Wilders Security Forums  

#26
March 12th, 2012, 02:42 AM
Hungry Man
Re: Anyone using Apparmor?

Yeah I do that every time.
#27
March 12th, 2012, 02:49 AM
x942
Re: Anyone using Apparmor?

Try doing a:

Code:
cat /var/log/syslog | grep 'apparmor' > ./apparmor.log
and posting the output to compare to mine.

Mine is at: http://www.box.com/s/9y55lmpb4djj9a7z95ec
It's too big to post apparently.

EDIT: should have done this:

Code:
cat /var/log/syslog | grep 'chromium' > ./apparmor.log

(I used google-chrome in place of chromium though)
Mine shows:
Code:
Mar 11 22:28:58 AccessDenied kernel: [25765.866882] type=1400 audit(1331530138.590:115): apparmor="STATUS" operation="profile_load" name="/opt/google/chrome/google-chrome" pid=15984 comm="apparmor_parser"
Mar 11 22:29:17 AccessDenied kernel: [25784.398009] type=1400 audit(1331530157.130:116): apparmor="STATUS" operation="profile_replace" name="/opt/google/chrome/google-chrome" pid=15998 comm="apparmor_parser"
Mar 11 22:31:29 AccessDenied kernel: [25917.167672] type=1400 audit(1331530289.978:117): apparmor="STATUS" operation="profile_replace" name="/opt/google/chrome/google-chrome" pid=16216 comm="apparmor_parser"
Mar 11 22:34:07 AccessDenied kernel: [26075.032137] type=1400 audit(1331530447.938:118): apparmor="ALLOWED" operation="open" parent=1 profile="/opt/google/chrome/google-chrome" name="/dev/tty" pid=16265 comm="google-chrome" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
Mar 11 22:34:07 AccessDenied kernel: [26075.034179] type=1400 audit(1331530447.938:119): apparmor="ALLOWED" operation="open" parent=1 profile="/opt/google/chrome/google-chrome" name="/opt/google/chrome/google-chrome" pid=16265 comm="google-chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:34:07 AccessDenied kernel: [26075.035414] type=1400 audit(1331530447.942:120): apparmor="ALLOWED" operation="exec" parent=16265 profile="/opt/google/chrome/google-chrome" name="/bin/readlink" pid=16266 comm="google-chrome" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/opt/google/chrome/google-chrome//null-28"
Mar 11 22:34:07 AccessDenied kernel: [26075.035795] type=1400 audit(1331530447.942:121): apparmor="ALLOWED" operation="open" parent=16265 profile="/opt/google/chrome/google-chrome//null-28" name="/etc/ld.so.cache" pid=16266 comm="readlink" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:34:07 AccessDenied kernel: [26075.035817] type=1400 audit(1331530447.942:122): apparmor="ALLOWED" operation="getattr" parent=16265 profile="/opt/google/chrome/google-chrome//null-28" name="/etc/ld.so.cache" pid=16266 comm="readlink" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:34:07 AccessDenied kernel: [26075.035881] type=1400 audit(1331530447.942:123): apparmor="ALLOWED" operation="open" parent=16265 profile="/opt/google/chrome/google-chrome//null-28" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16266 comm="readlink" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:34:07 AccessDenied kernel: [26075.035913] type=1400 audit(1331530447.942:124): apparmor="ALLOWED" operation="getattr" parent=16265 profile="/opt/google/chrome/google-chrome//null-28" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16266 comm="readlink" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:34:07 AccessDenied kernel: [26075.035946] type=1400 audit(1331530447.942:125): apparmor="ALLOWED" operation="file_mmap" parent=16265 profile="/opt/google/chrome/google-chrome//null-28" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16266 comm="readlink" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
Mar 11 22:34:07 AccessDenied kernel: [26075.036173] type=1400 audit(1331530447.942:126): apparmor="ALLOWED" operation="file_mprotect" parent=16265 profile="/opt/google/chrome/google-chrome//null-28" name="/bin/readlink" pid=16266 comm="readlink" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:37:24 AccessDenied kernel: [26271.387865] type=1400 audit(1331530644.410:2460): apparmor="STATUS" operation="profile_replace" name="/opt/google/chrome/google-chrome" pid=16316 comm="apparmor_parser"
Mar 11 22:41:32 AccessDenied kernel: [26519.326736] type=1400 audit(1331530892.494:2461): apparmor="ALLOWED" operation="exec" parent=16338 profile="/opt/google/chrome/google-chrome" name="/usr/bin/dirname" pid=16340 comm="google-chrome" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/opt/google/chrome/google-chrome//null-32"
Mar 11 22:41:32 AccessDenied kernel: [26519.327119] type=1400 audit(1331530892.494:2462): apparmor="ALLOWED" operation="open" parent=16338 profile="/opt/google/chrome/google-chrome//null-32" name="/etc/ld.so.cache" pid=16340 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:41:32 AccessDenied kernel: [26519.327142] type=1400 audit(1331530892.494:2463): apparmor="ALLOWED" operation="getattr" parent=16338 profile="/opt/google/chrome/google-chrome//null-32" name="/etc/ld.so.cache" pid=16340 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:41:32 AccessDenied kernel: [26519.327203] type=1400 audit(1331530892.494:2464): apparmor="ALLOWED" operation="open" parent=16338 profile="/opt/google/chrome/google-chrome//null-32" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16340 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:41:32 AccessDenied kernel: [26519.327234] type=1400 audit(1331530892.494:2465): apparmor="ALLOWED" operation="getattr" parent=16338 profile="/opt/google/chrome/google-chrome//null-32" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16340 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:41:32 AccessDenied kernel: [26519.327262] type=1400 audit(1331530892.494:2466): apparmor="ALLOWED" operation="file_mmap" parent=16338 profile="/opt/google/chrome/google-chrome//null-32" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16340 comm="dirname" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
Mar 11 22:41:32 AccessDenied kernel: [26519.327468] type=1400 audit(1331530892.494:2467): apparmor="ALLOWED" operation="file_mprotect" parent=16338 profile="/opt/google/chrome/google-chrome//null-32" name="/usr/bin/dirname" pid=16340 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:41:32 AccessDenied kernel: [26519.327498] type=1400 audit(1331530892.494:2468): apparmor="ALLOWED" operation="file_mprotect" parent=16338 profile="/opt/google/chrome/google-chrome//null-32" name="/lib/i386-linux-gnu/ld-2.13.so" pid=16340 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:41:32 AccessDenied kernel: [26519.327756] type=1400 audit(1331530892.494:2469): apparmor="ALLOWED" operation="open" parent=16338 profile="/opt/google/chrome/google-chrome//null-32" name="/usr/lib/locale/locale-archive" pid=16340 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:42:04 AccessDenied kernel: [26551.133260] type=1400 audit(1331530924.318:4580): apparmor="ALLOWED" operation="exec" parent=16401 profile="/opt/google/chrome/google-chrome" name="/usr/bin/dirname" pid=16403 comm="google-chrome" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/opt/google/chrome/google-chrome//null-3b"
Mar 11 22:42:04 AccessDenied kernel: [26551.133630] type=1400 audit(1331530924.318:4581): apparmor="ALLOWED" operation="open" parent=16401 profile="/opt/google/chrome/google-chrome//null-3b" name="/etc/ld.so.cache" pid=16403 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:42:04 AccessDenied kernel: [26551.133653] type=1400 audit(1331530924.318:4582): apparmor="ALLOWED" operation="getattr" parent=16401 profile="/opt/google/chrome/google-chrome//null-3b" name="/etc/ld.so.cache" pid=16403 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:42:04 AccessDenied kernel: [26551.133714] type=1400 audit(1331530924.318:4583): apparmor="ALLOWED" operation="open" parent=16401 profile="/opt/google/chrome/google-chrome//null-3b" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16403 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:42:04 AccessDenied kernel: [26551.133744] type=1400 audit(1331530924.318:4584): apparmor="ALLOWED" operation="getattr" parent=16401 profile="/opt/google/chrome/google-chrome//null-3b" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16403 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:42:04 AccessDenied kernel: [26551.133773] type=1400 audit(1331530924.318:4585): apparmor="ALLOWED" operation="file_mmap" parent=16401 profile="/opt/google/chrome/google-chrome//null-3b" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16403 comm="dirname" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
Mar 11 22:42:04 AccessDenied kernel: [26551.133974] type=1400 audit(1331530924.318:4586): apparmor="ALLOWED" operation="file_mprotect" parent=16401 profile="/opt/google/chrome/google-chrome//null-3b" name="/usr/bin/dirname" pid=16403 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:42:04 AccessDenied kernel: [26551.134003] type=1400 audit(1331530924.318:4587): apparmor="ALLOWED" operation="file_mprotect" parent=16401 profile="/opt/google/chrome/google-chrome//null-3b" name="/lib/i386-linux-gnu/ld-2.13.so" pid=16403 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:42:04 AccessDenied kernel: [26551.134258] type=1400 audit(1331530924.318:4588): apparmor="ALLOWED" operation="open" parent=16401 profile="/opt/google/chrome/google-chrome//null-3b" name="/usr/lib/locale/locale-archive" pid=16403 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:42:04 AccessDenied kernel: [26551.134280] type=1400 audit(1331530924.318:4589): apparmor="ALLOWED" operation="getattr" parent=16401 profile="/opt/google/chrome/google-chrome//null-3b" name="/usr/lib/locale/locale-archive" pid=16403 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Last edited by x942 : March 12th, 2012 at 02:58 AM.
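A small parser for the kernel audit lines in the post above, added here as an example and not code from the thread: it collates the records per profile into candidate rules in the way aa-logprof does in outline, attributes accesses made inside the transient `//null-NN` child profiles back to the parent, and generalises PID-specific `/proc` paths. The sample lines are constructed to match the post's format (most are copied from it; the `DENIED` line is made up to show what the same event looks like in enforce mode).

```python
"""Collate AppArmor kernel audit records (type=1400 lines) into candidate
profile rules. Added example, not tooling from the thread."""
import re
from collections import Counter, defaultdict

# key="quoted value" or key=bareword; the audit(...) stamp has no '=' and is skipped.
TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# /proc/<pid>/... is process-specific; a profile wants /proc/*/... instead.
PID_DIR_RE = re.compile(r'^/proc/\d+/')
# In complain mode an exec with no matching rule lands in a "//null-NN" child.
NULL_CHILD_RE = re.compile(r'//null-[0-9a-f]+$')
MASK_ORDER = 'mrwalk'

# Constructed sample: first five lines copied from the post, last one made up.
SAMPLE_LOG = """\
Mar 11 22:34:07 AccessDenied kernel: [26075.032137] type=1400 audit(1331530447.938:118): apparmor="ALLOWED" operation="open" parent=1 profile="/opt/google/chrome/google-chrome" name="/dev/tty" pid=16265 comm="google-chrome" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
Mar 11 22:34:07 AccessDenied kernel: [26075.035414] type=1400 audit(1331530447.942:120): apparmor="ALLOWED" operation="exec" parent=16265 profile="/opt/google/chrome/google-chrome" name="/bin/readlink" pid=16266 comm="google-chrome" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/opt/google/chrome/google-chrome//null-28"
Mar 11 22:34:07 AccessDenied kernel: [26075.035795] type=1400 audit(1331530447.942:121): apparmor="ALLOWED" operation="open" parent=16265 profile="/opt/google/chrome/google-chrome//null-28" name="/etc/ld.so.cache" pid=16266 comm="readlink" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:34:07 AccessDenied kernel: [26075.035946] type=1400 audit(1331530447.942:125): apparmor="ALLOWED" operation="file_mmap" parent=16265 profile="/opt/google/chrome/google-chrome//null-28" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16266 comm="readlink" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
Mar 11 22:37:24 AccessDenied kernel: [26271.387865] type=1400 audit(1331530644.410:2460): apparmor="STATUS" operation="profile_replace" name="/opt/google/chrome/google-chrome" pid=16316 comm="apparmor_parser"
Mar 11 22:41:32 AccessDenied kernel: [26519.330000] type=1400 audit(1331530892.500:2470): apparmor="DENIED" operation="open" parent=16338 profile="/opt/google/chrome/google-chrome" name="/proc/16340/status" pid=16340 comm="google-chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""


def parse_line(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor=' not in line:
        return None
    return {k: q or b for k, q, b in TOKEN_RE.findall(line)}


def generalise_path(path):
    """Replace a process-specific /proc/<pid>/ prefix with /proc/*/."""
    return PID_DIR_RE.sub('/proc/*/', path)


def parent_profile(profile):
    """Strip a //null-NN suffix: once the exec gets an 'ix' rule the child
    inherits the parent profile, so its accesses belong in the parent."""
    return NULL_CHILD_RE.sub('', profile)


def collate(log_text):
    """Return ({profile: {path: set of mask letters}}, Counter of apparmor= outcomes)."""
    rules = defaultdict(lambda: defaultdict(set))
    outcomes = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        # ALLOWED with a denied_mask = complain mode: logged, not blocked.
        # DENIED = enforce mode: the access was actually refused.
        outcomes[f['apparmor']] += 1
        if 'profile' not in f or 'requested_mask' not in f:
            continue  # STATUS records (profile_load/replace) carry no access
        prof = parent_profile(f['profile'])
        rules[prof][generalise_path(f['name'])].update(f['requested_mask'])
    return rules, outcomes


def format_mask(letters):
    """Order mask letters the way profiles are usually written."""
    mask = ''.join(c for c in MASK_ORDER if c in letters)
    if 'x' in letters:
        mask += 'ix'  # inherit the caller's profile; Px/Cx would confine it separately
    return mask


def candidate_rules(rules):
    """Render the collated accesses as one AppArmor rule per path, per profile."""
    return {prof: [f'{path} {format_mask(m)},' for path, m in sorted(paths.items())]
            for prof, paths in rules.items()}


if __name__ == '__main__':
    collated, counts = collate(SAMPLE_LOG)
    print('outcomes:', dict(counts))
    for prof, lines in candidate_rules(collated).items():
        print(f'{prof} {{')
        for rule in lines:
            print('  ' + rule)
        print('}')
```

Pipe the output of the grep above into it (`grep apparmor /var/log/syslog | python3 collate.py` with `SAMPLE_LOG` replaced by `sys.stdin.read()`) to get a starting rule set; the `ix` candidates still need a decision on whether `Px` or `Cx` is the safer transition.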
#28
March 12th, 2012, 03:00 AM
Hungry Man
Re: Anyone using Apparmor?

The logs are virtually identical save for my renderer profile. I've tried disabling, reloading all profiles, enabling the sandbox, reloading again, and then starting but the problem persists.

Still... I'm fairly satisfied. A rogue tab won't be protected by apparmor but the renderer is, which is satisfactory. The typical linux sandbox alone is at least powerful enough to stop an exploit. With seccomp on top of that I really don't see Chrome as a viable attack surface. I'd be much more worried about Java but Apparmor works with it and it's OpenJDK.

Actually, the one thing I haven't got covered up is Flash. Though if it runs as a chrome process maybe I do? Not sure.
#29
March 12th, 2012, 03:09 AM
x942
Re: Anyone using Apparmor?

Quote:
Originally Posted by Hungry Man
The logs are virtually identical save for my renderer profile. I've tried disabling, reloading all profiles, enabling the sandbox, reloading again, and then starting but the problem persists.

Still... I'm fairly satisfied. A rogue tab won't be protected by apparmor but the renderer is, which is satisfactory. The typical linux sandbox alone is at least powerful enough to stop an exploit. With seccomp on top of that I really don't see Chrome as a viable attack surface. I'd be much more worried about Java but Apparmor works with it and it's OpenJDK.

Actually, the one thing I haven't got covered up is Flash. Though if it runs as a chrome process maybe I do? Not sure.

How does it break exactly? Not starting at all?

Yeah that should be plenty, I mean you have chrome chroot sandbox + apparmor on the renderer + seccomp should be fine against 99.9% of exploits out there.

I always use OpenJDK just because it's open so hoping it gets audited more. I also have apparmor protecting it. If it wasn't for libreoffice and minecraft I would just uninstall it altogether.

Flash should be covered, again I'm not sure because on windows it used to only sandbox the bundled flash and not the external flash plugin. I know you should be able to use apparmor on it though if you created a profile, I did this with SELinux on Fedora so I can't see why apparmor wouldn't work.

Something I just remembered is
Code:
sudo update-rc.d apparmor defaults
to return to defaults. But I don't know if you want to do it now.
#30
March 12th, 2012, 03:26 AM
Hungry Man
Re: Anyone using Apparmor?

Quote:
How does it break exactly? Not starting at all?
Click - nothing happens.

Quote:
Yeah that should be plenty, I mean you have chrome chroot sandbox + apparmor on the renderer + seccomp should be fine against 99.9% of exploits out there.
Honestly, yeah. It's not like there are any exploits in the wild for the seccomp sandbox - it's not enabled by default and it's rarely used in linux. I doubt a single exploit out there takes it into account. Under a targeted attack they'd really have their work cut out for them.

Quote:
I always use OpenJDK just because it's open so hoping it gets audited more. I also have apparmor protecting it. If it wasn't for libreoffice and minecraft I would just uninstall it altogether.

Flash should be covered, again I'm not sure because on windows it used to only sandbox the bundled flash and not the external flash plugin. I know you should be able to use apparmor on it though if you created a profile, I did this with SELinux on Fedora so I can't see why apparmor wouldn't work.
I'll look into a flash sandbox. If it runs in a plugin process I have to create a new profile.
#31
March 15th, 2012, 05:01 PM
Hungry Man
Re: Anyone using Apparmor?

EDIT: Success or so it would seem. I've got Google Chrome running in a really convoluted sandbox that I will likely scrap and recreate at a later time lol

EDIT2: Removed the really overly complex Chrome profile. I'm keeping the Java plugin profile though. I'll just add a renderer apparmor sandbox I think and leave it at that.

The goal right now is to convert the Chromium renderer profile:

Quote:
#include <tunables/global>
/dev/chromium/chrome/Hammer/chrome-renderer {
#include <abstractions/base>
#include <abstractions/fonts>
/proc/** r,
/dev/shm/** rwk,
/dev/chromium/chrome/Hammer/** r,
network,
}
to a Chrome renderer profile. I'm just not familiar with linux enough to do it lol

Last edited by Hungry Man : March 15th, 2012 at 06:56 PM.
#32
March 15th, 2012, 08:58 PM
x942
Re: Anyone using Apparmor?

Quote:
Originally Posted by Hungry Man
EDIT: Success or so it would seem. I've got Google Chrome running in a really convoluted sandbox that I will likely scrap and recreate at a later time lol

EDIT2: Removed the really overly complex Chrome profile. I'm keeping the Java plugin profile though. I'll just add a renderer apparmor sandbox I think and leave it at that.

The goal right now is to convert the Chromium renderer profile:


to a Chrome renderer profile. I'm just not familiar with linux enough to do it lol


This is what I got:
Code:
#include <tunables/global>
/opt/google/chrome/google-chrome flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  /bin/bash ix,
  /opt/google/chrome/google-chrome r,
  ^null-39 flags=(complain) {
    /etc/ld.so.cache r,
    /lib/libc-2.10.1.so mr,
    /usr/lib/gconv/gconv-modules.cache r,
    /usr/lib/locale/pt_BR.utf8/LC_ADDRESS r,
    /usr/lib/locale/pt_BR.utf8/LC_COLLATE r,
    /usr/lib/locale/pt_BR.utf8/LC_CTYPE r,
    /usr/lib/locale/pt_BR.utf8/LC_IDENTIFICATION r,
    /usr/lib/locale/pt_BR.utf8/LC_MEASUREMENT r,
    /usr/lib/locale/pt_BR.utf8/LC_MESSAGES/SYS_LC_MESSAGES r,
    /usr/lib/locale/pt_BR.utf8/LC_MONETARY r,
    /usr/lib/locale/pt_BR.utf8/LC_NAME r,
    /usr/lib/locale/pt_BR.utf8/LC_NUMERIC r,
    /usr/lib/locale/pt_BR.utf8/LC_PAPER r,
    /usr/lib/locale/pt_BR.utf8/LC_TELEPHONE r,
    /usr/lib/locale/pt_BR.utf8/LC_TIME r,
    /usr/share/locale/locale.alias r,
  }
  ^null-3b flags=(complain) {
    /etc/ld.so.cache r,
    /lib/libc-2.10.1.so mr,
    /usr/lib/gconv/gconv-modules.cache r,
    /usr/lib/locale/pt_BR.utf8/LC_ADDRESS r,
    /usr/lib/locale/pt_BR.utf8/LC_COLLATE r,
    /usr/lib/locale/pt_BR.utf8/LC_CTYPE r,
    /usr/lib/locale/pt_BR.utf8/LC_IDENTIFICATION r,
    /usr/lib/locale/pt_BR.utf8/LC_MEASUREMENT r,
    /usr/lib/locale/pt_BR.utf8/LC_MESSAGES/SYS_LC_MESSAGES r,
    /usr/lib/locale/pt_BR.utf8/LC_MONETARY r,
    /usr/lib/locale/pt_BR.utf8/LC_NAME r,
    /usr/lib/locale/pt_BR.utf8/LC_NUMERIC r,
    /usr/lib/locale/pt_BR.utf8/LC_PAPER r,
    /usr/lib/locale/pt_BR.utf8/LC_TELEPHONE r,
    /usr/lib/locale/pt_BR.utf8/LC_TIME r,
    /usr/share/locale/locale.alias r,
  }
  ^null-3d flags=(complain) {
    deny capability chown,
    deny capability dac_override,
    deny capability fsetid,
    deny capability setgid,
    deny capability setuid,
    deny capability sys_admin,
    deny capability sys_chroot,
    deny owner /proc/ r,
    deny /proc/2186/fd/ r,
    deny /proc/2427/fd/ r,
    /dev/urandom r,
    /etc/fonts/** r,
    /etc/ld.so.cache mr,
    /etc/localtime r,
    owner /home/jussier/.fontconfig/c01270a3a4ffb1849c76eac544526ed1-x86.cache-2 r,
    owner /home/jussier/.fonts.conf r,
    /lib/lib*so* mr,
    /opt/google/chrome/chrome.pak mr,
    /opt/google/chrome/libffmpegsumo.so mr,
    /opt/google/chrome/locales/pt-BR.pak mr,
  }
  ^null-45 flags=(complain) {
    /etc/ld.so.cache r,
    /lib/lib*so* mr,
    /usr/lib/gconv/gconv-modules.cache r,
    /usr/lib/locale/pt_BR.utf8/LC_ADDRESS r,
    /usr/lib/locale/pt_BR.utf8/LC_COLLATE r,
    /usr/lib/locale/pt_BR.utf8/LC_CTYPE r,
    /usr/lib/locale/pt_BR.utf8/LC_IDENTIFICATION r,
    /usr/lib/locale/pt_BR.utf8/LC_MEASUREMENT r,
    /usr/lib/locale/pt_BR.utf8/LC_MESSAGES/SYS_LC_MESSAGES r,
    /usr/lib/locale/pt_BR.utf8/LC_MONETARY r,
    /usr/lib/locale/pt_BR.utf8/LC_NAME r,
    /usr/lib/locale/pt_BR.utf8/LC_NUMERIC r,
    /usr/lib/locale/pt_BR.utf8/LC_PAPER r,
    /usr/lib/locale/pt_BR.utf8/LC_TELEPHONE r,
    /usr/lib/locale/pt_BR.utf8/LC_TIME r,
    /usr/share/locale/locale.alias r,
  }
  ^null-47 flags=(complain) {
    /etc/ld.so.cache r,
    /lib/libc-2.10.1.so mr,
    /usr/lib/gconv/gconv-modules.cache r,
    /usr/lib/locale/pt_BR.utf8/LC_ADDRESS r,
    /usr/lib/locale/pt_BR.utf8/LC_COLLATE r,
    /usr/lib/locale/pt_BR.utf8/LC_CTYPE r,
    /usr/lib/locale/pt_BR.utf8/LC_IDENTIFICATION r,
    /usr/lib/locale/pt_BR.utf8/LC_MEASUREMENT r,
    /usr/lib/locale/pt_BR.utf8/LC_MESSAGES/SYS_LC_MESSAGES r,
    /usr/lib/locale/pt_BR.utf8/LC_MONETARY r,
    /usr/lib/locale/pt_BR.utf8/LC_NAME r,
    /usr/lib/locale/pt_BR.utf8/LC_NUMERIC r,
    /usr/lib/locale/pt_BR.utf8/LC_PAPER r,
    /usr/lib/locale/pt_BR.utf8/LC_TELEPHONE r,
    /usr/lib/locale/pt_BR.utf8/LC_TIME r,
    /usr/share/locale/locale.alias r,
  }
  ^null-49 flags=(complain) {
    capability chown,
    capability dac_override,
    capability sys_admin,
    capability sys_ptrace,
    deny /proc/2427/fd/ r,
    deny /proc/2472/fd/ r,
    deny /proc/2473/fd/ r,
    deny /proc/2481/fd/ r,
    deny /proc/2487/fd/ r,
    deny /proc/2489/fd/ r,
    deny /proc/2538/fd/ r,
    deny /proc/2539/fd/ r,
    deny /proc/2541/fd/ r,
    deny /proc/2543/fd/ r,
    deny /proc/2547/fd/ r,
    deny /proc/2548/fd/ r,
    deny /proc/2631/fd/ r,
    deny /proc/2670/fd/ r,
    deny /proc/2677/fd/ r,
    deny /proc/2680/fd/ r,
    deny /proc/3583/fd/ r,
    deny /proc/3735/fd/ r,
    deny /proc/3747/fd/ r,
    deny /proc/3758/fd/ r,
    deny /proc/3760/fd/ r,
    deny /proc/3763/fd/ r,
    deny owner /proc/6001/fd/ r,
    deny /proc/6691/fd/ r,
    deny /proc/6696/fd/ r,
    deny /proc/6707/fd/ r,
    deny /proc/8339/fd/ r,
    deny /proc/8358/fd/ r,
    deny /proc/8368/fd/ r,
    deny /proc/8501/fd/ r,
    deny /proc/8506/fd/ r,
    deny /proc/8508/fd/ r,
    deny /proc/8520/fd/ r,
    deny /proc/8722/fd/ r,
    deny /proc/8725/fd/ r,
    deny owner /proc/8727/fd/ r,
    deny /proc/9527/fd/ r,
    deny /proc/9528/fd/ r,
    deny /proc/9529/fd/ r,
    deny /proc/9530/fd/ r,
    deny /proc/9565/fd/ r,
    deny /proc/9568/fd/ r,
    deny /proc/9572/fd/ r,
    deny /proc/9574/fd/ r,
    deny /proc/9582/fd/ r,
    deny /proc/9583/fd/ r,
    deny /proc/9770/fd/ r,
    deny /proc/9775/fd/ r,
    deny /proc/9789/fd/ r,
    deny /proc/9791/fd/ r,
    deny /proc/9800/fd/ r,
    deny owner /proc/9800/mounts r,
    deny owner /proc/9800/status r,
    deny /proc/9803/fd/ r,
    deny owner /proc/9804/fd/ r,
    deny owner /proc/9805/fd/ r,
    deny owner /proc/9805/mounts r,
    deny owner /proc/9805/status r,
    deny owner /proc/9807/fd/ r,
    deny /proc/sys/kernel/shmmax r,
    deny /usr/share/zoneinfo/Australia/ r,
    deny /usr/share/zoneinfo/Australia/ACT r,
    deny /usr/share/zoneinfo/Australia/Adelaide r,
    deny /usr/share/zoneinfo/Australia/Brisbane r,
    deny /usr/share/zoneinfo/Australia/Broken_Hill r,
    deny /usr/share/zoneinfo/Australia/Canberra r,
    deny /usr/share/zoneinfo/Australia/Currie r,
    deny /usr/share/zoneinfo/Australia/Darwin r,
    deny /usr/share/zoneinfo/Australia/Eucla r,
    deny /usr/share/zoneinfo/Australia/Hobart r,
    deny /usr/share/zoneinfo/Australia/LHI r,
    deny /usr/share/zoneinfo/Australia/Lindeman r,
    deny /usr/share/zoneinfo/Australia/Lord_Howe r,
    deny /usr/share/zoneinfo/Australia/Melbourne r,
    deny /usr/share/zoneinfo/Australia/NSW r,
    deny /usr/share/zoneinfo/Australia/North r,
    deny /usr/share/zoneinfo/Australia/Perth r,
    deny /usr/share/zoneinfo/Australia/Queensland r,
    deny /usr/share/zoneinfo/Australia/South r,
    deny /usr/share/zoneinfo/Australia/Sydney r,
    deny /usr/share/zoneinfo/Australia/Tasmania r,
    deny /usr/share/zoneinfo/Australia/Victoria r,
    deny /usr/share/zoneinfo/Australia/West r,
    deny /usr/share/zoneinfo/Australia/Yancowinna r,
    deny /usr/share/zoneinfo/Brazil/ r,
    /dev/urandom r,
    /etc/fonts/** r,
    /etc/ld.so.cache mr,
    /etc/localtime r,
    owner /home/jussier/.fontconfig/c01270a3a4ffb1849c76eac544526ed1-x86.cache-2 r,
    owner /home/jussier/.fonts.conf r,
    /lib/libbz2.so.* mr,
    /lib/libc-*.so mr,
    /lib/libdbus-1.so.* mr,
    /lib/libdl-*.so mr,
    /lib/libexpat.so.* mr,
    /lib/libgcc_s.so.* mr,
    /lib/libm-*.so mr,
    /lib/libpcre.so.* mr,
    /lib/libpthread-*.so mr,
    /lib/libresolv-*.so mr,
    /lib/librt-*.so mr,
    /lib/libselinux.so.* mr,
    /lib/libz.so.* mr,
    /opt/google/chrome/chrome.pak mr,
    /opt/google/chrome/libffmpegsumo.so mr,
    /opt/google/chrome/locales/pt-BR.pak mr,
    owner /proc/ r,
    /proc/2186/fd/ r,
    /usr/lib/gconv/gconv-modules.cache mr,
    /usr/lib/lib*so* mr,
    /usr/lib/libORBit-2.so.* mr,
    /usr/lib/libX11.so.* mr,
    /usr/lib/libXau.so.* mr,
    /usr/lib/libXcomposite.so.* mr,
    /usr/lib/libXcursor.so.* mr,
    /usr/lib/libXdamage.so.* mr,
    /usr/lib/libXext.so.* mr,
    /usr/lib/libXfixes.so.* mr,
    /usr/lib/libXi.so.* mr,
    /usr/lib/locale/pt_BR.utf8/LC_ADDRESS mr,
    /usr/lib/locale/pt_BR.utf8/LC_COLLATE mr,
    /usr/lib/locale/pt_BR.utf8/LC_CTYPE mr,
    /usr/lib/locale/pt_BR.utf8/LC_IDENTIFICATION mr,
    /usr/lib/locale/pt_BR.utf8/LC_MEASUREMENT mr,
    /usr/lib/locale/pt_BR.utf8/LC_MESSAGES/SYS_LC_MESSAGES mr,
    /usr/lib/locale/pt_BR.utf8/LC_MONETARY mr,
    /usr/lib/locale/pt_BR.utf8/LC_NAME mr,
    /usr/lib/locale/pt_BR.utf8/LC_NUMERIC mr,
    /usr/lib/locale/pt_BR.utf8/LC_PAPER mr,
    /usr/lib/locale/pt_BR.utf8/LC_TELEPHONE mr,
    /usr/lib/locale/pt_BR.utf8/LC_TIME mr,
    /usr/share/locale/locale.alias r,
    /usr/share/zoneinfo/ r,
    /usr/share/zoneinfo/** r,
    /var/cache/fontconfig/17090aa38d5c6f09fb8c5c354938f1d7-x86.cache-2 mr,
    /var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-x86.cache-2 r,
    /var/cache/fontconfig/5ca8086aeacc9c68e81a71e7ef846b3b-x86.cache-2 r,
    /var/cache/fontconfig/77e41c5059666d75f92e318d4be8c21e-x86.cache-2 mr,
    /var/cache/fontconfig/7ef2298fde41cc6eeb7af42e48b7d293-x86.cache-2 mr,
    /var/cache/fontconfig/8d4af663993b81a124ee82e610bb31f9-x86.cache-2 mr,
    /var/cache/fontconfig/a1c95d6dfc9a7b34f44445cf81166004-x86.cache-2 r,
  }
  ^null-7f {
    #include <abstractions/base>
  }
  ^null-81 {
    #include <abstractions/base>
  }
  ^null-83 {
    #include <abstractions/base>
    #include <abstractions/fonts>
    capability chown,
    capability dac_override,
    capability sys_admin,
    capability sys_chroot,
    capability sys_ptrace,
    owner /home/*/.fontconfig/*.cache-3 r,
    owner /home/*/.fonts.conf r,
    owner /proc/*/auxv r,
    owner /proc/*/fd/ r,
    /proc/cpuinfo r,
    /proc/filesystems r,
    /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
    owner /tmp/chrome-sandbox-chroot-KHXaUq/ rw,
  }
}

Works for me on my XUbuntu 11.10 machine with the Chrome Dev build. Not sure if I missed anything.

Let me know if it works for you.

Last edited by x942 : March 15th, 2012 at 09:13 PM.
#33
March 15th, 2012, 09:25 PM
Hungry Man
Re: Anyone using Apparmor?

I'll give it a try ASAP. I think it can probably be cut down with a few **'s.
#34
March 15th, 2012, 10:01 PM
x942
Re: Anyone using Apparmor?

Quote:
Originally Posted by Hungry Man
I'll give it a try ASAP. I think it can probably be cut down with a few **'s.

LOL, probably. I took some from online and from running complain mode. I'm going to cut some stuff down.
#35
March 15th, 2012, 10:15 PM
Hungry Man
Re: Anyone using Apparmor?

When I had my Chrome sandbox setup I had app_armor status displaying sooooo many profiles being active so I turned it off lol It just... didn't look right. I think I had created some sort of infinite regression where I had child processes of themselves lol it was all very confusing but I definitely learned a lot about setting up profiles.
#36
March 28th, 2012, 12:56 AM
Hungry Man
Re: Anyone using Apparmor?

I'm trying to make the Chrome sandbox again but I'm not sure how to treat the /chrome/chrome-sandbox. Should I run it in its own profile? Inherit? Child? No idea.
#37
March 29th, 2012, 08:00 PM
Hungry Man
Re: Anyone using Apparmor?

Anyone using AppArmor with VLC?
#38
March 30th, 2012, 01:52 AM
x942
Re: Anyone using Apparmor?

Quote:
Originally Posted by Hungry Man
Anyone using AppArmor with VLC?


I have VLC installed; is there a profile? Do you want me to try and make one? :p
#39
March 30th, 2012, 01:04 PM
Hungry Man
Re: Anyone using Apparmor?

I don't think there is one. I started making one but it got very convoluted very quickly.
#40
March 31st, 2012, 01:18 AM
Hungry Man
Re: Anyone using Apparmor?

Got a profile set up for Chrome, NaCli, and Chrome's Sandbox. It works but I'm leaving it in complain for a few more days just to be sure.
#41
March 31st, 2012, 01:35 AM
x942
Re: Anyone using Apparmor?

Quote:
Originally Posted by Hungry Man
Got a profile set up for Chrome, NaCli, and Chrome's Sandbox. It works but I'm leaving it in complain for a few more days just to be sure.

Awesome! Please post when you're done!

VLC is giving too many issues. I gave up on it.
#42
March 31st, 2012, 01:42 AM
Hungry Man
Re: Anyone using Apparmor?

I got it working.

All it should need is full write access, some GPU access, full screen/ screen saver access, and I went ahead and denied it read/write access to my passwords.

With this it runs fine. It could use work (with ogl + aa profile it gives a few issues while moving the video around. edit: Already working on fixing this.)

Code:
# Last Modified: Sat Mar 31 01:39:22 2012
#include <tunables/global>
/usr/bin/vlc flags=(complain) {
  #include <abstractions/base>
  deny /etc/passwd r,
  / r,
  /bin/dash r,
  /bin/grep rix,
  /bin/mv rix,
  /bin/sed rix,
  /dev/ r,
  /etc/fonts/** r,
  /etc/nsswitch.conf r,
  /etc/pulse/client.conf r,
  /etc/xdg/Trolltech.conf rk,
  /etc/xdg/sni-qt.conf rk,
  /home/** rwk,
  /proc/*/auxv r,
  /proc/*/cmdline r,
  /proc/*/status r,
  /proc/modules r,
  /run/shm/ r,
  /run/shm/* rw,
  /sys/devices/system/*/ r,
  /tmp/** w,
  /tmp/**/ rw,
  /usr/** rk,
  /usr/bin/dbus-send rix,
  /usr/bin/xdg-screensaver rix,
  /usr/lib{,32,64}/** mrw,
  /var/cache/** r,
  /var/lib/dbus/machine-id r,
  /var/lib/defoma/fontconfig.d/* r,
}
#43
March 31st, 2012, 01:47 AM
x942
Re: Anyone using Apparmor?

Quote:
Originally Posted by Hungry Man
I got it working.

All it should need is full write access, some GPU access, full screen/ screen saver access, and I went ahead and denied it read/write access to my passwords.

With this it runs fine. It could use work (with ogl + aa profile it gives a few issues while moving the video around. edit: Already working on fixing this.)


Thanks! I will run it on my Ubuntu host. (I'm now using a Debian VM for web browsing + SELinux + Chrome/seccomp. I think the VM adds even more security to the mix.)
#44
March 31st, 2012, 01:49 AM
Hungry Man
Re: Anyone using Apparmor?

It's now working (seemingly) perfectly.

I'll probably reduce its read rights a bit. I also gave it IPC_Lock, which worries me a bit - though it seemed to function without it so I may take it away at a later time.

Updated and very rough profile:

Code:
# Last Modified: Sat Mar 31 01:45:41 2012
#include <tunables/global>
/usr/bin/vlc {
  #include <abstractions/base>
  #include <abstractions/nvidia>
  capability ipc_lock,
  deny /etc/passwd r,
  / r,
  /bin/dash r,
  /bin/grep rix,
  /bin/mv rix,
  /bin/sed rix,
  /bin/sleep rix,
  /bin/which rix,
  /dev/ r,
  /dev/ati/card0 rw,
  /etc/fonts/** r,
  /etc/nsswitch.conf r,
  /etc/pulse/client.conf r,
  /etc/xdg/Trolltech.conf rk,
  /etc/xdg/sni-qt.conf rk,
  /home/** rwk,
  /proc/*/auxv r,
  /proc/*/cmdline r,
  /proc/*/status r,
  /proc/ati/* r,
  /proc/modules r,
  /run/shm/ r,
  /run/shm/* rw,
  /sys/devices/system/*/ r,
  /tmp/** w,
  /tmp/**/ rw,
  /usr/** rk,
  /usr/bin/dbus-send rix,
  /usr/bin/xdg-screensaver rix,
  /usr/lib{,32,64}/** mrw,
  /var/cache/** r,
  /var/lib/dbus/machine-id r,
  /var/lib/defoma/fontconfig.d/* r,
}
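A quick lint pass over the VLC profile above, added here as an example and not tooling from the thread: it flags the rules a reviewer would look at twice when "reducing its read rights" (recursive writes, write-plus-mmap on the same path, and any granted capability such as `ipc_lock`). The input is the profile as posted; the checks are string heuristics, not a substitute for apparmor_parser or aa-logprof.

```python
"""Flag AppArmor rules broader than a media player is likely to need.
Added example, not code from the thread; input copied from the post above."""
import re

VLC_PROFILE = """\
/usr/bin/vlc {
  #include <abstractions/base>
  #include <abstractions/nvidia>
  capability ipc_lock,
  deny /etc/passwd r,
  / r,
  /bin/dash r,
  /bin/grep rix,
  /bin/mv rix,
  /bin/sed rix,
  /bin/sleep rix,
  /bin/which rix,
  /dev/ r,
  /dev/ati/card0 rw,
  /etc/fonts/** r,
  /etc/nsswitch.conf r,
  /etc/pulse/client.conf r,
  /etc/xdg/Trolltech.conf rk,
  /etc/xdg/sni-qt.conf rk,
  /home/** rwk,
  /proc/*/auxv r,
  /proc/*/cmdline r,
  /proc/*/status r,
  /proc/ati/* r,
  /proc/modules r,
  /run/shm/ r,
  /run/shm/* rw,
  /sys/devices/system/*/ r,
  /tmp/** w,
  /tmp/**/ rw,
  /usr/** rk,
  /usr/bin/dbus-send rix,
  /usr/bin/xdg-screensaver rix,
  /usr/lib{,32,64}/** mrw,
  /var/cache/** r,
  /var/lib/dbus/machine-id r,
  /var/lib/defoma/fontconfig.d/* r,
}
"""

# "[deny] [owner] /path mask," and "[deny] capability name,"; includes, the
# profile header and the closing brace match neither.
FILE_RULE_RE = re.compile(r'^(deny\s+)?(?:owner\s+)?(/\S*)\s+([A-Za-z]+),$')
CAP_RULE_RE = re.compile(r'^(deny\s+)?capability\s+(\w+),$')


def lint_profile(text):
    """Return [(rule, reason)] for rules that deserve a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        cap = CAP_RULE_RE.match(line)
        if cap:
            if not cap.group(1):  # a 'deny capability' rule is fine
                findings.append((line, f'grants capability {cap.group(2)}; '
                                       'confirm the player fails without it'))
            continue
        m = FILE_RULE_RE.match(line)
        if not m or m.group(1):
            continue  # not a file rule, or an explicit deny
        path, mask = m.group(2), m.group(3)
        if 'w' in mask and '**' in path:
            findings.append((line, 'recursive write: a compromised player can '
                                   'alter everything under this tree'))
        if 'w' in mask and 'm' in mask:
            # 'm' is PROT_EXEC mmap; with 'w' on the same path the confined
            # process can write a file and then map it as code.
            findings.append((line, 'write plus mmap on the same path'))
    return findings


if __name__ == '__main__':
    for rule, reason in lint_profile(VLC_PROFILE):
        print(f'{rule:32} {reason}')
```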
__________________
  #45  
Old March 31st, 2012, 01:51 AM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Anyone using Apparmor?

Quote:
(I'm now using a Debian VM for web browsing + SeLinux + Chrome/seccomp. I think the VM adds even more security to the mix).
Nice. The seccomp + VM combo is probably very strong; seccomp's main purpose is to limit kernel exposure to programs, and the VM is basically a big emulated kernel/file system. I'll be very happy when more programs start making use of it.

Tightening the above profile up a bit.
__________________
  #46  
Old March 31st, 2012, 02:00 AM
x942
Very Frequent Poster
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Re: Anyone using Apparmor?

Quote:
Originally Posted by Hungry Man
Nice. The seccomp + VM combo is probably very strong; seccomp's main purpose is to limit kernel exposure to programs, and the VM is basically a big emulated kernel/file system. I'll be very happy when more programs start making use of it.

Tightening the above profile up a bit.

The only thing I can think of to make seccomp + VM stronger is by creating an apparmor profile for VirtualBox. Do you think that would add security or just cause issues? I'm scared to try it lol.

I just used your profile. Chrome won't launch for some reason now (with or without the profile). I think I will have to reboot here.
__________________
E-Mail: og8oh@notsharingmy.info
  #47  
Old March 31st, 2012, 02:05 AM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Anyone using Apparmor?

Chrome? How odd... it shouldn't really affect Chrome as it's for VLC.

Are you using the VLC plugin for Chrome? That may be causing the issues; I don't use that.

Or perhaps you accidentally set another profile to enforce via /etc/apparmor.d/* ?

Quote:
The only thing I can think of to make seccomp + VM stronger is by creating an apparmor profile for VirtualBox. Do you think that would add security or just cause issues? I'm scared to try it lol.
A VM would probably need so many holes poked it wouldn't be worth it, but I don't think it would hurt.

Just do auto-dep and set it to complain and in a week you can set it up.
__________________
  #48  
Old March 31st, 2012, 02:13 AM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Anyone using Apparmor?

Alright, here's what will likely be the final AppArmor for VLC. If you use nVidia you'll need to change a few things, different settings may also need more access.

I've explicitly denied areas of the file system that it doesn't need / that I don't want it having access to (passwd, apparmor.d, etc.), and most of what it can do is read pieces of the file system and lock files.

Code:
# Last Modified: Sat Mar 31 01:45:41 2012
#include <tunables/global>

/usr/bin/vlc {
  #include <abstractions/base>
  #include <abstractions/nvidia>

  capability ipc_lock,

  deny /etc/passwd r,
  deny /etc/apparmor.d/** r,
  deny /root/** r,
  deny /selinux/** r,
  deny /boot/** r,
  deny /opt/** r,
  deny /sbin/** r,

  /bin/dash r,
  /bin/grep rix,
  /bin/mv rix,
  /bin/sed rix,
  /bin/sleep rix,
  /bin/which rix,
  /dev/ r,
  /dev/ati/card0 rw,
  /etc/fonts/** r,
  /etc/nsswitch.conf r,
  /etc/pulse/client.conf r,
  /etc/xdg/Trolltech.conf rk,
  /etc/xdg/sni-qt.conf rk,
  /home/** rk,
  /proc/*/auxv r,
  /proc/*/cmdline r,
  /proc/*/status r,
  /proc/ati/* r,
  /proc/modules r,
  /run/shm/ r,
  /run/shm/* rw,
  /sys/devices/system/*/ r,
  /tmp/** rw,
  /tmp/**/ rw,
  /usr/** rk,
  /usr/bin/dbus-send rix,
  /usr/bin/xdg-screensaver rix,
  /usr/lib{,32,64}/** mrw,
  /var/cache/** r,
  /var/lib/dbus/machine-id r,
  /var/lib/defoma/fontconfig.d/* r,
}
__________________
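The posts above hand-edit the VLC profile in two ways: the "auto-dep, set it to complain, then enforce" workflow (the `flags=(complain)` header that aa-complain writes and aa-enforce removes), and the later pass that adds `deny` rules and trims write access. The script below is an added example for this thread, not code from VLC, the AppArmor project or either poster. It parses the subset of profile syntax the posted profiles use (`#include` lines, the attachment header with an optional `flags=(...)`, `capability` rules, and plain or `deny` file rules), flips the header between complain and enforce the way the aa-* tools edit the file, and lists the rules a reviewer would look at first: capabilities, globbed paths that grant write, paths that combine write with `m` (mmap as executable), and exec rules. The sample profile is constructed here in the same style as the posted ones and is not one of them verbatim; the audit checks are this example's own, not an AppArmor feature.

```python
"""Parse an AppArmor profile, switch its mode, and report what it grants.

Added example for this thread (not VLC's, AppArmor's or any poster's own code).
Handles only the rule forms seen in the posted VLC profiles.
"""
import re

# Constructed sample profile, modelled on the rule style in this thread.
SAMPLE_PROFILE = """\
# Last Modified: (constructed sample)
#include <tunables/global>
/usr/bin/vlc flags=(complain) {
  #include <abstractions/base>
  capability ipc_lock,
  deny /etc/passwd r,
  deny /etc/apparmor.d/** r,
  / r,
  /etc/nsswitch.conf r,
  /home/** rwk,
  /run/shm/* rw,
  /tmp/** rw,
  /usr/** rk,
  /usr/bin/dbus-send rix,
  /usr/lib{,32,64}/** mrw,
}
"""

HEADER_RE = re.compile(r"^(\S+)\s*(?:flags=\(([^)]*)\))?\s*\{$")
CAP_RE = re.compile(r"^capability\s+(\w+),$")
FILE_RULE_RE = re.compile(r"^(deny\s+)?(/\S*)\s+([A-Za-z]+),$")


def _split_flags(raw):
    return [f.strip() for f in (raw or "").split(",") if f.strip()]


def parse_profile(text):
    """Return a dict with attachment, flags, includes, capabilities and file rules."""
    prof = {"attachment": None, "flags": [], "includes": [], "capabilities": [], "rules": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "}":
            continue
        if line.startswith("#include"):
            prof["includes"].append(line.split(None, 1)[1].strip("<>"))
            continue
        if line.startswith("#"):            # ordinary comment
            continue
        m = HEADER_RE.match(line)
        if m:
            prof["attachment"] = m.group(1)
            prof["flags"] = _split_flags(m.group(2))
            continue
        m = CAP_RE.match(line)
        if m:
            prof["capabilities"].append(m.group(1))
            continue
        m = FILE_RULE_RE.match(line)
        if m:
            prof["rules"].append({"deny": bool(m.group(1)), "path": m.group(2), "perms": m.group(3)})
            continue
        raise ValueError(f"unrecognised profile line: {line!r}")
    return prof


def audit(prof):
    """List (kind, detail) findings: mode, capabilities, and the broad grants."""
    findings = [("mode", "complain" if "complain" in prof["flags"] else "enforce")]
    findings += [("capability", c) for c in prof["capabilities"]]
    for r in prof["rules"]:
        if r["deny"]:
            continue                          # deny rules only take access away
        p, desc = set(r["perms"]), f"{r['path']} {r['perms']}"
        if "*" in r["path"] and p & {"w", "a"}:
            findings.append(("broad-write", desc))   # glob plus write: many files writable
        if "m" in p and p & {"w", "a"}:
            findings.append(("write+mmap", desc))    # can write a file, then map it executable
        if "x" in p:
            findings.append(("exec", desc))
    return findings


def set_mode(text, mode):
    """Rewrite the header flags the way aa-complain / aa-enforce edit the profile file."""
    out = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw.strip())
        if not m:
            out.append(raw)
            continue
        flags = [f for f in _split_flags(m.group(2)) if f != "complain"]
        if mode == "complain":
            flags.append("complain")
        elif mode != "enforce":
            raise ValueError(f"unknown mode {mode!r}")
        flag_txt = f" flags=({','.join(flags)})" if flags else ""
        out.append(f"{m.group(1)}{flag_txt} {{")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for kind, detail in audit(parse_profile(SAMPLE_PROFILE)):
        print(f"{kind:12} {detail}")
```

Running it on a real profile (`audit(parse_profile(open('/etc/apparmor.d/usr.bin.vlc').read()))`) lists the things worth justifying before moving from complain to enforce; in the sample, the `/usr/lib{,32,64}/** mrw` rule is flagged twice because it both writes through a glob and combines write with mmap-exec. Only the file syntax used in this thread is parsed, so a profile with network, dbus or sub-profile rules raises `ValueError` rather than being silently misread.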
  #49  
Old March 31st, 2012, 02:13 AM
x942
Very Frequent Poster
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Re: Anyone using Apparmor?

Quote:
Originally Posted by Hungry Man
Chrome? How odd... it shouldn't really affect Chrome as it's for VLC.

Are you using the VLC plugin for Chrome? That may be causing the issues; I don't use that.

Or perhaps you accidentally set another profile to enforce via /etc/apparmor.d/* ?


A VM would probably need so many holes poked it wouldn't be worth it, but I don't think it would hurt.

Just do auto-dep and set it to complain and in a week you can set it up.

That was it. The VLC plugin was causing some issues for me. I removed it (not sure why I even had it enabled) and all is good now. The profile works for me.

Ha. I think I will try it. Probably be one big profile though.
__________________
E-Mail: og8oh@notsharingmy.info
  #50  
Old March 31st, 2012, 02:14 AM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Anyone using Apparmor?

I'm trying to profile everything I possibly can. I don't have that much installed though lol

edit: Working on a VM AA profile.
__________________