Ubuntu 22.04

AppArmor : प्रोफ़ाइल सक्षम/अक्षम करें
2023/09/20

 
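प्रत्येक AppArmor प्रोफ़ाइल को अलग-अलग सक्षम या अक्षम किया जा सकता है, इसलिए जिस प्रोफ़ाइल की आवश्यकता नहीं है उसे अक्षम करना संभव है। प्रोफ़ाइल अक्षम करने पर उस प्रोग्राम पर AppArmor की पाबंदियाँ लागू नहीं रहतीं; यदि केवल किसी समस्या की जाँच करनी हो तो प्रोफ़ाइल को अक्षम करने के बजाय [complain] मोड (aa-complain) में रखें, ताकि उल्लंघन लॉग होते रहें।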
[1] एक पैकेज स्थापित करें जिसमें AppArmor सेटिंग्स के लिए उपकरण शामिल हों।
root@dlp:~#
apt -y install apparmor-utils
[2] उस प्रोफ़ाइल को अक्षम करें जो वर्तमान में लोड है।
root@dlp:~#
aa-status

apparmor module is loaded.
13 profiles are loaded.
13 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   tcpdump
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

# प्रत्येक प्रोफ़ाइल के लिए कॉन्फ़िगरेशन फ़ाइलें नीचे दी गई निर्देशिका के अंतर्गत हैं

root@dlp:~#
ll /etc/apparmor.d

total 92
drwxr-xr-x  8 root root  4096 Dec 15 15:53 ./
drwxr-xr-x 97 root root  4096 Dec 15 11:14 ../
drwxr-xr-x  2 root root  4096 Sep 19 12:51 abi/
drwxr-xr-x  4 root root 12288 Sep 19 12:51 abstractions/
drwxr-xr-x  2 root root  4096 Dec 15 15:43 disable/
drwxr-xr-x  2 root root  4096 Mar 10  2022 force-complain/
drwxr-xr-x  2 root root  4096 Sep 19 12:51 local/
-rw-r--r--  1 root root  1339 Mar 10  2022 lsb_release
-rw-r--r--  1 root root  1189 Mar 10  2022 nvidia_modprobe
-rw-r--r--  1 root root  3461 Jul 19 16:54 sbin.dhclient
drwxr-xr-x  5 root root  4096 Sep 19 12:51 tunables/
-rw-r--r--  1 root root  3465 Dec 15 15:53 usr.bin.man
-rw-r--r--  1 root root  1421 Jun 21  2021 usr.bin.tcpdump
-rw-r--r--  1 root root 28486 Nov 28 13:53 usr.lib.snapd.snap-confine.real
-rw-r--r--  1 root root  1592 Nov 16  2021 usr.sbin.rsyslogd

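# उदाहरण के लिए, [/usr/bin/man] को अक्षम करें
# (नीचे के आउटपुट में इसके साथ [man_filter] और [man_groff] भी सूची से हट जाते हैं, इसलिए लोड की गई प्रोफ़ाइलों की संख्या 13 से 10 हो जाती है)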

root@dlp:~#
aa-disable /usr/bin/man

Disabling /usr/bin/man.
root@dlp:~#
aa-status

apparmor module is loaded.
10 profiles are loaded.
10 profiles are in enforce mode.
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
   tcpdump
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

# अक्षम प्रोफ़ाइल के लिए नीचे दी गई निर्देशिका में एक सिम्बॉलिक लिंक बनाया जाता है (लिंक [/etc/apparmor.d] में मौजूद मूल प्रोफ़ाइल फ़ाइल की ओर इंगित करता है)

root@dlp:~#
ll /etc/apparmor.d/disable

total 8
drwxr-xr-x 2 root root 4096 Dec 15 13:14 ./
drwxr-xr-x 8 root root 4096 Dec  8 10:33 ../
lrwxrwxrwx 1 root root   27 Dec 15 13:14 usr.bin.man -> /etc/apparmor.d/usr.bin.man
lrwxrwxrwx 1 root root   33 Apr 21  2022 usr.sbin.rsyslogd -> /etc/apparmor.d/usr.sbin.rsyslogd
[3] वर्तमान में अक्षम प्रोफ़ाइल को सक्षम करें।
root@dlp:~#
aa-status

apparmor module is loaded.
10 profiles are loaded.
10 profiles are in enforce mode.
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
   tcpdump
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

# उदाहरण के लिए, [/usr/bin/man] को [enforce] मोड में सक्षम करें
# [enforce] मोड : केवल उन्हीं कार्रवाइयों की अनुमति है जो प्रोफ़ाइल में परिभाषित हैं
# [complain] मोड : प्रोफ़ाइल का उल्लंघन करने वाली कार्रवाइयां लॉग की जाती हैं, लेकिन उन्हें रोका नहीं जाता
# पहले से चल रही प्रक्रियाओं पर प्रोफ़ाइल लागू करने के लिए उन्हें पुनः आरंभ करना पड़ता है

root@dlp:~#
aa-enforce /usr/bin/man

Setting /usr/bin/man to enforce mode.
root@dlp:~#
aa-status

apparmor module is loaded.
13 profiles are loaded.
13 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   tcpdump
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.