
Tutorial: create a profile from scratch

In this tutorial, you will create, test, and load a profile for the ping application. ping is a popular network tool used to test the reachability of a host on an IP network.

Note

ping is available by default on many Linux distributions, but it can also be installed manually as part of the iputils-ping package set.

Check the current status of AppArmor and the existing profiles

Verify that AppArmor is enabled on your system:

sudo aa-status
apparmor module is loaded.
215 profiles are loaded.
114 profiles are in enforce mode.
...

List all the existing profiles and make sure that you have no profile for ping:

sudo ls /etc/apparmor.d/

Run ping

Verify that ping works as expected:

ping example.com

PING example.com (23.192.228.84) 56(84) bytes of data.
64 bytes from a23-192-228-84.deploy.static.akamaitechnologies.com (23.192.228.84): icmp_seq=1 ttl=49 time=218 ms
...

Create a basic profile file

Create and open a text file:

sudo vim /etc/apparmor.d/ping

Attach the profile to the ping executable:

/usr/bin/ping {

}

Restrict the application's capabilities

To know what to restrict, you must understand the underlying behavior of the application.

ping is a utility used for troubleshooting the network: it sends data packets to a specified IP address and waits for replies.

ping sends and receives the packets via raw sockets. A raw socket is a type of socket that allows a program to send and receive data by directly accessing lower-level network protocols. Raw sockets are useful for applications such as ping because the data sent or received through them doesn't need to be wrapped in the various headers of the transport layer, which makes the entire process fast and efficient. Because raw sockets bypass the usual protocol handling, using them to send or receive data is a privileged operation, and it is governed by the CAP_NET_RAW capability. See also, Capabilities.

Let's check ping's permissions:

ls -l /bin/ping
-rwxr-xr-x 1 root root 89768 Apr  8  2024 /bin/ping

Note that its owner is root, which means that it has elevated permissions.

Now let's check ping's capabilities:

getcap /bin/ping
/bin/ping cap_net_raw=ep

cap_net_raw is set to effective and permitted, which means that ping can open raw sockets.

Now let's restrict both of these permissions by editing the profile:

/{usr/,}bin/ping flags=(complain) {
  deny capability net_raw,
  deny capability setuid,
}

Note that the profile is in complain mode, which means the application will be able to perform the restricted operations, but the attempts will be logged.

Test the application and check the logs

Load the profile into the kernel:

apparmor_parser -C /etc/apparmor.d/ping

Run the application again and check the logs:

ping example.com

There are various ways of monitoring the logs. Some popular tools and files to monitor are:

  • dmesg
  • /var/log/kern.log
  • /var/log/messages
  • aa-notify
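To make sense of what these tools show, here is an added Python helper (not part of this tutorial or of the AppArmor project) that parses audit lines in the key=value format the kernel writes to dmesg and counts the ALLOWED/DENIED decisions recorded for a given profile. The lines in SAMPLE_LOG are constructed for this example; the pids, timestamps and the DENIED line (what an enforce-mode profile would log) are illustrative.

```python
import re
from collections import Counter

# Constructed sample of kernel audit lines, in the form dmesg shows them, for the
# ping profile: two complain-mode events (ALLOWED), one enforce-mode event (DENIED)
# and one profile-load status line that is not a mediation decision.
SAMPLE_LOG = """\
[ 1234.567890] audit: type=1400 audit(1700000000.100:201): apparmor="ALLOWED" operation="capable" profile="/{usr/,}bin/ping" pid=4242 comm="ping" capability=13  capname="net_raw"
[ 1234.567999] audit: type=1400 audit(1700000000.101:202): apparmor="ALLOWED" operation="capable" profile="/{usr/,}bin/ping" pid=4242 comm="ping" capability=7  capname="setuid"
[ 1300.000001] audit: type=1400 audit(1700000066.500:210): apparmor="DENIED" operation="capable" profile="/{usr/,}bin/ping" pid=4300 comm="ping" capability=13  capname="net_raw"
[ 1300.100000] audit: type=1400 audit(1700000066.600:211): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/{usr/,}bin/ping" pid=4301 comm="apparmor_parser"
"""

# key="quoted value" or key=bareword
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None if it is not one."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def summarize(log_text, profile):
    """Count events for `profile` keyed by (verdict, operation, detail), where detail
    is the capability name for capability checks and the path for file operations."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("profile") != profile:
            continue
        verdict = ev["apparmor"]
        if verdict not in ("ALLOWED", "DENIED"):
            continue  # STATUS lines record profile loads, not mediation decisions
        detail = ev.get("capname") or ev.get("name", "")
        counts[(verdict, ev["operation"], detail)] += 1
    return counts


def still_complaining(log_text, profile):
    """True if ALLOWED events were logged: the profile ran in complain mode and the
    program needed something its rules do not permit."""
    return any(v == "ALLOWED" for (v, _, _) in summarize(log_text, profile))


if __name__ == "__main__":
    for (verdict, op, detail), n in sorted(summarize(SAMPLE_LOG, "/{usr/,}bin/ping").items()):
        print(f"{verdict:8} {op:10} {detail:10} x{n}")
```

On a real system, feed it the output of `dmesg` or the contents of /var/log/kern.log instead of SAMPLE_LOG and pass the profile name exactly as it appears in the log.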