1
00:00:06,620 --> 00:00:08,900
SELinux is what you use
on Red Hat and family.

2
00:00:09,480 --> 00:00:11,039
On Ubuntu,
it's AppArmor.

3
00:00:11,880 --> 00:00:17,329
You want to know what's going on? Start by using
sudo aa-status; that will show you the current state.

4
00:00:17,829 --> 00:00:21,609
AppArmor profiles are stored in /etc/apparmor.d
and they have a name

5
00:00:21,609 --> 00:00:25,390
that corresponds to the full pathname
of the file that it protects.

6
00:00:26,399 --> 00:00:32,670
Only if an application has an AppArmor profile will it be
protected; otherwise it can do whatever it wants to do.

7
00:00:33,289 --> 00:00:39,179
Now you can use sudo apparmor_parser -a to
load a profile or -r to remove a profile.

8
00:00:40,000 --> 00:00:45,036
sudo aa-genprof is what you use
to generate a profile for a new application.

9
00:00:45,036 --> 00:00:50,073
If you want to temporarily disable a
profile and put it in logging mode so

10
00:00:50,073 --> 00:00:55,109
that you can optimize it, use sudo aa-complain
followed by the name of the profile.

11
00:00:55,850 --> 00:01:01,750
Then you can put it back in enforcing mode
using aa-enforce followed by the name of that profile.

12
00:01:02,990 --> 00:01:04,790
Let me demonstrate
what is going on.

13
00:01:07,290 --> 00:01:10,010
Let me start by
using sudo aa-status.

14
00:01:11,030 --> 00:01:15,329
That's the AppArmor status; it's giving me
information about what is currently going on.

15
00:01:16,269 --> 00:01:20,009
What do we see? Well, we
see all the profiles that are

16
00:01:20,009 --> 00:01:23,750
in enforcing mode. These are
the profiles that are really effective.

17
00:01:24,609 --> 00:01:29,000
So these are the protected services,
and you can see that a

18
00:01:29,000 --> 00:01:33,390
couple of services are there and
many services are also not there.

19
00:01:33,989 --> 00:01:38,159
Now what I would like to do, I
would like to show you how you create your

20
00:01:38,159 --> 00:01:42,329
own profile. And I'm going to do that
in a little bit of a ridiculous way.

21
00:01:43,170 --> 00:01:49,675
I'm going to create a profile for my
favorite editor, vi, so that you can experience the

22
00:01:49,675 --> 00:01:56,180
process and you can tweak it for yourself
if you're interested and get more information about it.

23
00:01:56,799 --> 00:02:01,823
Oh no, I type aa-genprof
and aa-genprof is not found. Okay,

24
00:02:01,823 --> 00:02:06,846
I don't have this package. Let
me use sudo apt search on aa-genprof.

25
00:02:06,846 --> 00:02:11,870
I want to know what to
install to get access to the package.

26
00:02:13,129 --> 00:02:14,610
Ah,
apparmor-utils.

27
00:02:15,150 --> 00:02:20,196
Okay, that works;
so I do apt

28
00:02:20,196 --> 00:02:25,243
install apparmor-utils and
yes, and then

29
00:02:25,243 --> 00:02:30,289
I can
use aa-genprof.

30
00:02:31,289 --> 00:02:34,849
Well, sudo aa-genprof
for vim. I

31
00:02:34,849 --> 00:02:38,409
want to generate
a profile for vim.

32
00:02:38,969 --> 00:02:45,639
Now here is what we need to do. At this point, I need
to leave this screen alone and I need to start using my application.

33
00:02:46,259 --> 00:02:51,199
Now the idea is that in real life you
would use as much as you can about the application.

34
00:02:51,719 --> 00:02:56,634
Now that's not what I'm going to do.
I'm going to keep it very minimal. And

35
00:02:56,634 --> 00:03:01,550
I'm using vim on /etc/motd; there I'm
putting in my message and then I'm done.

