Anyone using Apparmor?

Discussion in 'all things UNIX' started by Hungry Man, Mar 11, 2012.

Thread Status:
Not open for further replies.
  1. x942

    x942 Guest

    Nice. I see you are making progress :D I mostly have a stock XUbuntu with chrome dev, keepassx, Truecrypt, virtualbox, and a few CLI tools installed. Everything else came with XUbuntu.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I have Virtualbox for a ChromiumOS VM that I tried out. I'm leaving it installed because I may want to test malware in an XP or 7 VM at some point.

    I may as well set it up with AppArmor considering I'll be running malware on it.
     
  3. x942

    x942 Guest

    Yes. If you are running malware in it I would take every precaution. I normally mount a USB WiFi card and disable networking on the host to prevent any communication. I have encountered some malware that tries to exploit systems on the same LAN so I also set up an isolated AP.

    I have a dedicated machine for these VMs now though, so not AS paranoid as I once was.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah, I'll probably set up some network stuff to keep everything in the VirtualBox where it is (AppArmor actually has some network options), and I believe the services that handle some areas of the network can actually be run with AppArmor profiles as well, though that would be less useful as they could still probably do what's needed.

    I'm not too worried though. I don't plan to test any malware out for a few months and by then I should be fine.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Ok. Still working on the VM (making progress) but here's the transmission-GTK (torrent client that comes with Ubuntu) that I've just set up.

    Part of it I took from someone else's and the rest is from manual/ autodep/ logprof.

    Code:
    # Last Modified: Sat Mar 31 03:32:03 2012
    #include <tunables/global>
    
    /usr/bin/transmission-gtk {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/dbus>
      #include <abstractions/fonts>
      #include <abstractions/gnome>
      #include <abstractions/nameservice>
      #include <abstractions/private-files>
    
      # deny rules take precedence over the broad /home/** allow further down
      deny /etc/passwd r,
      deny @{HOME}/.Private/ r,
      deny @{HOME}/.bash* rw,
      deny @{HOME}/.zshrc rw,
      deny @{HOME}/Private/ r,
      deny @{PROC}/ r,
      deny @{PROC}/* r,
    
      /etc/gtk-3.0/settings.ini r,
      /etc/nsswitch.conf r,
      /etc/pkcs11/modules/ r,
      /home/** rw,
      # literal /home/downloads, not @{HOME}/Downloads
      /home/downloads/** rwk,
      /proc/sys/kernel/** r,
      /usr/bin/transmission-gtk r,
      /usr/share/glib-2.0/schemas/* r,
      /usr/share/icons/Humanity/actions/24/* r,
      /usr/share/themes/Ambiance/gtk-3.0/* r,
      /var/lib/dbus/* r,
    }
     
    Last edited: Mar 31, 2012
  6. x942

    x942 Guest

    My system is starting to feel like a fortress :D
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Updated Transmission just a bit:
    Here's where I'm at so far with virtualbox (nearly got it working):
    Code:
    # Last Modified: Sat Mar 31 13:16:49 2012
    #include <tunables/global>
    
    /usr/share/virtualbox/VBox.sh flags=(complain) {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/bash>
      #include <abstractions/cups-client>
      #include <abstractions/dbus-session>
      #include <abstractions/fonts>
      #include <abstractions/nvidia>
    
      capability sys_ptrace,
    
      network inet stream,
      network inet6 stream,
    
      deny /etc/passwd r,
    
      /bin/bash rix,
      /bin/dash rix,
      /bin/which rix,
      /etc/nsswitch.conf r,
      /etc/xdg/Trolltech.conf rk,
      /home/*/.ICEauthority r,
      /home/*/.VirtualBox/* w,
      /home/*/.Xauthority r,
      /home/*/.cache/dconf/user rw,
      /home/*/.config/Trolltech.conf rk,
      /home/*/.config/dconf/user r,
      /home/*/.local/share/* r,
      "/home/*/VirtualBox VMs/*/" w,
      /lib/** r,
      /lib32/** r,
      /lib64/** r,
      /proc/*/cmdline r,
      /proc/*/io r,
      /proc/*/oom_score_adj rw,
      /proc/*/stat r,
      /proc/*/statm r,
      /proc/*/status r,
      /proc/*/task/** r,
      /proc/ati/* r,
      /proc/meminfo r,
      /proc/modules r,
      /proc/sys/kernel/** r,
      /proc/tty/drivers r,
      /proc/uptime r,
      /proc/version r,
      /usr/lib/virtualbox/VirtualBox rix,
      /usr/lib{,32,64}/** mr,
      /usr/share/glib-2.0/** r,
      /usr/share/icons/** r,
      /usr/share/themes/** r,
      /usr/share/virtualbox/** r,
    
    }
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    VirtualBox is done. If you use nvidia you'll need to change things up a bit. It might be a bit loose in some areas and a bit tight in others. I gave it superfluous read access in a few areas but if it can lock or write a file it's because it needs to. Explicitly blocked the password file.

