Add initial draft of AppArmor guide.

1 files changed, 204 insertions, 0 deletions

diff --git a/xml/apparmor.xml b/xml/apparmor.xml
new file mode 100644
index 0000000..032f1f3
--- /dev/null
+++ b/xml/apparmor.xml
@@ -0,0 +1,204 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
+<!-- $Header$ -->
+
+<guide disclaimer="draft" link="apparmor.xml" lang="en">
+<title>Gentoo AppArmor Guide</title>
+
+<author title="Author">
+    <mail link="kensington@gentoo.org">Michael Palimaka</mail>
+</author>
+
+<abstract>
+This guide provides a brief overview of AppArmor, and gives information
+on how to install and configure it on Gentoo.
+</abstract>
+
+<!-- The content of this document is licensed under the CC-BY-SA license -->
+<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
+<license version="3.0"/>
+
+<version>1</version>
+<date>2012-07-10</date>
+
+<chapter>
+<title>Introduction</title>
+
+<section>
+<body>
+<p>
+AppArmor is a Linux Security Module implementation, working around the concept of adding rules to file paths.
+</p>
+<p>
+For each file path you specify, AppArmor will permit it only the permissions you grant.
+</p>
+<pre caption="Sample profile">
+# ------------------------------------------------------------------
+#    Copyright (C) 2002-2009 Novell/SUSE
+#    Copyright (C) 2010 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+# ------------------------------------------------------------------
+
+#include &lt;tunables/global&gt;
+
+/sbin/klogd {
+  #include &lt;abstractions/base&gt;
+
+  capability sys_admin, # for backward compatibility with kernel &lt;= 2.6.37
+  capability syslog,
+
+  network inet stream,
+
+  /boot/System.map*     r,
+  @{PROC}/kmsg          r,
+  @{PROC}/kallsyms      r,
+  /dev/tty              rw,
+
+  /sbin/klogd           rmix,
+  /var/log/boot.msg     rwl,
+  /{,var/}run/klogd.pid    krwl,
+  /{,var/}run/klogd/klogd.pid krwl,
+  /{,var/}run/klogd/kmsg   r,
+}
+</pre>
+</body>
+</section>
+
+</chapter>
+
+<chapter>
+<title>Initial setup</title>
+
+<section>
+<title>Kernel patching</title>
+<body>
+<p>
+From Linux 3.4, improved AppArmor support has been merged into the kernel. For the best experience, however,
+it is recommended to patch your kernel with additional support. Without patching, it will only be possible to activate
+profiles - deactivation, listing, init script etc. will not work.
+</p>
+<p>
+The required patches are included in the AppArmor tarball. If you are using a grsec enabled kernel, such as <c>hardened-sources</c>,
+the patches will not cleanly apply. For convenience, a rebased version of the patches is
+<uri link="https://github.com/kensington/apparmor-grsec/tarball/master">available</uri>.
+</p>
+</body>
+</section>
+
+<section>
+<title>Install utilities</title>
+<body>
+<p>
+The AppArmor userspace utilities currently live in the
+<uri link="http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=summary">Hardened development overlay</uri>.
+You should install layman, and then add the <c>hardened-dev</c> overlay:
+
+<pre caption="Install userspace utilities">
+# <i>layman -a hardened-dev</i>
+# <i>emerge apparmor-utils</i>
+<comment>You will probably also wish to install some profiles to get started:</comment>
+# <i>emerge apparmor-profiles</i>
+</pre>
+
+</p>
+</body>
+</section>
+
+<section>
+<title>Further configuration</title>
+<body>
+<p>
+You may wish to edit the configuation files located in <c>/etc/apparmor</c>, however
+the default values will suit most users.
+</p>
+</body>
+</section>
+
+</chapter>
+
+<chapter>
+<title>Working with profiles</title>
+
+<section>
+<body>
+<p>
+Profiles are stored as simple text files in <c>/etc/apparmor.d</c>. They may take any name, and may be stored
+in subdirectories - you may organise them however it suits you.
+</p>
+
+<pre caption="Sample profile directory listing">
+/etc/apparmor.d $ <i>ls</i>
+abstractions  program-chunks  usr.lib.apache2.mpm-prefork.apache2  usr.lib.dovecot.managesieve-login  usr.sbin.dovecot  usr.sbin.nscd
+apache2.d     sbin.klogd      usr.lib.dovecot.deliver              usr.lib.dovecot.pop3               usr.sbin.identd   usr.sbin.ntpd
+bin.ping      sbin.syslog-ng  usr.lib.dovecot.dovecot-auth         usr.lib.dovecot.pop3-login         usr.sbin.lspci    usr.sbin.smbd
+disable       sbin.syslogd    usr.lib.dovecot.imap                 usr.sbin.avahi-daemon              usr.sbin.mdnsd    usr.sbin.smbldap-useradd
+local         tunables        usr.lib.dovecot.imap-login           usr.sbin.dnsmasq                   usr.sbin.nmbd     usr.sbin.traceroute
+</pre>
+
+<p>
+Profiles are referred to by name, including any parent subdirectories if present.
+</p>
+</body>
+</section>
+
+<section>
+<title>Manual control</title>
+<body>
+
+<p>
+To activate a profile, simply set it to enforce mode.
+<pre caption="Manual profile activation">
+# <i>aa-enforce usr.sbin.dnsmasq</i>
+Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
+</pre>
+</p>
+
+<p>
+Similarly, to deactive a profile, simply set it to complain mode.
+<pre caption="Manual profile deactivation">
+# <i>aa-complain usr.sbin.dnsmasq</i>
+Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode.
+</pre>
+</p>
+
+<p>
+The current status of your profiles may be viewed using <c>aa-status</c>.
+<pre caption="Profile status listing">
+# <i>aa-status</i>
+apparmor module is loaded.
+6 profiles are loaded.
+5 profiles are in enforce mode.
+   /bin/ping
+   /sbin/klogd
+   /sbin/syslog-ng
+   /usr/sbin/dnsmasq
+   /usr/sbin/identd
+1 profiles are in complain mode.
+   /usr/sbin/lspci
+1 processes have profiles defined.
+1 processes are in enforce mode.
+   /usr/sbin/dnsmasq (12905)
+0 processes are in complain mode.
+0 processes are unconfined but have a profile defined.
+</pre>
+</p>
+
+</body>
+</section>
+
+<section>
+<title>Automatic control</title>
+<body>
+<p>
+The provided init script will automatically load all profiles located in your profile directory.
+Unless specifically specified otherwise, each profile will be loaded in enforce mode.
+</p>
+</body>
+</section>
+
+</chapter>
+
+</guide>