Anyone using Apparmor?

Discussion in 'all things UNIX' started by Hungry Man, Mar 11, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Yeah I do that every time.
  2. x942

    Try doing a:

    Code:
    grep 'apparmor' /var/log/syslog > ./apparmor.log
    and posting the output to compare to mine.

    Mine is at: http://www.box.com/s/9y55lmpb4djj9a7z95ec
    It's too big to post apparently.

    EDIT: should have done this:

    Code:
    grep 'chromium' /var/log/syslog > ./apparmor.log
    (I used google-chrome in place of chromium though)
    Mine shows:
    Code:
    
    Mar 11 22:28:58 AccessDenied kernel: [25765.866882] type=1400 audit(1331530138.590:115): apparmor="STATUS" operation="profile_load" name="/opt/google/chrome/google-chrome" pid=15984 comm="apparmor_parser"
    Mar 11 22:29:17 AccessDenied kernel: [25784.398009] type=1400 audit(1331530157.130:116): apparmor="STATUS" operation="profile_replace" name="/opt/google/chrome/google-chrome" pid=15998 comm="apparmor_parser"
    Mar 11 22:31:29 AccessDenied kernel: [25917.167672] type=1400 audit(1331530289.978:117): apparmor="STATUS" operation="profile_replace" name="/opt/google/chrome/google-chrome" pid=16216 comm="apparmor_parser"
    Mar 11 22:34:07 AccessDenied kernel: [26075.032137] type=1400 audit(1331530447.938:118): apparmor="ALLOWED" operation="open" parent=1 profile="/opt/google/chrome/google-chrome" name="/dev/tty" pid=16265 comm="google-chrome" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
    Mar 11 22:34:07 AccessDenied kernel: [26075.034179] type=1400 audit(1331530447.938:119): apparmor="ALLOWED" operation="open" parent=1 profile="/opt/google/chrome/google-chrome" name="/opt/google/chrome/google-chrome" pid=16265 comm="google-chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:34:07 AccessDenied kernel: [26075.035414] type=1400 audit(1331530447.942:120): apparmor="ALLOWED" operation="exec" parent=16265 profile="/opt/google/chrome/google-chrome" name="/bin/readlink" pid=16266 comm="google-chrome" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/opt/google/chrome/google-chrome//null-28"
    Mar 11 22:34:07 AccessDenied kernel: [26075.035795] type=1400 audit(1331530447.942:121): apparmor="ALLOWED" operation="open" parent=16265 profile="/opt/google/chrome/google-chrome//null-28" name="/etc/ld.so.cache" pid=16266 comm="readlink" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:34:07 AccessDenied kernel: [26075.035817] type=1400 audit(1331530447.942:122): apparmor="ALLOWED" operation="getattr" parent=16265 profile="/opt/google/chrome/google-chrome//null-28" name="/etc/ld.so.cache" pid=16266 comm="readlink" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:34:07 AccessDenied kernel: [26075.035881] type=1400 audit(1331530447.942:123): apparmor="ALLOWED" operation="open" parent=16265 profile="/opt/google/chrome/google-chrome//null-28" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16266 comm="readlink" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:34:07 AccessDenied kernel: [26075.035913] type=1400 audit(1331530447.942:124): apparmor="ALLOWED" operation="getattr" parent=16265 profile="/opt/google/chrome/google-chrome//null-28" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16266 comm="readlink" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:34:07 AccessDenied kernel: [26075.035946] type=1400 audit(1331530447.942:125): apparmor="ALLOWED" operation="file_mmap" parent=16265 profile="/opt/google/chrome/google-chrome//null-28" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16266 comm="readlink" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
    Mar 11 22:34:07 AccessDenied kernel: [26075.036173] type=1400 audit(1331530447.942:126): apparmor="ALLOWED" operation="file_mprotect" parent=16265 profile="/opt/google/chrome/google-chrome//null-28" name="/bin/readlink" pid=16266 comm="readlink" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:37:24 AccessDenied kernel: [26271.387865] type=1400 audit(1331530644.410:2460): apparmor="STATUS" operation="profile_replace" name="/opt/google/chrome/google-chrome" pid=16316 comm="apparmor_parser"
    Mar 11 22:41:32 AccessDenied kernel: [26519.326736] type=1400 audit(1331530892.494:2461): apparmor="ALLOWED" operation="exec" parent=16338 profile="/opt/google/chrome/google-chrome" name="/usr/bin/dirname" pid=16340 comm="google-chrome" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/opt/google/chrome/google-chrome//null-32"
    Mar 11 22:41:32 AccessDenied kernel: [26519.327119] type=1400 audit(1331530892.494:2462): apparmor="ALLOWED" operation="open" parent=16338 profile="/opt/google/chrome/google-chrome//null-32" name="/etc/ld.so.cache" pid=16340 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:41:32 AccessDenied kernel: [26519.327142] type=1400 audit(1331530892.494:2463): apparmor="ALLOWED" operation="getattr" parent=16338 profile="/opt/google/chrome/google-chrome//null-32" name="/etc/ld.so.cache" pid=16340 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:41:32 AccessDenied kernel: [26519.327203] type=1400 audit(1331530892.494:2464): apparmor="ALLOWED" operation="open" parent=16338 profile="/opt/google/chrome/google-chrome//null-32" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16340 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:41:32 AccessDenied kernel: [26519.327234] type=1400 audit(1331530892.494:2465): apparmor="ALLOWED" operation="getattr" parent=16338 profile="/opt/google/chrome/google-chrome//null-32" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16340 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:41:32 AccessDenied kernel: [26519.327262] type=1400 audit(1331530892.494:2466): apparmor="ALLOWED" operation="file_mmap" parent=16338 profile="/opt/google/chrome/google-chrome//null-32" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16340 comm="dirname" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
    Mar 11 22:41:32 AccessDenied kernel: [26519.327468] type=1400 audit(1331530892.494:2467): apparmor="ALLOWED" operation="file_mprotect" parent=16338 profile="/opt/google/chrome/google-chrome//null-32" name="/usr/bin/dirname" pid=16340 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:41:32 AccessDenied kernel: [26519.327498] type=1400 audit(1331530892.494:2468): apparmor="ALLOWED" operation="file_mprotect" parent=16338 profile="/opt/google/chrome/google-chrome//null-32" name="/lib/i386-linux-gnu/ld-2.13.so" pid=16340 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:41:32 AccessDenied kernel: [26519.327756] type=1400 audit(1331530892.494:2469): apparmor="ALLOWED" operation="open" parent=16338 profile="/opt/google/chrome/google-chrome//null-32" name="/usr/lib/locale/locale-archive" pid=16340 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:42:04 AccessDenied kernel: [26551.133260] type=1400 audit(1331530924.318:4580): apparmor="ALLOWED" operation="exec" parent=16401 profile="/opt/google/chrome/google-chrome" name="/usr/bin/dirname" pid=16403 comm="google-chrome" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/opt/google/chrome/google-chrome//null-3b"
    Mar 11 22:42:04 AccessDenied kernel: [26551.133630] type=1400 audit(1331530924.318:4581): apparmor="ALLOWED" operation="open" parent=16401 profile="/opt/google/chrome/google-chrome//null-3b" name="/etc/ld.so.cache" pid=16403 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:42:04 AccessDenied kernel: [26551.133653] type=1400 audit(1331530924.318:4582): apparmor="ALLOWED" operation="getattr" parent=16401 profile="/opt/google/chrome/google-chrome//null-3b" name="/etc/ld.so.cache" pid=16403 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:42:04 AccessDenied kernel: [26551.133714] type=1400 audit(1331530924.318:4583): apparmor="ALLOWED" operation="open" parent=16401 profile="/opt/google/chrome/google-chrome//null-3b" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16403 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:42:04 AccessDenied kernel: [26551.133744] type=1400 audit(1331530924.318:4584): apparmor="ALLOWED" operation="getattr" parent=16401 profile="/opt/google/chrome/google-chrome//null-3b" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16403 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:42:04 AccessDenied kernel: [26551.133773] type=1400 audit(1331530924.318:4585): apparmor="ALLOWED" operation="file_mmap" parent=16401 profile="/opt/google/chrome/google-chrome//null-3b" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16403 comm="dirname" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
    Mar 11 22:42:04 AccessDenied kernel: [26551.133974] type=1400 audit(1331530924.318:4586): apparmor="ALLOWED" operation="file_mprotect" parent=16401 profile="/opt/google/chrome/google-chrome//null-3b" name="/usr/bin/dirname" pid=16403 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:42:04 AccessDenied kernel: [26551.134003] type=1400 audit(1331530924.318:4587): apparmor="ALLOWED" operation="file_mprotect" parent=16401 profile="/opt/google/chrome/google-chrome//null-3b" name="/lib/i386-linux-gnu/ld-2.13.so" pid=16403 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:42:04 AccessDenied kernel: [26551.134258] type=1400 audit(1331530924.318:4588): apparmor="ALLOWED" operation="open" parent=16401 profile="/opt/google/chrome/google-chrome//null-3b" name="/usr/lib/locale/locale-archive" pid=16403 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 11 22:42:04 AccessDenied kernel: [26551.134280] type=1400 audit(1331530924.318:4589): apparmor="ALLOWED" operation="getattr" parent=16401 profile="/opt/google/chrome/google-chrome//null-3b" name="/usr/lib/locale/locale-archive" pid=16403 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    
    Last edited: Mar 12, 2012
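As an added example (not from the thread): a small Python parser for audit lines in the format shown above. It groups the events per profile and turns the complain-mode entries into the file rules the profile is still missing, which is roughly what aa-logprof does by hand. The sample log is constructed in the same field layout; hostnames, PIDs and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same syslog/audit format as the excerpt above.
# Hostname, PIDs and timestamps are made up; the field layout is the real one.
SAMPLE_LOG = """\
Mar 11 22:28:58 host kernel: [25765.866882] type=1400 audit(1331530138.590:115): apparmor="STATUS" operation="profile_load" name="/opt/google/chrome/google-chrome" pid=15984 comm="apparmor_parser"
Mar 11 22:34:07 host kernel: [26075.032137] type=1400 audit(1331530447.938:118): apparmor="ALLOWED" operation="open" parent=1 profile="/opt/google/chrome/google-chrome" name="/dev/tty" pid=16265 comm="google-chrome" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
Mar 11 22:34:07 host kernel: [26075.035414] type=1400 audit(1331530447.942:120): apparmor="ALLOWED" operation="exec" parent=16265 profile="/opt/google/chrome/google-chrome" name="/bin/readlink" pid=16266 comm="google-chrome" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/opt/google/chrome/google-chrome//null-28"
Mar 11 22:34:07 host kernel: [26075.035881] type=1400 audit(1331530447.942:123): apparmor="ALLOWED" operation="open" parent=16265 profile="/opt/google/chrome/google-chrome//null-28" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16266 comm="readlink" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 22:34:07 host kernel: [26075.035946] type=1400 audit(1331530447.942:125): apparmor="ALLOWED" operation="file_mmap" parent=16265 profile="/opt/google/chrome/google-chrome//null-28" name="/lib/i386-linux-gnu/libc-2.13.so" pid=16266 comm="readlink" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
Mar 12 09:01:02 host kernel: [30001.000000] type=1400 audit(1331568062.000:130): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/vlc" name="/etc/passwd" pid=17001 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 12 09:01:03 host kernel: [30001.100000] unrelated kernel message
"""

# key=value pairs: the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line as a dict, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if bare == "" else bare
    return fields


def summarize(log_text):
    """Group accesses per profile.

    Returns (status_events, accesses) where accesses maps
    profile -> verdict ("ALLOWED" or "DENIED") -> path -> set of mask letters.
    In complain mode the kernel logs apparmor="ALLOWED" but still fills in
    denied_mask: the access went through, yet it would be blocked in enforce
    mode, so those entries are exactly the rules the profile lacks.
    DENIED entries come from enforce mode and were really refused.
    """
    status = []
    accesses = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        verdict = ev.get("apparmor")
        if verdict == "STATUS":
            status.append((ev.get("operation"), ev.get("name")))
        elif verdict in ("ALLOWED", "DENIED") and "name" in ev:
            # fold the auto-generated //null-NN child profiles (created after an
            # exec in complain mode) into their parent profile
            profile = ev["profile"].split("//null-")[0]
            accesses[profile][verdict][ev["name"]].update(ev.get("denied_mask", ""))
    return status, accesses


MASK_ORDER = "mrwkl"  # usual ordering of AppArmor file permission letters


def suggest_rules(accesses, profile):
    """Turn the complain-mode ALLOWED entries for one profile into file rule lines.

    An exec ('x') is written as 'ix' (run the child under this same profile),
    the conservative default; 'px'/'ux' are decisions the author makes by hand.
    """
    rules = []
    for path, chars in sorted(accesses[profile]["ALLOWED"].items()):
        mode = "".join(c for c in MASK_ORDER if c in chars)
        if "x" in chars:
            mode += "ix"
        rules.append(f"  {path} {mode},")
    return rules


if __name__ == "__main__":
    status, accesses = summarize(SAMPLE_LOG)
    for op, name in status:
        print(f"STATUS {op} {name}")
    for profile in list(accesses):
        print(f"\n{profile}: rules still missing (complain-mode ALLOWED events):")
        print("\n".join(suggest_rules(accesses, profile)) or "  (none)")
        for path, chars in accesses[profile]["DENIED"].items():
            print(f"  blocked in enforce mode: {path} {''.join(sorted(chars))}")
```

Run it against a real `grep apparmor /var/log/syslog` capture by replacing SAMPLE_LOG with the file contents; the DENIED lines tell you what enforce mode actually blocked, the ALLOWED ones what a complain-mode profile would block once enforced.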
  3. Hungry Man

    The logs are virtually identical save for my renderer profile. I've tried disabling, reloading all profiles, enabling the sandbox, reloading again, and then starting but the problem persists.

    Still... I'm fairly satisfied. A rogue tab won't be protected by apparmor but the renderer is, which is satisfactory. The typical linux sandbox alone is at least powerful enough to stop an exploit. With seccomp on top of that I really don't see Chrome as a viable attack surface. I'd be much more worried about Java but Apparmor works with it and it's OpenJDK.

    Actually, the one thing I haven't got covered up is Flash. Though if it runs as a chrome process maybe I do? Not sure.
  4. x942

    How does it break exactly? Not starting at all?

    Yeah that should be plenty, I mean you have chrome chroot sandbox + apparmor on the renderer + seccomp should be fine against 99.9% of exploits out there.

    I always use OpenJDK just because it's open so hoping it gets audited more. I also have apparmor protecting it. If it wasn't for libreoffice and minecraft I would just uninstall it altogether.

    Flash should be covered, again I'm not sure because on windows it used to only sandbox the bundled flash and not the external flash plugin. I know you should be able to use apparmor on it though if you created a profile, I did this with SELinux on Fedora so I can't see why apparmor wouldn't work.

    Something I just remembered is
    Code:
     sudo update-rc.d apparmor defaults 
    to return to defaults. But I don't know if you want to do it now.
  5. Hungry Man

    Click - nothing happens.

    Honestly, yeah. It's not like there are any exploits in the wild for the seccomp sandbox - it's not enabled by default and it's rarely used in linux. I doubt a single exploit out there takes it into account. Under a targeted attack they'd really have their work cut out for them.

    I'll look into a flash sandbox. If it runs in a plugin process I have to create a new profile.
  6. Hungry Man

    EDIT: Success, or so it would seem. I've got Google Chrome running in a really convoluted sandbox that I will likely scrap and recreate at a later time lol

    EDIT2: Removed the really overly complex Chrome profile. I'm keeping the Java plugin profile though. I'll just add a renderer apparmor sandbox I think and leave it at that.

    The goal right now is to convert the Chromium renderer profile:

    to a Chrome renderer profile. I'm just not familiar with linux enough to do it lol
    Last edited: Mar 15, 2012
  7. x942

    This is what I got:
    Code:
    #include <tunables/global>
    
    /opt/google/chrome/google-chrome flags=(complain) {
      #include <abstractions/base>
      #include <abstractions/bash>
      #include <abstractions/consoles>
    
    
    
      /bin/bash ix,
      /opt/google/chrome/google-chrome r,
    
    
      ^null-39 flags=(complain) {
    
        /etc/ld.so.cache r,
        /lib/libc-2.10.1.so mr,
        /usr/lib/gconv/gconv-modules.cache r,
        /usr/lib/locale/pt_BR.utf8/LC_ADDRESS r,
        /usr/lib/locale/pt_BR.utf8/LC_COLLATE r,
        /usr/lib/locale/pt_BR.utf8/LC_CTYPE r,
        /usr/lib/locale/pt_BR.utf8/LC_IDENTIFICATION r,
        /usr/lib/locale/pt_BR.utf8/LC_MEASUREMENT r,
        /usr/lib/locale/pt_BR.utf8/LC_MESSAGES/SYS_LC_MESSAGES r,
        /usr/lib/locale/pt_BR.utf8/LC_MONETARY r,
        /usr/lib/locale/pt_BR.utf8/LC_NAME r,
        /usr/lib/locale/pt_BR.utf8/LC_NUMERIC r,
        /usr/lib/locale/pt_BR.utf8/LC_PAPER r,
        /usr/lib/locale/pt_BR.utf8/LC_TELEPHONE r,
        /usr/lib/locale/pt_BR.utf8/LC_TIME r,
        /usr/share/locale/locale.alias r,
    
      }
    
      ^null-3b flags=(complain) {
    
        /etc/ld.so.cache r,
        /lib/libc-2.10.1.so mr,
        /usr/lib/gconv/gconv-modules.cache r,
        /usr/lib/locale/pt_BR.utf8/LC_ADDRESS r,
        /usr/lib/locale/pt_BR.utf8/LC_COLLATE r,
        /usr/lib/locale/pt_BR.utf8/LC_CTYPE r,
        /usr/lib/locale/pt_BR.utf8/LC_IDENTIFICATION r,
        /usr/lib/locale/pt_BR.utf8/LC_MEASUREMENT r,
        /usr/lib/locale/pt_BR.utf8/LC_MESSAGES/SYS_LC_MESSAGES r,
        /usr/lib/locale/pt_BR.utf8/LC_MONETARY r,
        /usr/lib/locale/pt_BR.utf8/LC_NAME r,
        /usr/lib/locale/pt_BR.utf8/LC_NUMERIC r,
        /usr/lib/locale/pt_BR.utf8/LC_PAPER r,
        /usr/lib/locale/pt_BR.utf8/LC_TELEPHONE r,
        /usr/lib/locale/pt_BR.utf8/LC_TIME r,
        /usr/share/locale/locale.alias r,
    
      }
    
      ^null-3d flags=(complain) {
        deny capability chown,
        deny capability dac_override,
        deny capability fsetid,
        deny capability setgid,
        deny capability setuid,
        deny capability sys_admin,
        deny capability sys_chroot,
    
    
        deny owner /proc/ r,
        deny /proc/2186/fd/ r,
        deny /proc/2427/fd/ r,
    
        /dev/urandom r,
        /etc/fonts/** r,
        /etc/ld.so.cache mr,
        /etc/localtime r,
        owner /home/jussier/.fontconfig/c01270a3a4ffb1849c76eac544526ed1-x86.cache-2 r,
        owner /home/jussier/.fonts.conf r,
        /lib/lib*so* mr,
        /opt/google/chrome/chrome.pak mr,
        /opt/google/chrome/libffmpegsumo.so mr,
        /opt/google/chrome/locales/pt-BR.pak mr,
    
      }
    
      ^null-45 flags=(complain) {
    
        /etc/ld.so.cache r,
        /lib/lib*so* mr,
        /usr/lib/gconv/gconv-modules.cache r,
        /usr/lib/locale/pt_BR.utf8/LC_ADDRESS r,
        /usr/lib/locale/pt_BR.utf8/LC_COLLATE r,
        /usr/lib/locale/pt_BR.utf8/LC_CTYPE r,
        /usr/lib/locale/pt_BR.utf8/LC_IDENTIFICATION r,
        /usr/lib/locale/pt_BR.utf8/LC_MEASUREMENT r,
        /usr/lib/locale/pt_BR.utf8/LC_MESSAGES/SYS_LC_MESSAGES r,
        /usr/lib/locale/pt_BR.utf8/LC_MONETARY r,
        /usr/lib/locale/pt_BR.utf8/LC_NAME r,
        /usr/lib/locale/pt_BR.utf8/LC_NUMERIC r,
        /usr/lib/locale/pt_BR.utf8/LC_PAPER r,
        /usr/lib/locale/pt_BR.utf8/LC_TELEPHONE r,
        /usr/lib/locale/pt_BR.utf8/LC_TIME r,
        /usr/share/locale/locale.alias r,
    
      }
    
      ^null-47 flags=(complain) {
    
        /etc/ld.so.cache r,
        /lib/libc-2.10.1.so mr,
        /usr/lib/gconv/gconv-modules.cache r,
        /usr/lib/locale/pt_BR.utf8/LC_ADDRESS r,
        /usr/lib/locale/pt_BR.utf8/LC_COLLATE r,
        /usr/lib/locale/pt_BR.utf8/LC_CTYPE r,
        /usr/lib/locale/pt_BR.utf8/LC_IDENTIFICATION r,
        /usr/lib/locale/pt_BR.utf8/LC_MEASUREMENT r,
        /usr/lib/locale/pt_BR.utf8/LC_MESSAGES/SYS_LC_MESSAGES r,
        /usr/lib/locale/pt_BR.utf8/LC_MONETARY r,
        /usr/lib/locale/pt_BR.utf8/LC_NAME r,
        /usr/lib/locale/pt_BR.utf8/LC_NUMERIC r,
        /usr/lib/locale/pt_BR.utf8/LC_PAPER r,
        /usr/lib/locale/pt_BR.utf8/LC_TELEPHONE r,
        /usr/lib/locale/pt_BR.utf8/LC_TIME r,
        /usr/share/locale/locale.alias r,
    
      }
    
      ^null-49 flags=(complain) {
        capability chown,
        capability dac_override,
        capability sys_admin,
        capability sys_ptrace,
    
    
        deny /proc/2427/fd/ r,
        deny /proc/2472/fd/ r,
        deny /proc/2473/fd/ r,
        deny /proc/2481/fd/ r,
        deny /proc/2487/fd/ r,
        deny /proc/2489/fd/ r,
        deny /proc/2538/fd/ r,
        deny /proc/2539/fd/ r,
        deny /proc/2541/fd/ r,
        deny /proc/2543/fd/ r,
        deny /proc/2547/fd/ r,
        deny /proc/2548/fd/ r,
        deny /proc/2631/fd/ r,
        deny /proc/2670/fd/ r,
        deny /proc/2677/fd/ r,
        deny /proc/2680/fd/ r,
        deny /proc/3583/fd/ r,
        deny /proc/3735/fd/ r,
        deny /proc/3747/fd/ r,
        deny /proc/3758/fd/ r,
        deny /proc/3760/fd/ r,
        deny /proc/3763/fd/ r,
        deny owner /proc/6001/fd/ r,
        deny /proc/6691/fd/ r,
        deny /proc/6696/fd/ r,
        deny /proc/6707/fd/ r,
        deny /proc/8339/fd/ r,
        deny /proc/8358/fd/ r,
        deny /proc/8368/fd/ r,
        deny /proc/8501/fd/ r,
        deny /proc/8506/fd/ r,
        deny /proc/8508/fd/ r,
        deny /proc/8520/fd/ r,
        deny /proc/8722/fd/ r,
        deny /proc/8725/fd/ r,
        deny owner /proc/8727/fd/ r,
        deny /proc/9527/fd/ r,
        deny /proc/9528/fd/ r,
        deny /proc/9529/fd/ r,
        deny /proc/9530/fd/ r,
        deny /proc/9565/fd/ r,
        deny /proc/9568/fd/ r,
        deny /proc/9572/fd/ r,
        deny /proc/9574/fd/ r,
        deny /proc/9582/fd/ r,
        deny /proc/9583/fd/ r,
        deny /proc/9770/fd/ r,
        deny /proc/9775/fd/ r,
        deny /proc/9789/fd/ r,
        deny /proc/9791/fd/ r,
        deny /proc/9800/fd/ r,
        deny owner /proc/9800/mounts r,
        deny owner /proc/9800/status r,
        deny /proc/9803/fd/ r,
        deny owner /proc/9804/fd/ r,
        deny owner /proc/9805/fd/ r,
        deny owner /proc/9805/mounts r,
        deny owner /proc/9805/status r,
        deny owner /proc/9807/fd/ r,
        deny /proc/sys/kernel/shmmax r,
        deny /usr/share/zoneinfo/Australia/ r,
        deny /usr/share/zoneinfo/Australia/ACT r,
        deny /usr/share/zoneinfo/Australia/Adelaide r,
        deny /usr/share/zoneinfo/Australia/Brisbane r,
        deny /usr/share/zoneinfo/Australia/Broken_Hill r,
        deny /usr/share/zoneinfo/Australia/Canberra r,
        deny /usr/share/zoneinfo/Australia/Currie r,
        deny /usr/share/zoneinfo/Australia/Darwin r,
        deny /usr/share/zoneinfo/Australia/Eucla r,
        deny /usr/share/zoneinfo/Australia/Hobart r,
        deny /usr/share/zoneinfo/Australia/LHI r,
        deny /usr/share/zoneinfo/Australia/Lindeman r,
        deny /usr/share/zoneinfo/Australia/Lord_Howe r,
        deny /usr/share/zoneinfo/Australia/Melbourne r,
        deny /usr/share/zoneinfo/Australia/NSW r,
        deny /usr/share/zoneinfo/Australia/North r,
        deny /usr/share/zoneinfo/Australia/Perth r,
        deny /usr/share/zoneinfo/Australia/Queensland r,
        deny /usr/share/zoneinfo/Australia/South r,
        deny /usr/share/zoneinfo/Australia/Sydney r,
        deny /usr/share/zoneinfo/Australia/Tasmania r,
        deny /usr/share/zoneinfo/Australia/Victoria r,
        deny /usr/share/zoneinfo/Australia/West r,
        deny /usr/share/zoneinfo/Australia/Yancowinna r,
        deny /usr/share/zoneinfo/Brazil/ r,
    
        /dev/urandom r,
        /etc/fonts/** r,
        /etc/ld.so.cache mr,
        /etc/localtime r,
        owner /home/jussier/.fontconfig/c01270a3a4ffb1849c76eac544526ed1-x86.cache-2 r,
        owner /home/jussier/.fonts.conf r,
        /lib/libbz2.so.* mr,
        /lib/libc-*.so mr,
        /lib/libdbus-1.so.* mr,
        /lib/libdl-*.so mr,
        /lib/libexpat.so.* mr,
        /lib/libgcc_s.so.* mr,
        /lib/libm-*.so mr,
        /lib/libpcre.so.* mr,
        /lib/libpthread-*.so mr,
        /lib/libresolv-*.so mr,
        /lib/librt-*.so mr,
        /lib/libselinux.so.* mr,
        /lib/libz.so.* mr,
        /opt/google/chrome/chrome.pak mr,
        /opt/google/chrome/libffmpegsumo.so mr,
        /opt/google/chrome/locales/pt-BR.pak mr,
        owner /proc/ r,
        /proc/2186/fd/ r,
        /usr/lib/gconv/gconv-modules.cache mr,
        /usr/lib/lib*so* mr,
        /usr/lib/libORBit-2.so.* mr,
        /usr/lib/libX11.so.* mr,
        /usr/lib/libXau.so.* mr,
        /usr/lib/libXcomposite.so.* mr,
        /usr/lib/libXcursor.so.* mr,
        /usr/lib/libXdamage.so.* mr,
        /usr/lib/libXext.so.* mr,
        /usr/lib/libXfixes.so.* mr,
        /usr/lib/libXi.so.* mr,
        /usr/lib/locale/pt_BR.utf8/LC_ADDRESS mr,
        /usr/lib/locale/pt_BR.utf8/LC_COLLATE mr,
        /usr/lib/locale/pt_BR.utf8/LC_CTYPE mr,
        /usr/lib/locale/pt_BR.utf8/LC_IDENTIFICATION mr,
        /usr/lib/locale/pt_BR.utf8/LC_MEASUREMENT mr,
        /usr/lib/locale/pt_BR.utf8/LC_MESSAGES/SYS_LC_MESSAGES mr,
        /usr/lib/locale/pt_BR.utf8/LC_MONETARY mr,
        /usr/lib/locale/pt_BR.utf8/LC_NAME mr,
        /usr/lib/locale/pt_BR.utf8/LC_NUMERIC mr,
        /usr/lib/locale/pt_BR.utf8/LC_PAPER mr,
        /usr/lib/locale/pt_BR.utf8/LC_TELEPHONE mr,
        /usr/lib/locale/pt_BR.utf8/LC_TIME mr,
        /usr/share/locale/locale.alias r,
        /usr/share/zoneinfo/ r,
        /usr/share/zoneinfo/** r,
        /var/cache/fontconfig/17090aa38d5c6f09fb8c5c354938f1d7-x86.cache-2 mr,
        /var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-x86.cache-2 r,
        /var/cache/fontconfig/5ca8086aeacc9c68e81a71e7ef846b3b-x86.cache-2 r,
        /var/cache/fontconfig/77e41c5059666d75f92e318d4be8c21e-x86.cache-2 mr,
        /var/cache/fontconfig/7ef2298fde41cc6eeb7af42e48b7d293-x86.cache-2 mr,
        /var/cache/fontconfig/8d4af663993b81a124ee82e610bb31f9-x86.cache-2 mr,
        /var/cache/fontconfig/a1c95d6dfc9a7b34f44445cf81166004-x86.cache-2 r,
    
      }
    
      ^null-7f {
        #include <abstractions/base>
    
    
    
      }
    
      ^null-81 {
        #include <abstractions/base>
    
    
    
      }
    
      ^null-83 {
        #include <abstractions/base>
        #include <abstractions/fonts>
    
    
        capability chown,
        capability dac_override,
        capability sys_admin,
        capability sys_chroot,
        capability sys_ptrace,
    
    
        owner /home/*/.fontconfig/*.cache-3 r,
        owner /home/*/.fonts.conf r,
        owner /proc/*/auxv r,
        owner /proc/*/fd/ r,
        /proc/cpuinfo r,
        /proc/filesystems r,
        /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
        owner /tmp/chrome-sandbox-chroot-KHXaUq/ rw,
    
      }
    }
    Works for me on my XUbuntu 11.10 machine with Chrome Dev build. Not sure if I missed anything.

    Let me know if it works for you. :thumb:
    Last edited: Mar 15, 2012
  8. Hungry Man

    I'll give it a try ASAP. I think it can probably be cut down with a few **'s.
  9. x942

    LOL, probably. I took some from online and from running complain mode. I'm going to cut some stuff down.
  10. Hungry Man

    When I had my Chrome sandbox set up I had app_armor status displaying sooooo many profiles being active so I turned it off, lol. It just... didn't look right. I think I had created some sort of infinite regression where I had child processes of themselves, lol. It was all very confusing but I definitely learned a lot about setting up profiles.
  11. Hungry Man

    I'm trying to make the Chrome sandbox again but I'm not sure how to treat the /chrome/chrome-sandbox. Should I run it in its own profile? Inherit? Child? No idea.
  12. Hungry Man

    Anyone using AppArmor with VLC?
  13. x942

    I have VLC installed is there a profile? Do you want me to try and make one? :p
  14. Hungry Man

    I don't think there is one. I started making one but it got very convoluted very quickly.
  15. Hungry Man

    Got a profile set up for Chrome, NaCl, and Chrome's Sandbox. It works but I'm leaving it in complain for a few more days just to be sure.
  16. x942

    Awesome! Please post when you're done!

    VLC is giving too many issues. I gave up on it.
  17. Hungry Man

    I got it working.

    All it should need is full write access, some GPU access, full screen/ screen saver access, and I went ahead and denied it read/write access to my passwords.

    With this it runs fine. It could use work (with ogl + aa profile it gives a few issues while moving the video around. edit: Already working on fixing this.)

    Code:
    # Last Modified: Sat Mar 31 01:39:22 2012
    #include <tunables/global>
    
    /usr/bin/vlc flags=(complain) {
      #include <abstractions/base>
    
    
      deny /etc/passwd r,
    
      / r,
      /bin/dash r,
      /bin/grep rix,
      /bin/mv rix,
      /bin/sed rix,
      /dev/ r,
      /etc/fonts/** r,
      /etc/nsswitch.conf r,
      /etc/pulse/client.conf r,
      /etc/xdg/Trolltech.conf rk,
      /etc/xdg/sni-qt.conf rk,
      /home/** rwk,
      /proc/*/auxv r,
      /proc/*/cmdline r,
      /proc/*/status r,
      /proc/modules r,
      /run/shm/ r,
      /run/shm/* rw,
      /sys/devices/system/*/ r,
      /tmp/** w,
      /tmp/**/ rw,
      /usr/** rk,
      /usr/bin/dbus-send rix,
      /usr/bin/xdg-screensaver rix,
      /usr/lib{,32,64}/** mrw,
      /var/cache/** r,
      /var/lib/dbus/machine-id r,
      /var/lib/defoma/fontconfig.d/* r,
    
    }
  18. x942

    Thanks! I will run it on my Ubuntu Host. (I'm now using a Debian VM for web browsing + SeLinux + Chrome/seccomp. I think the VM adds even more security to the mix).
  19. Hungry Man

    It's now working (seemingly) perfectly.

    I'll probably reduce its read rights a bit. I also gave it IPC_Lock, which worries me a bit - though it seemed to function without it so I may take it away at a later time.

    Updated and very rough profile:

    Code:
    # Last Modified: Sat Mar 31 01:45:41 2012
    #include <tunables/global>
    
    /usr/bin/vlc {
      #include <abstractions/base>
      #include <abstractions/nvidia>
    
    
      capability ipc_lock,
    
    
      deny /etc/passwd r,
    
      / r,
      /bin/dash r,
      /bin/grep rix,
      /bin/mv rix,
      /bin/sed rix,
      /bin/sleep rix,
      /bin/which rix,
      /dev/ r,
      /dev/ati/card0 rw,
      /etc/fonts/** r,
      /etc/nsswitch.conf r,
      /etc/pulse/client.conf r,
      /etc/xdg/Trolltech.conf rk,
      /etc/xdg/sni-qt.conf rk,
      /home/** rwk,
      /proc/*/auxv r,
      /proc/*/cmdline r,
      /proc/*/status r,
      /proc/ati/* r,
      /proc/modules r,
      /run/shm/ r,
      /run/shm/* rw,
      /sys/devices/system/*/ r,
      /tmp/** w,
      /tmp/**/ rw,
      /usr/** rk,
      /usr/bin/dbus-send rix,
      /usr/bin/xdg-screensaver rix,
      /usr/lib{,32,64}/** mrw,
      /var/cache/** r,
      /var/lib/dbus/machine-id r,
      /var/lib/defoma/fontconfig.d/* r,
    
    }
  20. Hungry Man

    Nice. The seccomp + VM combo is probably very strong; seccomp's main purpose is to limit kernel exposure to programs and the VM is basically a big emulated kernel/file system. I'll be very happy when more programs start making use of it.

    Tightening the above profile up a bit.
  21. x942

    The only thing I can think of to make seccomp + VM stronger is by creating an apparmor profile for Virtual Box. Do you think that would add security or just cause issues? I'm scared to try it lol.

    I just used your profile. Chrome won't launch for some reason now (with or without the profile). I think I will have to reboot here.
  22. Hungry Man

    Chrome? How odd... it shouldn't really affect Chrome as it's for VLC.

    Are you using the VLC plugin for Chrome? That may be causing the issues - I don't use that.

    Or perhaps you accidentally set another profile to enforce via /etc/apparmor.d/* ?

    A VM would probably need so many holes poked it wouldn't be worth it, but I don't think it would hurt.

    Just do auto-dep and set it to complain and in a week you can set it up.
  23. Hungry Man

    Alright, here's what will likely be the final AppArmor profile for VLC. If you use nVidia you'll need to change a few things, different settings may also need more access.

    I've explicitly denied areas of the file system that it doesn't need/that I don't want it having access to (passwd, apparmor.d, etc.) and most of what it can do is read pieces of the file system and lock files.

    Code:
    # Last Modified: Sat Mar 31 01:45:41 2012
    #include <tunables/global>
    
    /usr/bin/vlc {
      #include <abstractions/base>
      #include <abstractions/nvidia>
    
    
      capability ipc_lock,
    
    
      deny /etc/passwd r,
      deny /etc/apparmor.d/** r,
      deny /root/** r,
      deny /selinux/** r,
      deny /boot/** r,
      deny /opt/** r,
      deny /sbin/** r,
    
      /bin/dash r,
      /bin/grep rix,
      /bin/mv rix,
      /bin/sed rix,
      /bin/sleep rix,
      /bin/which rix,
      /dev/ r,
      /dev/ati/card0 rw,
      /etc/fonts/** r,
      /etc/nsswitch.conf r,
      /etc/pulse/client.conf r,
      /etc/xdg/Trolltech.conf rk,
      /etc/xdg/sni-qt.conf rk,
      /home/** rk,
      /proc/*/auxv r,
      /proc/*/cmdline r,
      /proc/*/status r,
      /proc/ati/* r,
      /proc/modules r,
      /run/shm/ r,
      /run/shm/* rw,
      /sys/devices/system/*/ r,
      /tmp/** rw,
      /tmp/**/ rw,
      /usr/** rk,
      /usr/bin/dbus-send rix,
      /usr/bin/xdg-screensaver rix,
      /usr/lib{,32,64}/** mrw,
      /var/cache/** r,
      /var/lib/dbus/machine-id r,
      /var/lib/defoma/fontconfig.d/* r,
    
    }
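As an added example (not from the thread): a small Python linter for profiles written in the style of the VLC profiles above. It parses the rule lines and flags what a reviewer would question before switching to enforce: complain mode left on, capabilities that sidestep file rules, rules that are both writable and mmap'able (the `/usr/lib{,32,64}/** mrw` line above grants that on every library), and blanket write access under /home. The sample profile is constructed, with each rule chosen to exercise one check.

```python
import re

# Constructed, cut-down profile in the style of the VLC profile above. It is
# sample input for the linter, not the thread's own profile; the rules were
# chosen so that each check below fires once.
SAMPLE_PROFILE = """\
# Last Modified: (constructed sample)
#include <tunables/global>

/usr/bin/vlc flags=(complain) {
  #include <abstractions/base>

  capability ipc_lock,
  capability sys_admin,

  deny /etc/passwd r,
  deny /root/** r,

  /bin/grep rix,
  /home/** rwk,
  /tmp/** w,
  /usr/** rk,
  /usr/lib{,32,64}/** mrw,
  /var/cache/** r,
}
"""

HEADER_RE = re.compile(r'^(\S+)(?:\s+flags=\(([^)]*)\))?\s*\{$')
CAP_RE = re.compile(r'^(deny\s+)?capability\s+(\w+),$')
RULE_RE = re.compile(r'^(deny\s+)?(owner\s+)?(\S+)\s+([A-Za-z]+),$')

# capabilities that let a confined process step around most of the file rules
RISKY_CAPS = {"sys_admin", "sys_ptrace", "dac_override", "dac_read_search",
              "sys_module", "sys_rawio"}
SYSTEM_CODE_PREFIXES = ("/usr/", "/lib", "/bin/", "/sbin/", "/opt/", "/etc/")


def parse_profile(text):
    """Parse one top-level profile into its name, flags, capabilities and file rules.

    Rules inside ^child { } blocks are folded into the parent: for these checks
    that is what matters, since they still widen what the program can do.
    """
    prof = {"name": None, "flags": [], "caps": [], "rules": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "}":
            continue  # blank lines, comments, #include lines, closing braces
        m = HEADER_RE.match(line)
        if m:
            if prof["name"] is None:
                prof["name"] = m.group(1)
                prof["flags"] = [f.strip() for f in (m.group(2) or "").split(",") if f.strip()]
            continue
        m = CAP_RE.match(line)
        if m:
            if not m.group(1):  # "deny capability x," removes, it does not grant
                prof["caps"].append(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            prof["rules"].append({"deny": bool(m.group(1)), "owner": bool(m.group(2)),
                                  "path": m.group(3), "mode": m.group(4)})
    return prof


def lint(prof):
    """Return (severity, message) findings a reviewer would raise on the profile."""
    out = []
    if "complain" in prof["flags"]:
        out.append(("info", f"{prof['name']} is in complain mode: violations are logged, not blocked"))
    for cap in prof["caps"]:
        if cap in RISKY_CAPS:
            out.append(("high", f"capability {cap} lets the process bypass most of what the file rules enforce"))
    for r in prof["rules"]:
        if r["deny"]:
            continue  # deny rules only ever remove access
        path, mode = r["path"], r["mode"]
        if "w" in mode and "m" in mode:
            out.append(("high", f"{path} {mode}: writable and mmap-executable, the process could load code it wrote itself"))
        elif "w" in mode and path.startswith(SYSTEM_CODE_PREFIXES):
            out.append(("high", f"{path} {mode}: write access under a system path; AppArmor only restricts, so this relies on DAC alone"))
        if "w" in mode and path.startswith("/home/") and "**" in path and not r["owner"]:
            out.append(("medium", f"{path} {mode}: write access to every home directory, not only the user's own files"))
        if "ux" in mode.lower():
            out.append(("high", f"{path} {mode}: executes a child unconfined"))
    return out


if __name__ == "__main__":
    for severity, msg in lint(parse_profile(SAMPLE_PROFILE)):
        print(f"[{severity}] {msg}")
```

Point it at a file from /etc/apparmor.d/ by reading it into SAMPLE_PROFILE's place; the checks are deliberately conservative and a finding means "justify this", not "this is wrong".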
  24. x942

    That was it. The VLC Plugin was causing some issues for me. I removed it (not sure why I even had it enabled) and all is good now. The profile works for me.

    Ha. I think I will try it. Probably be one big profile though.
  25. Hungry Man

    I'm trying to profile everything I possibly can. I don't have that much installed though lol

    edit: Working on a VM AA profile.