Even if you keep your software up to date, you can still be hit by an attack that exploits a vulnerability that is not yet known or for which no fix exists yet.
The idea of AppArmor is to have the kernel limit what a software program can do. In addition to the limitations set by the usual user and group permissions, limitations are imposed based on a set of rules for a specific program.
Often an intruder does not directly gain root privileges. By exploiting a vulnerability in, for instance, a web server, she might be able to start a shell as the user running the web server. With that unprivileged access, she exploits yet another vulnerability in some other software program to gain root access.
With AppArmor, even if an intruder manages to find a vulnerability in some server software, the damage is limited because the intruder may not access any files or execute any programs beyond what the application is allowed by AppArmor's rule set to access or execute in routine operation.
This concept is not limited to normal accounts; it also limits to a certain extent what an application running with root privileges may do. A confined process cannot call certain system calls, even if running as root. Thus even if an attacker gained root privileges, she would still be limited in what she might be able to do.
The AppArmor kernel modules (apparmor and aamatch_pcre) hook into the Linux Security Modules Framework of the kernel.
Profiles in /etc/apparmor.d/ are used to configure which application may access and execute which files.
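As an added illustration (not from the original article or from any shipped AppArmor profile), a minimal profile for a hypothetical web server binary at /usr/sbin/example-httpd; all paths and the service name are assumptions. It shows the pattern the rule set follows: list only the files, capabilities and executables the server needs in routine operation, and everything else is refused by the kernel even when the process runs as root.

```apparmor
# Added example profile, not part of the original article.
# Confines a hypothetical web server at /usr/sbin/example-httpd (path assumed).
#include <tunables/global>

/usr/sbin/example-httpd {
  # Common read-only access to shared libraries, locale data and name resolution.
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # The only privilege a root-started web server needs: binding port 80/443.
  # No other capability is granted, so root inside this profile cannot, for
  # example, load kernel modules or change file ownership.
  capability net_bind_service,
  network inet stream,
  network inet6 stream,

  # The binary itself: map (m) and read (r), as the loader requires.
  /usr/sbin/example-httpd mr,

  # Read its own configuration and the document root, nothing else.
  /etc/example-httpd/** r,
  /srv/www/htdocs/** r,

  # Write only to its own log directory and PID file.
  /var/log/example-httpd/*.log w,
  /run/example-httpd.pid rw,

  # Explicit deny rules take precedence over any allow rule, including ones
  # pulled in from abstractions, so a subverted request handler cannot launch
  # a shell or interpreter even if a later include would otherwise permit it.
  deny /bin/** x,
  deny /usr/bin/** x,

  # Anything not listed (e.g. /etc/shadow, /home/**) is denied by default and
  # the attempt is logged by the kernel for later review.
}
```

Load it with apparmor_parser in complain mode first, review the logged "ALLOWED" events, and only then switch the profile to enforce mode.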