Ubuntu's AppArmor system is reasonably and pleasantly non-obnoxious

December 31, 2016

I have historically not had much love for extra access control systems layered on top of Linux, such as SELinux. We don't have very high opinions of Ubuntu's AppArmor system either and have mostly avoided dealing with it, but after recently having to do things with it I have to say that it's at least not particularly obnoxious.

What drove us to having something to do with AppArmor at all was that it keeps getting restarted every so often on machines where we let users run MySQL daemons (for example for user-run web server setups). When users are running MySQL this way, the MySQL database files are of course not where the AppArmor profile expects them to be, so the moment AppArmor starts up, all user-run MySQL daemons fall over dead (or fail to start). Once this had happened a few times we both figured out what was going on and got sick of it, so we needed to permanently defang AppArmor here, which meant actually understanding at least part of AppArmor.

This, well, it wasn't too bad. It was even reasonably okay. Without too much trouble we were able to read the existing AppArmor profile and work out both a way of adding decently appropriate AppArmor access permissions for where our user MySQL databases should be and also a way of permanently disabling MySQL confinement even when AppArmor is running (we opted to do the latter). Figuring out the new rules necessary was a sufficiently pleasant experience that I can actually imagine working with AppArmor and writing AppArmor profiles without hating myself.

Two things that help a bunch are that AppArmor profiles are plain text and they're generally written about paths in the filesystem. Plain text makes them readable, and directly using filesystem paths makes them easy to reason about; it is pretty obvious what allowing the process owner to access their own files under '/w/*/*/**' will do (for one example). AppArmor also has a relatively clean model of site-specific additions and overrides for standard policies, and as yet another plus, the AppArmor status reporting tool actually has useful information about the overall state of your system.
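To make the reasoning about '/w/*/*/**' concrete, here is an added example (not code from the original post or from AppArmor) that models only the `*`, `**` and `?` globs plus the `owner` qualifier and evaluates a few constructed accesses. The `/w/<number>/<user>/` layout, the uids, the `/var/lib/mysql/**` stock data path and the one-level variant rule are assumptions made for illustration.

```python
import re
from typing import NamedTuple

class Rule(NamedTuple):
    glob: str         # AppArmor-style path glob
    owner_only: bool  # True when the rule carries the "owner" qualifier

def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate the subset of AppArmor globbing modelled here (*, **, ?)."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")      # ** crosses directory boundaries
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")   # * stays inside one path component
            i += 1
        elif glob[i] == "?":
            parts.append("[^/]")    # ? is one character, never '/'
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(parts), re.DOTALL)

def allows(rule: Rule, path: str, file_uid: int, proc_uid: int) -> bool:
    """Path must match the glob; 'owner' also requires file uid == process uid."""
    if not glob_to_regex(rule.glob).fullmatch(path):
        return False
    return file_uid == proc_uid if rule.owner_only else True

USER_RULE = Rule("/w/*/*/**", owner_only=True)            # glob quoted in the post
STOCK_RULE = Rule("/var/lib/mysql/**", owner_only=False)  # assumed stock data path
ONE_LEVEL = Rule("/w/*/*/*", owner_only=True)             # hypothetical contrast

# Constructed sample accesses: (path, file owner uid, process uid)
SAMPLES = [
    ("/w/12/alice/mysql/ibdata1", 1001, 1001),  # own database file, nested
    ("/w/12/alice/my.cnf", 1001, 1001),         # own file, one level down
    ("/w/12/bob/mysql/ibdata1", 1002, 1001),    # someone else's database
    ("/w/12/notes.txt", 1001, 1001),            # too shallow for /w/*/*/
    ("/var/lib/mysql/ibdata1", 1001, 1001),     # where the stock rule looks
]

def evaluate(rule: Rule) -> list:
    return [allows(rule, *sample) for sample in SAMPLES]

if __name__ == "__main__":
    for name, rule in [("user", USER_RULE), ("stock", STOCK_RULE), ("one-level", ONE_LEVEL)]:
        print(f"{name:9} {rule.glob:20} {evaluate(rule)}")
```

The stock-style rule matches none of the `/w/...` paths, which is the situation the user-run daemons were in, while swapping `**` for `*` silently stops covering anything nested below the user's directory.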

(I will note that the other thing a good text format is good for is having comments. Comments are really good for understanding why something is in a policy. Even file naming can help here.)

I'm sure that AppArmor is strictly less powerful and capable than SELinux, both in theory and in practice based on how people write actual policies (since fine-grained policies are a problem). But it's a lot more usable in practice for a non-expert, sufficiently so that I would be willing to consider using it on one of my machines.

(Other handy links for AppArmor stuff include Ubuntu's page on debugging AppArmor and the quick guide to the profiling language as well as the documentation in general.)


Last modified: Sat Dec 31 01:52:10 2016