========
AppArmor
========

What is AppArmor?
=================

AppArmor is a MAC-style security extension for the Linux kernel. It implements
a task-centered policy, with task "profiles" being created and loaded
from user space. Tasks on the system that do not have a profile defined for
them run in an unconfined state, which is equivalent to standard Linux DAC
permissions.

How to enable/disable
=====================

Set ``CONFIG_SECURITY_APPARMOR=y``.

If AppArmor should be selected as the default security module, then set::

   CONFIG_DEFAULT_SECURITY="apparmor"
   CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1

Build the kernel.

If AppArmor is not the default security module, it can be enabled by passing
``security=apparmor`` on the kernel's command line.

If AppArmor is the default security module, it can be disabled by passing
``apparmor=0, security=XXXX`` (where ``XXXX`` is a valid security module) on the
kernel's command line.

For AppArmor to enforce any restrictions beyond standard Linux DAC permissions,
policy must be loaded into the kernel from user space (see the Documentation
and tools links).

Documentation
=============

Documentation can be found on the wiki, linked below.

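
The check below is an added example, not part of the original kernel documentation: it classifies a host as having AppArmor absent, disabled, enabled without policy (every task unconfined, DAC only), or enforcing. It assumes the kernel-exported files ``/sys/module/apparmor/parameters/enabled`` and ``/sys/kernel/security/apparmor/profiles``, which this page does not name; the function names, the ``ROOT`` prefix argument and the sample tree are hypothetical and constructed for the example.

```shell
#!/bin/sh
# Added example (not from the kernel documentation).
# aa_state [ROOT] prints one of:
#   absent         AppArmor is not present in the running kernel
#   disabled       present but switched off at boot
#   unknown        enabled, but the profile list is not readable
#   no-policy      enabled with zero profiles: every task is unconfined (DAC only)
#   not-enforcing  profiles loaded, none in enforce mode
#   enforce:N      N profiles in enforce mode
# ROOT is a hypothetical prefix so the check can run on a copied or constructed tree.
aa_state() {
    root=${1:-}
    enabled_file="$root/sys/module/apparmor/parameters/enabled"
    profiles_file="$root/sys/kernel/security/apparmor/profiles"

    [ -r "$enabled_file" ] || { echo absent; return 0; }
    [ "$(cat "$enabled_file")" = "Y" ] || { echo disabled; return 0; }
    [ -r "$profiles_file" ] || { echo unknown; return 0; }

    # Each line of the profiles file is "<profile name> (<mode>)".
    total=$(grep -c . "$profiles_file" || true)
    enforcing=$(grep -c '(enforce)$' "$profiles_file" || true)

    if [ "$total" -eq 0 ]; then
        echo no-policy
    elif [ "$enforcing" -eq 0 ]; then
        echo not-enforcing
    else
        echo "enforce:$enforcing"
    fi
}

# Constructed sample tree (not from a real host): enabled, one of two profiles enforcing.
aa_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sys/module/apparmor/parameters" "$d/sys/kernel/security/apparmor"
    echo Y > "$d/sys/module/apparmor/parameters/enabled"
    printf '%s\n' '/usr/sbin/cupsd (enforce)' '/usr/bin/man (complain)' \
        > "$d/sys/kernel/security/apparmor/profiles"
    echo "$d"
}

sample=$(aa_sample_tree)
echo "constructed sample: $(aa_state "$sample")"
rm -rf "$sample"
```

Called with no argument, ``aa_state`` inspects the live system; run it as root so the profile list under securityfs is readable.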

Links
=====

Mailing List - apparmor@lists.ubuntu.com

Wiki - http://wiki.apparmor.net

User space tools - https://gitlab.com/apparmor

Kernel module - git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor