Restricting linux capabilities with AppArmor
Introduction
AppArmor (Application Armor) is a Linux kernel security module that provides mandatory access control (MAC) to restrict the capabilities of programs.
It enforces security policies, known as profiles, that define the file system and network resources a program can access. By confining applications, AppArmor reduces the potential impact of security breaches, limiting the damage a compromised application can cause.
It is known for its ease of use and integration with various Linux distributions, providing a robust layer of defense to enhance system security.
Key Concepts
- Profiles: AppArmor profiles define the permitted and denied actions for an application, enhancing security by restricting programs to a limited set of resources.
- Modes: AppArmor operates in two modes:
- Enforcement: Enforces the rules defined in the profile, blocking any unauthorized actions.
- Complain: Logs unauthorized actions but does not block them, useful for developing and testing profiles.
Profile Components
Capability Entries: Define allowed capabilities (e.g., network access, raw socket usage).Network Rules: Control access to network resources.File access permissions: Specify file and directory access permissions.
#include <tunables/global>
profile /bin/ping {
# Include common safe defaults
#include <abstractions/base>
#include <abstractions/nameservice>
# Allow necessary capabilities
capability net_raw,
capability setuid,
# Allow raw network access
network inet raw,
# File access permissions
/bin/ping ixr,
/etc/modules.conf r,
}
Common Commands
Best Practices
- Least Privilege: Ensure profiles grant the minimum necessary permissions to applications.
- Regular Updates: Keep profiles up to date with application changes and security patches.
- Testing: Use complain mode to test new or modified profiles before enforcing them.
- Monitoring: Regularly check logs for denied actions to identify potential issues or required profile adjustments.
Kubernetes Integration
In Kubernetes, you can enhance pod security by specifying AppArmor profiles within the securityContext of a pod or container.
Pod-Level AppArmor Profile:
To apply an AppArmor profile to all containers in a pod, include the securityContext in the pod specification:
apiVersion: v1
kind: Pod
metadata:
name: apparmor-pod
spec:
securityContext:
appArmorProfile:
type: Localhost
localhostProfile: my-apparmor-profile
containers:
- name: my-container
image: my-image
Container-Level AppArmor Profile:
To apply an AppArmor profile to a specific container, define the securityContext within the container specification:
apiVersion: v1
kind: Pod
metadata:
name: apparmor-pod
spec:
containers:
- name: my-container
image: my-image
securityContext:
appArmorProfile:
type: Localhost
localhostProfile: my-apparmor-profile
Key Points:
- Profile Types:
RuntimeDefault: Uses the container runtime's default AppArmor profile.Localhost: Uses a profile loaded on the host; specify the profile name inlocalhostProfile.-
Unconfined: Runs the container without AppArmor confinement. -
Profile Availability: Ensure the specified AppArmor profiles are loaded on all nodes where the pods might run. You can verify loaded profiles by checking the
/sys/kernel/security/apparmor/profilesfile on each node. -
Kubernetes Version Compatibility: The use of
securityContextfor AppArmor profiles is supported in Kubernetes versions 1.30 and above. For earlier versions, AppArmor profiles are specified through annotations.
By configuring AppArmor profiles within the securityContext, you can effectively manage and enforce security policies for your applications in Kubernetes, enhancing the overall security of your containerized environments.