Ubuntu Kylin Technical Forum

Views: 6326 | Replies: 3

Introduction to AppArmor


    Posted on 2015-4-8 09:19:14
    Original article: http://www.lenky.info/archives/2014/05/2405

    AppArmor is a security framework/tool similar to SELinux. Its main purpose is to control an application's permissions, for example reading/writing a given directory or file, or opening/reading/writing a network port.
    Quoted from the Novell website:

        AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if they are exploiting previously unknown vulnerabilities.

    AppArmor specifies an application's permissions through a configuration file, called a profile. In most cases system security can be improved by restricting an application's unnecessary permissions: for instance, if Firefox is forbidden to access system directories, then even when a malicious web page is visited with Firefox, that page cannot reach the system directories through Firefox.
    AppArmor is Ubuntu's default choice, but by default the system ships with very few profiles; the command sudo apt-get install apparmor-profiles installs additional AppArmor profile files.
    On Ubuntu, the command sudo apparmor_status shows the current AppArmor status.
    The profiles shipped by default, before running sudo apt-get install apparmor-profiles:
        lenky@local:~$ sudo apparmor_status
        apparmor module is loaded.
        20 profiles are loaded.
        20 profiles are in enforce mode.
           /sbin/dhclient
           /usr/bin/evince
           /usr/bin/evince-previewer
           /usr/bin/evince-previewer//sanitized_helper
           /usr/bin/evince-thumbnailer
           /usr/bin/evince-thumbnailer//sanitized_helper
           /usr/bin/evince//sanitized_helper
           /usr/lib/NetworkManager/nm-dhcp-client.action
           /usr/lib/connman/scripts/dhclient-script
           /usr/lib/cups/backend/cups-pdf
           /usr/lib/lightdm/lightdm-guest-session
           /usr/lib/lightdm/lightdm-guest-session//chromium
           /usr/lib/telepathy/mission-control-5
           /usr/lib/telepathy/telepathy-*
           /usr/lib/telepathy/telepathy-*//pxgsettings
           /usr/lib/telepathy/telepathy-*//sanitized_helper
           /usr/lib/telepathy/telepathy-ofono
           /usr/sbin/cups-browsed
           /usr/sbin/cupsd
           /usr/sbin/tcpdump
        0 profiles are in complain mode.
        4 processes have profiles defined.
        4 processes are in enforce mode.
           /usr/lib/telepathy/mission-control-5 (2438)
           /usr/sbin/cups-browsed (1070)
           /usr/sbin/cupsd (2881)
           /usr/sbin/cupsd (2884)
        0 processes are in complain mode.
        0 processes are unconfined but have a profile defined.
        lenky@local:~$
    After running sudo apt-get install apparmor-profiles:
        lenky@local:~$ sudo apparmor_status
        apparmor module is loaded.
        47 profiles are loaded.
        23 profiles are in enforce mode.
           /sbin/dhclient
           /usr/bin/evince
           /usr/bin/evince-previewer
           /usr/bin/evince-previewer//sanitized_helper
           /usr/bin/evince-thumbnailer
           /usr/bin/evince-thumbnailer//sanitized_helper
           /usr/bin/evince//sanitized_helper
           /usr/lib/NetworkManager/nm-dhcp-client.action
           /usr/lib/chromium-browser/chromium-browser//browser_java
           /usr/lib/chromium-browser/chromium-browser//browser_openjdk
           /usr/lib/chromium-browser/chromium-browser//sanitized_helper
           /usr/lib/connman/scripts/dhclient-script
           /usr/lib/cups/backend/cups-pdf
           /usr/lib/lightdm/lightdm-guest-session
           /usr/lib/lightdm/lightdm-guest-session//chromium
           /usr/lib/telepathy/mission-control-5
           /usr/lib/telepathy/telepathy-*
           /usr/lib/telepathy/telepathy-*//pxgsettings
           /usr/lib/telepathy/telepathy-*//sanitized_helper
           /usr/lib/telepathy/telepathy-ofono
           /usr/sbin/cups-browsed
           /usr/sbin/cupsd
           /usr/sbin/tcpdump
        24 profiles are in complain mode.
           /sbin/klogd
           /sbin/syslog-ng
           /sbin/syslogd
           /usr/lib/chromium-browser/chromium-browser
           /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
           /usr/lib/chromium-browser/chromium-browser//lsb_release
           /usr/lib/chromium-browser/chromium-browser//xdgsettings
           /usr/lib/dovecot/deliver
           /usr/lib/dovecot/dovecot-auth
           /usr/lib/dovecot/imap
           /usr/lib/dovecot/imap-login
           /usr/lib/dovecot/managesieve-login
           /usr/lib/dovecot/pop3
           /usr/lib/dovecot/pop3-login
           /usr/sbin/avahi-daemon
           /usr/sbin/dnsmasq
           /usr/sbin/dovecot
           /usr/sbin/identd
           /usr/sbin/mdnsd
           /usr/sbin/nmbd
           /usr/sbin/nscd
           /usr/sbin/smbd
           /usr/{sbin/traceroute,bin/traceroute.db}
           /{usr/,}bin/ping
        10 processes have profiles defined.
        4 processes are in enforce mode.
           /usr/lib/telepathy/mission-control-5 (2438)
           /usr/sbin/cups-browsed (1070)
           /usr/sbin/cupsd (2881)
           /usr/sbin/cupsd (2884)
        0 processes are in complain mode.
        6 processes are unconfined but have a profile defined.
           /usr/sbin/avahi-daemon (868)
           /usr/sbin/avahi-daemon (873)
           /usr/sbin/dnsmasq (2493)
           /usr/sbin/nmbd (2639)
           /usr/sbin/smbd (704)
           /usr/sbin/smbd (1105)
        lenky@local:~$
    Some new profiles have been installed. AppArmor profiles are all stored in the directory /etc/apparmor.d, and the corresponding log entries are written to /var/log/messages.
    AppArmor uses the kernel's standard securityfs mechanism (/sys/kernel/security) to load and monitor profiles, and the virtual file /sys/kernel/security/apparmor/profiles records the currently loaded profiles.
        lenky@local:/var/log$ cat /sys/kernel/security/apparmor/profiles
        cat: /sys/kernel/security/apparmor/profiles: 权限不够
        lenky@local:/var/log$ sudo -i
        [sudo] password for lenky:
        root@local:~# cat /sys/kernel/security/apparmor/profiles
        /usr/{sbin/traceroute,bin/traceroute.db} (complain)
        /usr/sbin/smbd (complain)
        /usr/sbin/nscd (complain)
        /usr/sbin/nmbd (complain)
        /usr/sbin/mdnsd (complain)
        /usr/sbin/identd (complain)
        /usr/sbin/dovecot (complain)
        /usr/sbin/dnsmasq (complain)
        /usr/sbin/avahi-daemon (complain)
        /usr/lib/dovecot/pop3-login (complain)
        /usr/lib/dovecot/pop3 (complain)
        /usr/lib/dovecot/managesieve-login (complain)
        /usr/lib/dovecot/imap-login (complain)
        /usr/lib/dovecot/imap (complain)
        /usr/lib/dovecot/dovecot-auth (complain)
        /usr/lib/dovecot/deliver (complain)
        /usr/lib/chromium-browser/chromium-browser (complain)
        /usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
        /usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
        /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
        /usr/lib/chromium-browser/chromium-browser//lsb_release (complain)
        /usr/lib/chromium-browser/chromium-browser//sanitized_helper (enforce)
        /usr/lib/chromium-browser/chromium-browser//xdgsettings (complain)
        /sbin/syslog-ng (complain)
        /sbin/syslogd (complain)
        /sbin/klogd (complain)
        /{usr/,}bin/ping (complain)
        /usr/sbin/tcpdump (enforce)
        /usr/lib/telepathy/telepathy-ofono (enforce)
        /usr/lib/telepathy/telepathy-* (enforce)
        /usr/lib/telepathy/telepathy-*//sanitized_helper (enforce)
        /usr/lib/telepathy/telepathy-*//pxgsettings (enforce)
        /usr/lib/telepathy/mission-control-5 (enforce)
        /usr/sbin/cups-browsed (enforce)
        /usr/bin/evince-thumbnailer (enforce)
        /usr/bin/evince-thumbnailer//sanitized_helper (enforce)
        /usr/bin/evince-previewer (enforce)
        /usr/bin/evince-previewer//sanitized_helper (enforce)
        /usr/bin/evince (enforce)
        /usr/bin/evince//sanitized_helper (enforce)
        /usr/lib/lightdm/lightdm-guest-session (enforce)
        /usr/lib/lightdm/lightdm-guest-session//chromium (enforce)
        /usr/sbin/cupsd (enforce)
        /usr/lib/cups/backend/cups-pdf (enforce)
        /usr/lib/connman/scripts/dhclient-script (enforce)
        /usr/lib/NetworkManager/nm-dhcp-client.action (enforce)
        /sbin/dhclient (enforce)
        root@local:~#
    A profile file is named after the full path of the application it applies to, with the leading root slash (/) removed and every remaining / in the path replaced by a dot (.). If the path is a symbolic link, it must first be resolved to the final application. Take firefox as an example:
        lenky@local:/var/log$ whereis firefox
        firefox: /usr/bin/firefox /etc/firefox /usr/lib/firefox /usr/bin/X11/firefox /usr/share/man/man1/firefox.1.gz
        lenky@local:/var/log$ file /usr/bin/firefox
        /usr/bin/firefox: symbolic link to `../lib/firefox/firefox.sh'
        lenky@local:/var/log$ ls /usr/lib/firefox/firefox.sh -l
        -rwxr-xr-x 1 root root 2740  4月 11 05:10 /usr/lib/firefox/firefox.sh

    The final path for firefox is /usr/lib/firefox/firefox.sh, so the corresponding AppArmor profile is /etc/apparmor.d/usr.lib.firefox.firefox.sh; that is, we can create a file named usr.lib.firefox.firefox.sh under /etc/apparmor.d to define firefox's permissions.
    Once a profile has been defined, it is activated automatically when its application (firefox, for example) starts. There are two modes:
    complain: when the application performs an action beyond its permissions, AppArmor logs it but does not stop the action from succeeding.
    enforce: when the application performs an action beyond its permissions, AppArmor logs it and also blocks the action.
    The commands aa-complain and aa-enforce switch a profile between the two modes. The corresponding utilities have to be installed first:

        sudo apt-get install apparmor-utils

    Try it:

        lenky@local:~$ sudo aa-complain tcpdump
        Setting /usr/sbin/tcpdump to complain mode.
        lenky@local:~$ sudo aa-enforce tcpdump
        Setting /usr/sbin/tcpdump to enforce mode.

    After such a change AppArmor needs to be restarted. The commands for starting, stopping and related operations are:

        Start:       sudo /etc/init.d/apparmor start
        Stop:        sudo /etc/init.d/apparmor stop
        Reload:      sudo /etc/init.d/apparmor reload
        Show status: sudo /etc/init.d/apparmor status

    Other commands:
    aa-unconfined lists the processes on the system that hold open TCP/UDP ports but are not under AppArmor confinement.
        lenky@local:~$ sudo aa-unconfined
        704 /usr/sbin/smbd not confined
        868 /usr/sbin/avahi-daemon not confined
        979 /usr/sbin/sshd not confined
        1070 /usr/sbin/cups-browsed confined by '/usr/sbin/cups-browsed (enforce)'
        2493 /usr/sbin/dnsmasq not confined
        2639 /usr/sbin/nmbd not confined
        2881 /usr/sbin/cupsd confined by '/usr/sbin/cupsd (enforce)'
        9624 /usr/sbin/nginx (nginx: master process /usr/sbin/nginx) not confined

    The more such processes there are, the greater the system's exposure to attack. The aa-genprof command generates a profile. Example: use sudo aa-genprof nginx to generate a profile for nginx.
    In a first terminal (terminal 1), run:

        lenky@local:~$ sudo aa-genprof nginx
        ...
        [(S)can system log for AppArmor events] / (F)inish

    Open a second terminal (terminal 2) and run sudo nginx, then switch back to terminal 1 and press s to scan. Surprisingly it crashed, for reasons unknown; never mind, just run sudo aa-genprof nginx again and press s to scan: nothing was found.
    Switch to terminal 2, run sudo killall nginx; sudo nginx, switch back to terminal 1 and press s to scan; the following prompt appears:

        [(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore

    Press a; similar prompts follow. Keep pressing a, i.e. set everything to allow, until finally this appears:

        (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t

    Press s to save the configuration.
    Then this appears:

        [(S)can system log for AppArmor events] / (F)inish

    Press f to finish.

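As an added example (not from the original article or this forum post), the Python script below models three things the post relies on: reading the kernel's profile listing in the format of /sys/kernel/security/apparmor/profiles, reproducing the "unconfined but have a profile defined" check that apparmor_status reports after new profiles are installed, and deriving a profile file name from an executable path the way the post explains for firefox. It runs offline without AppArmor: the profile listing is constructed from entries in the post, and the process table and symlink table are assumed stand-ins for /proc/<pid>/attr/current and the filesystem.

```python
import posixpath

# Constructed sample in the format of /sys/kernel/security/apparmor/profiles
# (entries taken from the listing in the post; "//" names are sub-profiles).
SAMPLE_PROFILES = """\
/usr/sbin/smbd (complain)
/usr/sbin/avahi-daemon (complain)
/usr/sbin/dnsmasq (complain)
/usr/sbin/tcpdump (enforce)
/usr/sbin/cupsd (enforce)
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
"""

# Assumed process table: pid -> (executable, confinement label as reported in
# /proc/<pid>/attr/current), modelled on the aa-unconfined output in the post.
SAMPLE_PROCESSES = {
    704: ("/usr/sbin/smbd", "unconfined"),
    868: ("/usr/sbin/avahi-daemon", "unconfined"),
    979: ("/usr/sbin/sshd", "unconfined"),
    2881: ("/usr/sbin/cupsd", "/usr/sbin/cupsd (enforce)"),
    9624: ("/usr/sbin/nginx", "unconfined"),
}

# Assumed symlink table standing in for the filesystem (the firefox case).
SAMPLE_LINKS = {"/usr/bin/firefox": "../lib/firefox/firefox.sh"}


def parse_profiles(text):
    """Map profile name -> mode ('enforce' or 'complain') from the kernel listing."""
    profiles = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, mode = line.rpartition(" ")
        profiles[name] = mode.strip("()")
    return profiles


def count_modes(profiles):
    """Count loaded profiles per mode, as the first lines of apparmor_status do."""
    counts = {"enforce": 0, "complain": 0}
    for mode in profiles.values():
        counts[mode] = counts.get(mode, 0) + 1
    return counts


def unconfined_with_profile(profiles, processes):
    """PIDs running unconfined although a profile for their executable is loaded.

    This is the 'unconfined but have a profile defined' case: the daemon was
    started before its profile was loaded, so it must be restarted to become
    confined. Profile names using {a,b} alternation are not expanded here
    (simplification; exact name match only).
    """
    return sorted(pid for pid, (exe, label) in processes.items()
                  if label == "unconfined" and exe in profiles)


def profile_file_name(exe_path, links=None):
    """Derive the /etc/apparmor.d file name for an executable.

    Symlinks are resolved first through the supplied table (standing in for
    os.path.realpath), then the leading '/' is dropped and every remaining
    '/' becomes '.', as the post explains for /usr/bin/firefox.
    """
    links = links or {}
    seen = set()
    path = exe_path
    while path in links:
        if path in seen:
            raise ValueError("symlink loop at %s" % path)
        seen.add(path)
        target = links[path]
        if not target.startswith("/"):  # relative target: resolve against the link's directory
            target = posixpath.normpath(posixpath.join(posixpath.dirname(path), target))
        path = target
    return path.lstrip("/").replace("/", ".")


if __name__ == "__main__":
    profiles = parse_profiles(SAMPLE_PROFILES)
    print(count_modes(profiles))
    for pid in unconfined_with_profile(profiles, SAMPLE_PROCESSES):
        exe = SAMPLE_PROCESSES[pid][0]
        print("%d %s has a profile loaded but runs unconfined: restart it" % (pid, exe))
    print(profile_file_name("/usr/bin/firefox", SAMPLE_LINKS))
```

On a real host the same logic would read the kernel file (root only, as the post shows) and /proc/<pid>/attr/current for each process; the point of the check is that installing apparmor-profiles confines nothing until the affected daemons are restarted.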

    Original poster | Posted on 2015-4-8 09:27:57
    [Continued from above]

    Original article: http://www.lenky.info/archives/2014/05/2405

    View the generated profile:

        lenky@local:~$ sudo cat /etc/apparmor.d/usr.sbin.nginx
          /etc/group r,
          /etc/nginx/conf.d/ r,
          /etc/nginx/mime.types r,
          /etc/nginx/nginx.conf r,
          /etc/nginx/sites-enabled/ r,
          /etc/nsswitch.conf r,
          /etc/passwd r,
          /etc/ssl/openssl.cnf r,
          /run/nginx.pid w,
          /usr/sbin/nginx mr,
          /var/log/nginx/error.log a,


    ¿ÉÒÔ¿´µ½»¹Óкܶà²Ù×÷ûÓв¶»ñµ½£¬±ÈÈç¶Ôaccess.logÎļþµÄ·ÃÎÊ¡£
    Ö´ÐÐÃüÁsudo aa-logprof
    ¿ÉÒÔ¼ÌÐøÉèÖÃÕâЩȨÏÞµÄȨÏÞ£º
    1. lenky@local:~$ sudo aa-logprof
    2. Reading log entries from /var/log/syslog.
    3. Updating AppArmor profiles in /etc/apparmor.d.
    4. Complain-mode changes:
    5. WARN: unknown capability: CAP_dac_override

    6. Profile:    /usr/sbin/nginx
    7. Capability: dac_override
    8. Severity:   unknown

    9. [(A)llow] / (D)eny / (I)gnore / Audi(t) / Abo(r)t / (F)inish
    ¸´ÖÆ´úÂë


    Keep pressing a to set all operations to allow, and finally press s to save. Now more operation permissions are set:

        lenky@local:~$ sudo cat /etc/apparmor.d/usr.sbin.nginx
        # Last Modified: Thu May 29 16:48:58 2014
        #include <tunables/global>

        /usr/sbin/nginx flags=(complain) {
          #include <abstractions/base>
          #include <abstractions/nis>
          capability dac_override,
          capability dac_read_search,
          capability net_bind_service,
          capability setgid,

          /etc/group r,
          /etc/nginx/conf.d/ r,
          /etc/nginx/mime.types r,
          /etc/nginx/nginx.conf r,
          /etc/nginx/sites-available/default r,
          /etc/nginx/sites-enabled/ r,
          /etc/nsswitch.conf r,
          /etc/passwd r,
          /etc/ssl/openssl.cnf r,
          /run/nginx.pid rw,
          /usr/sbin/nginx mr,
          /usr/share/nginx/html/appamror/allow.html r,
          /usr/share/nginx/html/appamror/deny.html r,
          /var/log/nginx/access.log w,
          /var/log/nginx/error.log w,
        }


    Èç¹ûûÓÐеIJÙ×÷ÐèÒªÉèÖÃȨÏÞ£¬ÄÇôִÐÐaa-logprofµÄ½á¹ûÊÇÕâÑùµÄ£º
    1. lenky@local:~$ sudo aa-logprof
    2. Reading log entries from /var/log/syslog.
    3. Updating AppArmor profiles in /etc/apparmor.d.
    4. Complain-mode changes:
    5. Enforce-mode changes:
    ¸´ÖÆ´úÂë


    The reason for setting all operations to allow by default is that this profile is about to be switched to enforce and nginx restarted; if not every operation has been captured, the default deny will keep nginx from starting.

        lenky@local:~$ sudo aa-enforce nginx
        Setting /usr/sbin/nginx to enforce mode.
        lenky@local:~$ sudo /etc/init.d/apparmor restart
        * Reloading AppArmor profiles    Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
        Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
                                                                          [ OK ]
        lenky@local:~$ sudo /etc/init.d/nginx restart
        * Restarting nginx nginx                                          [fail]
        lenky@local:~$ sudo nginx
        nginx: [emerg] socket() 0.0.0.0:80 failed (13: Permission denied)


    With the profile above, nginx still fails to start, because nginx has not been granted permission for port 80.
    Replace it with this one (from: http://jdh8.github.io/linux/apparmor-nginx-php-fpm/):

        lenky@local:~$ sudo cat /etc/apparmor.d/usr.sbin.nginx
        # Last Modified: Thu May 29 17:11:18 2014
        #include <tunables/global>

        /usr/sbin/nginx {
          #include <abstractions/apache2-common>
          #include <abstractions/base>
          #include <abstractions/nis>

          capability dac_override,
          capability dac_read_search,
          capability net_bind_service,
          capability setgid,
          capability setuid,

          /etc/nginx/** r,
          /etc/ssl/openssl.cnf r,
          /proc/*/auxv r,
          /run/nginx.pid rw,
          /run/nginx.pid.oldbin w,
          /run/php5-fpm.sock rw,
          /srv/www/** r,
          /usr/sbin/nginx mr,
          /usr/share/nginx/html/** r,
          /var/log/nginx/* w,
        }


    Restart for the change to take effect:

        lenky@local:~$ sudo /etc/init.d/apparmor restart
        * Reloading AppArmor profiles    Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
        Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
                                                                          [ OK ]
        lenky@local:~$ sudo /etc/init.d/nginx restart
        * Restarting nginx nginx                                          [ OK ]
        lenky@local:~$ wget 127.0.0.1
        --2014-05-29 17:13:48--  http://127.0.0.1/
        正在连接 127.0.0.1:80... 已连接。
        已发出 HTTP 请求，正在等待回应... 200 OK
        长度： 612 1
        正在保存至: “index.html”

        100%[==========================================>] 612         --.-K/s   用时 0s

        2014-05-29 17:13:48 (115 MB/s) - 已保存 “index.html” [612/612])

        lenky@local:~$


    To verify further, add a line to /etc/apparmor.d/usr.sbin.nginx:

        deny /usr/share/nginx/html/appamror/deny.html r,


    Test:

        lenky@local:~$ sudo /etc/init.d/apparmor restart
        * Reloading AppArmor profiles    Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
        Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
                                                                          [ OK ]
        lenky@local:~$ sudo /etc/init.d/nginx restart
        * Restarting nginx nginx                                          [ OK ]
        lenky@local:~$
        lenky@local:~$ wget 127.0.0.1/appamror/allow.html
        --2014-05-29 17:16:28--  http://127.0.0.1/appamror/allow.html
        正在连接 127.0.0.1:80... 已连接。
        已发出 HTTP 请求，正在等待回应... 200 OK
        长度： 33 1
        正在保存至: “allow.html.1”

        100%[==========================================>] 33          --.-K/s   用时 0s

        2014-05-29 17:16:28 (6.73 MB/s) - 已保存 “allow.html.1” [33/33])

        lenky@local:~$ wget 127.0.0.1/appamror/deny.html
        --2014-05-29 17:16:34--  http://127.0.0.1/appamror/deny.html
        正在连接 127.0.0.1:80... 已连接。
        已发出 HTTP 请求，正在等待回应... 403 Forbidden
        2014-05-29 17:16:34 错误 403：Forbidden。

    The page deny.html can no longer be accessed, and once the deny line is removed it can be accessed again, which shows that the AppArmor profile setting is in effect.

    Reference: http://ubuntuforums.org/showthread.php?t=1008906
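As an added example (not part of the original article or this post), the Python script below models how AppArmor's file rules decide an access, so that the behaviour seen in the post's final test can be reasoned about without a live system: a matching deny rule wins over any allow rule (which is why deny.html returns 403 even though /usr/share/nginx/html/** r, also matches), '*' does not cross a directory boundary while '**' does, and anything no allow rule covers is denied implicitly. The sample profile is constructed from the nginx profile the post ends with plus the deny line it adds; #include abstractions and capability lines are deliberately not expanded, and the glob translation is a simplification that covers the rules on this page.

```python
import re

# Constructed sample: the nginx profile from the post plus the deny line added
# in its final test.  #include and capability lines are not file rules and are
# skipped; abstractions such as apache2-common are not expanded here.
SAMPLE_PROFILE = """\
/usr/sbin/nginx {
  #include <abstractions/apache2-common>
  #include <abstractions/base>
  capability net_bind_service,
  /etc/nginx/** r,
  /etc/ssl/openssl.cnf r,
  /proc/*/auxv r,
  /run/nginx.pid rw,
  /run/nginx.pid.oldbin w,
  /run/php5-fpm.sock rw,
  /srv/www/** r,
  /usr/sbin/nginx mr,
  /usr/share/nginx/html/** r,
  /var/log/nginx/* w,
  deny /usr/share/nginx/html/appamror/deny.html r,
}
"""

# A file rule: optional "deny", an absolute path glob, permission letters, comma.
FILE_RULE = re.compile(r"^\s*(deny\s+)?(/\S+)\s+([a-zA-Z]+),\s*$")


def glob_to_regex(pattern):
    """Translate AppArmor path globbing to an anchored regex.

    '*' and '?' do not cross '/', '**' does, '{a,b}' is alternation and '[...]'
    a character class.  Globs nested inside {} are not expanded (simplification).
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = j
        elif c == "[":
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def parse_rules(profile_text):
    """Extract (is_deny, path_glob, permission set) from the profile's file rules."""
    rules = []
    for line in profile_text.splitlines():
        m = FILE_RULE.match(line)
        if not m:
            continue
        perms = set(m.group(3))
        if "w" in perms:
            perms.add("a")  # write permission implies append
        rules.append((m.group(1) is not None, m.group(2), perms))
    return rules


def decide(rules, path, perm):
    """Return 'allow', 'explicit-deny' or 'implicit-deny' for one access.

    A matching deny rule overrides every allow rule.  An access no allow rule
    covers is denied too; the distinction matters for the post's workflow,
    because an implicit deny is logged (and so picked up by aa-logprof) while
    a plain deny rule is quiet unless written as 'audit deny'.
    """
    allowed = False
    for is_deny, pattern, perms in rules:
        if perm not in perms or not re.match(glob_to_regex(pattern), path):
            continue
        if is_deny:
            return "explicit-deny"
        allowed = True
    return "allow" if allowed else "implicit-deny"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_PROFILE)
    for path, perm in [
        ("/usr/share/nginx/html/appamror/allow.html", "r"),
        ("/usr/share/nginx/html/appamror/deny.html", "r"),
        ("/var/log/nginx/access.log", "w"),
        ("/var/log/nginx/archive/old.log", "w"),
    ]:
        print(perm, path, "->", decide(rules, path, perm))
```

The last probe is the practical caveat: a rule such as /var/log/nginx/* w, stops covering log files as soon as nginx is configured to write into a subdirectory, and in enforce mode that surfaces as a startup or logging failure rather than as a visible rule mismatch.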
    Original poster | Posted on 2015-4-8 09:30:12
    Note: because code pasted into the code blocks and the body text cannot contain {}, the "{" and "}" were dropped from the pasted code segments.
    Posted on 2015-4-8 11:44:52
    andrewyang83 posted on 2015-4-8 09:30:
    Note: because code pasted into the code blocks and the body text cannot contain {}, the "{" and "}" were dropped from the pasted code segments.

    Thanks for your hard work!

    Copyright ©2013-2019 Ubuntu Kylin. All Rights Reserved .

    ICP No. 15002470-2 Tianjin
