AppArmor knows four different types of profiles: standard profiles, unattached profiles, local profiles and hats. Standard and unattached profiles are stand-alone profiles, each stored in a file under /etc/apparmor.d/. Local profiles and hats are children profiles embedded inside of a parent profile used to provide tighter or alternate confinement for a subtask of an application.
The default AppArmor profile is attached to a program by its name, so a profile name has to match the path to the application it is to confine.
/usr/bin/foo {
...
}
This profile will be automatically used whenever an unconfined process executes /usr/bin/foo.
Unattached profiles do not reside in the file system namespace and therefore are not automatically attached to an application. The name of an unattached profile is preceded by the keyword profile. You can freely choose a profile name, except for the following limitations: the name must not begin with a : or . character. If it contains whitespace, it must be quoted. If the name begins with a /, the profile is considered to be a standard profile, so the following two profiles are identical:
profile /usr/bin/foo {
...
}
/usr/bin/foo {
...
}
Unattached profiles are never used automatically, nor can they be transitioned to through a px rule. They need to be attached to a program by either using a named profile transition (see Section 2.8.7, Named Profile Transitions) or with the change_profile rule (see Section 2.2.5, Change rules).
Unattached profiles are useful for specialized profiles for system utilities that generally should not be confined by a system wide profile (for example, /bin/bash). They can also be used to set up roles or to confine a user.
Local profiles provide a convenient way to provide specialized confinement for utility programs launched by a confined application. They are specified just like standard profiles except they are embedded in a parent profile and begin with the profile keyword:
/parent/profile {
...
profile local/profile {
...
}
}
To transition to a local profile, either use a cx rule (see Section 2.8.2, Discrete Local Profile Execute Mode (cx)) or a named profile transition (see Section 2.8.7, Named Profile Transitions).
AppArmor "hats" are a local profiles with some additional restrictions and an implicit rule allowing for change_hat to be used to transition to them. Refer to Section 6.0, Profiling Your Web Applications Using ChangeHat for a detailed description.
AppArmor provides change_hat and change_profile rules that control domain transitioning. change_hat are specified by defining hats in a profile, while change_profile rules refer to another profile and start with the keyword change_profile:
change_profile /usr/bin/foobar,
Both change_hat and change_profile provide for an application directed profile transition, without having to launch a separate application. change_profile provides a generic one way transition between any of the loaded profiles. change_hat provides for a returnable parent child transition where an application can switch from the parent profile to the hat profile and if it provides the correct secret key return to the parent profile at a later time.
change_profile is best used in situations where an application goes through a trusted setup phase and then can lower its privilege level. Any resources mapped or opened during the start-up phase may still be accessible after the profile change, but the new profile will restrict the opening of new resources, and will even limit some of the resources opened before the switch. Specifically memory resources will still be available while capability and file resources (as long as they are not memory mapped) can be limited.
change_hat is best used in situations where an applications runs a virtual machine or an interpreter that does not provide direct access to the applications resources (e.g. Apache's mod_php). Since change_hat stores the return secret key in the application's memory the phase of reduced privilege should not have direct access to memory. It is also important that file access is properly separated, since the hat can restrict accesses to a file handle but does not close it. If an application does buffering and provides access to the open files with buffering, the accesses to these files may not be seen by the kernel and hence not restricted by the new profile.
WARNING: Safety of Domain Transitions
The change_hat and change_profile domain transitions are less secure than a domain transition done through an exec because they do not affect a processes memory mappings, nor do they close resources that have already been opened.