Ö®ËùÒÔÒª°ÑËùÓвÙ×÷¶¼Ä¬ÈÏÉèÖÃΪÔÊÐí£¬ÊÇÒòΪÏÂÃæÒª°ÑÕâ¸öprofile¸ÄΪenforce£¬È»ºóÖØÆônginx£¬Èç¹û²»²¶»ñÈ«²¿²Ù×÷£¬ÄÇôĬÈϽûÖ¹»áµ¼ÖÂnginxÆô¶¯²»ÁË¡£

1. lenky@local:~$ sudo aa-enforce nginx
   
2. Setting /usr/sbin/nginx to enforce mode.
   
3. lenky@local:~$ sudo /etc/init.d/apparmor restart
   
4. * Reloading AppArmor profiles                                                                                                                         Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
   
5. Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
   
6.                                                                                                                                                 [ OK ]
   
7. lenky@local:~$ sudo /etc/init.d/nginx restart
   
8. * Restarting nginx nginx                                                                                                                       [fail]
   
9. lenky@local:~$ sudo nginx
   
10. nginx: [emerg] socket() 0.0.0.0:80 failed (13: Permission denied)

¸´ÖÆ´úÂë

ÒÔÇ°ÃæµÄprofileÅäÖÃÀ´¿´£¬nginxÈÔÈ»Æô¶¯²»ÁË£¬Ô­ÒòÊÇûÓÐÉèÖÃnginx¶Ô80¶Ë¿ÚµÄȨÏÞ¡£
»»³ÉÕâ¸ö£¨À´Ö®£ºhttp://jdh8.github.io/linux/apparmor-nginx-php-fpm/£©£º

1. lenky@local:~$ sudo cat /etc/apparmor.d/usr.sbin.nginx
   
2. # Last Modified: Thu May 29 17:11:18 2014
   
3. #include <tunables/global>
   
4. 
   
5. /usr/sbin/nginx
   
6.   #include <abstractions/apache2-common>
   
7.   #include <abstractions/base>
   
8.   #include <abstractions/nis>
   
9. 
   
10. 
    
11.   capability dac_override,
    
12.   capability dac_read_search,
    
13.   capability net_bind_service,
    
14.   capability setgid,
    
15.   capability setuid,
    
16. 
    
17.   /etc/nginx/** r,
    
18.   /etc/ssl/openssl.cnf r,
    
19.   /proc/*/auxv r,
    
20.   /run/nginx.pid rw,
    
21.   /run/nginx.pid.oldbin w,
    
22.   /run/php5-fpm.sock rw,
    
23.   /srv/www/** r,
    
24.   /usr/sbin/nginx mr,
    
25.   /usr/share/nginx/html/** r,
    
26.   /var/log/nginx/* w,

¸´ÖÆ´úÂë

ÖØÆôÉúЧ£º

1. lenky@local:~$ sudo /etc/init.d/apparmor restart
   
2. * Reloading AppArmor profiles                                                                                                                         Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
   
3. Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
   
4.                                                                                                                                                 [ OK ]
   
5. lenky@local:~$ sudo /etc/init.d/nginx restart
   
6. * Restarting nginx nginx                                                                                                                       [ OK ]
   
7. lenky@local:~$ wget 127.0.0.1
   
8. --2014-05-29 17:13:48--  http://127.0.0.1/
   
9. ÕýÔÚÁ¬½Ó 127.0.0.1:80... ÒÑÁ¬½Ó¡£
   
10. ÒÑ·¢³ö HTTP ÇëÇó£¬ÕýÔڵȴý»ØÓ¦... 200 OK
    
11. ³¤¶È£º 612 1
    
12. ÕýÔÚ±£´æÖÁ: ¡°index.html¡±
    
13. 
    
14. 100%[=============================================================================================================>] 612         --.-K/s   ÓÃʱ 0s   
    
15. 
    
16. 2014-05-29 17:13:48 (115 MB/s) - Òѱ£´æ ¡°index.html¡± [612/612])
    
17. 
    
18. lenky@local:~$

¸´ÖÆ´úÂë

ÔÙÑéÖ¤£¬ÔÚ/etc/apparmor.d/usr.sbin.nginxÀï¼ÓÒ»ÐУº

1. deny /usr/share/nginx/html/appamror/deny.html r,

¸´ÖÆ´úÂë

²âÊÔ£º

1. lenky@local:~$ sudo /etc/init.d/apparmor restart
   
2. * Reloading AppArmor profiles                                                                                                                         Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
   
3. Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
   
4.                                                                                                                                                 [ OK ]
   
5. lenky@local:~$ sudo /etc/init.d/nginx restart
   
6. * Restarting nginx nginx                                                                                                                       [ OK ]
   
7. lenky@local:~$
   
8. lenky@local:~$ wget 127.0.0.1/appamror/allow.html
   
9. --2014-05-29 17:16:28--  http://127.0.0.1/appamror/allow.html
   
10. ÕýÔÚÁ¬½Ó 127.0.0.1:80... ÒÑÁ¬½Ó¡£
    
11. ÒÑ·¢³ö HTTP ÇëÇó£¬ÕýÔڵȴý»ØÓ¦... 200 OK
    
12. ³¤¶È£º 33 1
    
13. ÕýÔÚ±£´æÖÁ: ¡°allow.html.1¡±
    
14. 
    
15. 100%[=============================================================================================================>] 33          --.-K/s   ÓÃʱ 0s   
    
16. 
    
17. 2014-05-29 17:16:28 (6.73 MB/s) - Òѱ£´æ ¡°allow.html.1¡± [33/33])
    
18. 
    
19. lenky@local:~$ wget 127.0.0.1/appamror/deny.html
    
20. --2014-05-29 17:16:34--  http://127.0.0.1/appamror/deny.html
    
21. ÕýÔÚÁ¬½Ó 127.0.0.1:80... ÒÑÁ¬½Ó¡£
    
22. ÒÑ·¢³ö HTTP ÇëÇó£¬ÕýÔڵȴý»ØÓ¦... 403 Forbidden
    
23. 2014-05-29 17:16:34 ´íÎó 403£ºForbidden¡£

¸´ÖÆ´úÂë

¿ÉÒÔ¿´µ½Ò³Ãædeny.htmlû·¨·ÃÎÊÁË£¬¶øÈ¥µôdenyÐкóÓÖ¿ÉÒÔ·ÃÎÊÁË£¬ËµÃ÷apparmorµÄprofileÉèÖÃÉúЧÁË¡£

²Î¿¼£ºhttp://ubuntuforums.org/showthread.php?t=1008906

andrewyang83

˵Ã÷£ºÓÉÓÚÔÚ´úÂëºÍÕýÎÄÖÐÕ³ÌùµÄ´úÂëÄÚÈݲ»ÄÜдÈë{},µ¼ÖÂÕ³ÌùµÄ´úÂë¶ÎÖÐÈ¥µôÁË"{"ºÍ"}"

lmy

andrewyang83 ·¢±íÓÚ 2015-4-8 09:30
˵Ã÷£ºÓÉÓÚÔÚ´úÂëºÍÕýÎÄÖÐÕ³ÌùµÄ´úÂëÄÚÈݲ»ÄÜдÈë{},µ¼ÖÂÕ³ÌùµÄ´úÂë¶ÎÖÐÈ¥µôÁË"{"ºÍ"}"

ÐÁ¿àÁË£¡