开发学院服务器云计算 Linux Security Framework －－ Apparmor机制介绍... 阅读

Linux Security Framework －－ Apparmor机制介绍

　2012-09-05 09:54:22　来源：WEB开发网　　　

核心提示：（2）通过工具来管理profile，比较著名是：apparmor-utils，Linux Security Framework －－ Apparmor机制介绍(2)，通过如下命令进行安装：sudo apt-get install apparmor-utils此工具最常用的两个命令为：aa-genprof和aa-logp

（2）通过工具来管理profile，比较著名是：apparmor-utils，通过如下命令进行安装：

sudo apt-get install apparmor-utils
此工具最常用的两个命令为：aa-genprof和aa-logprof，前者用来生成profile文件，后者用来查询处于apparmor的日志记录。
再看一个手工编写的profile，熟悉下其语法格式，如果想更详细的学习，参见具体的讲解profile语法格式的文档，如：http://ubuntuforums.org/showthread.php?t=1008906。

#include <tunables/global>
/usr/bin/kopete { //需要限制的应用程序的名称
#include <abstractions/X>
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/kde>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
//限制其在对家目录下几个文件的读写权限
deny @{HOME}/.bash* rw,
deny @{HOME}/.cshrc rw,
deny @{HOME}/.profile rw,
deny @{HOME}/.ssh/* rw,
deny @{HOME}/.zshrc rw,
//对以下文件具有读、写、或可执行的权限
/etc/X11/cursors/oxy-white.theme r,
/etc/default/apport r,
/etc/kde4/* r,
/etc/kde4rc r,
/etc/kderc r,
/etc/security/* r,
/etc/ssl/certs/* r,
owner /home/*/ r,
/opt/firefox/firefox.sh Px,
/usr/bin/convert rix,
/usr/bin/kde4 rix,
/usr/bin/kopete r,
/usr/bin/kopete_latexconvert.sh rix,
/usr/bin/launchpad-integration ix,
/usr/bin/xdg-open mrix,
/usr/lib/firefox*/firefox.sh Px,
/usr/lib/kde4/**.so mr,
/usr/lib/kde4/libexec/drkonqi ix,
/usr/share/emoticons/ r,
/usr/share/emoticons/** r,
/usr/share/enchant/** r,
/usr/share/kde4/** r,
/usr/share/kubuntu-default-settings/** r,
/usr/share/locale-langpack/** r,
/usr/share/myspell/** r,
owner @{HOME}/.config/** rwk,
owner @{HOME}/.kde/** rwlk,
owner @{HOME}/.local/share/mime/** r,
owner @{HOME}/.thumbnails/** rw,
owner @{HOME}/Downloads/ rw,
owner @{HOME}/Downloads/** rw,
}
语法介绍：

r = read
w = write
l = link
k = lock
a = append

ix = inherit = Inherit the parent's profile.
px = requires a separate profile exists for the application, with environment scrubbing.
Px = requires a separate profile exists for the application, without environment scrubbing.
ux and Ux = Allow execution of an application unconfined, with and without environmental scrubbing. (use with caution if at all).
m = allow executable mapping.

上一页 1 2