36
00:03:02,710 --> 00:03:09,465
Of course, normally I repeat, you want to use
as much functionality as you can but here I just

37
00:03:09,465 --> 00:03:16,219
want to show you how it works. So I'm
okay, and I'm going to scan for AppArmor events.

38
00:03:16,800 --> 00:03:23,314
So I'm using S and then it will find everything that
has happened while using the application. So it has created a file

39
00:03:23,314 --> 00:03:29,829
viminfo.tmp and it's asking me, what do you want? Do
you want to allow that? Yeah, I want to allow that.

40
00:03:30,490 --> 00:03:36,129
And it has done a write operation on /etc/motd.
Yeah, I want to allow that as well.

41
00:03:36,889 --> 00:03:43,523
But before continuing, think about what is happening. If
I'm going to allow that, then I can only write

42
00:03:43,523 --> 00:03:50,156
to /etc/motd; maybe I want to go
for the G option. G is for glob, and glob

43
00:03:50,156 --> 00:03:56,789
means that you allow write access to everything in
the /etc directory. Well, in fact I like that.

44
00:03:57,270 --> 00:04:02,310
And I'm going to select A
for allow to allow the second operation.

45
00:04:03,039 --> 00:04:09,176
Here I'm continuing and I need to allow a
couple more and a couple more and I'm not

46
00:04:09,176 --> 00:04:15,313
even reading anymore. I want to allow as much
as possible to make sure that we are okay.

47
00:04:15,313 --> 00:04:21,449
Now I'm not sure if I'm okay with
home read, am I? Yeah, let's do that.

48
00:04:21,800 --> 00:04:28,579
I want to be able to read everywhere in the home directory.
Now it's done and I can use S to save the changes.

49
00:04:29,459 --> 00:04:34,370
Then I'm using F to
finish and the profile is ready.

50
00:04:34,870 --> 00:04:38,699
/usr/bin/vim.basic. Can
we see that in aa-status?

51
00:04:40,379 --> 00:04:46,884
aa-status | grep -C5 vim, with
the sudo in front of it. Of

52
00:04:46,884 --> 00:04:53,389
course, there we can see that
the vim.basic profile is now active.

53
00:04:53,889 --> 00:05:00,019
I've used the -C5 so that you can see the
five lines before as well as the five lines after.

54
00:05:00,910 --> 00:05:04,860
Now I'm going to use
sudo vim on walt on root.

55
00:05:07,310 --> 00:05:12,585
Hello there. I'm using I for
insert and typing my text and

56
00:05:12,585 --> 00:05:17,860
oh boy, I'm getting "Can't open
file for writing". What is that?

57
00:05:18,100 --> 00:05:20,819
Well, this is the AppArmor
profile doing its work.

58
00:05:21,459 --> 00:05:26,209
Now if you want to know what is
going on then you need to find the profile.

59
00:05:26,949 --> 00:05:32,569
They are in /etc/apparmor.d,
and in /etc/apparmor.d we can

60
00:05:32,569 --> 00:05:38,189
see it right here: we
have usr.bin.vim.basic.

61
00:05:38,990 --> 00:05:44,435
So when I use sudo nano
on usr.bin.vim.basic, then I

62
00:05:44,435 --> 00:05:49,879
can see what is behind this.
And this is the very simple configuration

63
00:05:49,879 --> 00:05:55,324
that allows vim, from now on,
read access to the home directory, read

64
00:05:55,324 --> 00:06:00,769
and write access to anything in the
/etc directory, and a couple more files.

65
00:06:01,410 --> 00:06:02,930
And that is
what you can do.

66
00:06:03,810 --> 00:06:08,793
Now in real life, this would only be
the beginning and you will start tweaking your

67
00:06:08,793 --> 00:06:13,776
profile from here. So you would start using
vim and analyzing what is going on and

68
00:06:13,776 --> 00:06:18,759
modifying your profile until it is really
doing what you want it to do.

69
00:06:19,480 --> 00:06:22,959
And that is how you can
work with AppArmor in a nutshell.