    Code:
    # Last Modified: Sat Mar 31 15:33:21 2012
    #include <tunables/global>
    
    /usr/share/virtualbox/VBox.sh {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/bash>
      #include <abstractions/cups-client>
      #include <abstractions/dbus-session>
      #include <abstractions/fonts>
      #include <abstractions/nameservice>
      #include <abstractions/nvidia>
    
      capability net_raw,
      capability sys_ptrace,
    
      network inet raw,
      network inet stream,
      network inet6 stream,
    
      deny /etc/passwd r,
    
      /bin/bash rix,
      /bin/dash rix,
      /bin/which rix,
      /dev/ati/* rw,
      /dev/vboxdrv rw,
      /etc/xdg/Trolltech.conf rk,
      /home/*/.ICEauthority r,
      /home/*/.VirtualBox/ r,
      /home/*/.VirtualBox/* rw,
      /home/*/.Xauthority r,
      /home/*/.cache/dconf/user rw,
      /home/*/.config/Trolltech.conf rk,
      /home/*/.config/dconf/user r,
      /home/*/.icons/ r,
      /home/*/.local/share/* r,
      "/home/*/Documents/OS Images/*" r,
      "/home/*/VirtualBox VMs/**" rw,
      /lib/** r,
      /lib32/** r,
      /lib64/** r,
      /proc/ r,
      /proc/*/cmdline r,
      /proc/*/io r,
      /proc/*/oom_score_adj rw,
      /proc/*/stat r,
      /proc/*/statm r,
      /proc/*/status r,
      /proc/*/task/** r,
      /proc/ati/* r,
      /proc/meminfo r,
      /proc/modules r,
      /proc/sys/kernel/** r,
      /proc/tty/drivers r,
      /proc/uptime r,
      /proc/version r,
      /run/resolvconf/* r,
      /sys/block/ r,
      /sys/class/*/ r,
      /sys/devices/** r,
      /tmp/** wk,
      /usr/lib/virtualbox/VBoxSVC rix,
      /usr/lib/virtualbox/VBoxTestOGL rix,
      /usr/lib/virtualbox/VBoxXPCOMIPCD rix,
      /usr/lib/virtualbox/VirtualBox rix,
      /usr/lib{,32,64}/** mr,
      /usr/share/glib-2.0/** r,
      /usr/share/icons/ r,
      /usr/share/icons/** rk,
      /usr/share/mime/* r,
      /usr/share/pixmaps/ r,
      /usr/share/themes/** r,
      /usr/share/virtualbox/** r,
      owner /{run,dev}/shm/* rk,
      /{run,dev}/shm/* w,
    
    }
    You may want to add
    /usr/lib/virtualbox/* rix,

    There aren't really any more I can profile on my system. Everything worth profiling is profiled.

    Unfortunately we can't build seccomp filters, they have to be compiled into the program. When Ubuntu 12.04 is released we'll hopefully see the most common programs (pidgin, browsers, etc) make use of this. Or perhaps there will be some way to implement them from outside of the program.

    Here's Chrome + Chrome Sandbox + nacli


    Chrome (opt.google.chrome.google-chrome):
    Code:
    # Last Modified: Sat Mar 31 04:27:39 2012
    #include <tunables/global>
    
    /opt/google/chrome/google-chrome {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/bash>
      #include <abstractions/cups-client>
      #include <abstractions/dbus-session>
      #include <abstractions/fonts>
      #include <abstractions/freedesktop.org>
      #include <abstractions/gnome>
      #include <abstractions/nameservice>
      #include <abstractions/nvidia>
      #include <abstractions/ubuntu-konsole>
      #include <abstractions/user-tmp>
    
      capability ipc_lock,
      capability sys_ptrace,
    
      network inet stream,
      network inet6 stream,
    
      / r,
      /** r,
      /**/ r,
      /bin/bash ix,
      /bin/dash rix,
      /bin/grep rix,
      /bin/mkdir rix,
      /bin/ps rix,
      /bin/readlink rix,
      /bin/which rix,
      /dev/ati/card0 rw,
      /dev/video0 r,
      /etc/debian_version r,
      /etc/lsb-release r,
      /etc/passwd m,
      /etc/pulse/client.conf r,
      /etc/python2.7/* r,
      /home/*/.Xauthority r,
      /home/*/.cache/dconf/user rw,
      /home/*/.cache/google-chrome/Default/Cache/* rw,
      "/home/*/.cache/google-chrome/Default/Media Cache/*" rw,
      "/home/*/.cache/google-chrome/Profile 1/Cache/*" rw,
      /home/*/.config/dconf/* r,
      /home/*/.config/google-chrome/** rwk,
      /home/*/.gtk-bookmarks r,
      /home/*/.macromedia/Flash_Player/** rw,
      /home/*/.pki/nssdb/* rwk,
      /home/*/.pulse-cookie rwk,
      /home/documents/ r,
      /opt/google/** rw,
      /opt/google/chrome/* mr,
      /opt/google/chrome/PepperFlash/* mr,
      /opt/google/chrome/chrome rix,
      /opt/google/chrome/chrome-sandbox px,
      /opt/google/chrome/xdg-settings rix,
      /proc/*/io r,
      /proc/*/oom_score_adj w,
      /proc/*/stat r,
      /proc/*/statm r,
      /proc/*/status r,
      /proc/*/task/** r,
      /proc/ati/* r,
      /proc/meminfo r,
      /proc/modules r,
      /proc/sys/kernel/pid_max r,
      /proc/tty/drivers r,
      /proc/uptime r,
      /proc/version r,
      /run/shm/* rwm,
      /run/** rw,
      /sys/devices/** r,
      /sys/devices/pci[0-9]*/**/class r,
      /sys/devices/pci[0-9]*/**/device r,
      /sys/devices/pci[0-9]*/**/irq r,
      /sys/devices/pci[0-9]*/**/resource r,
      /sys/devices/pci[0-9]*/**/vendor r,
      owner /tmp/** mrlk,
      /tmp/** w,
      /tmp/*/ rw,
      /usr/bin/basename rix,
      /usr/bin/dirname rix,
      /usr/bin/gvfs-open rix,
      /usr/bin/lsb_release rix,
      /usr/bin/xdg-open rix,
      /usr/bin/xdg-settings rix,
      /usr/include/python2.7/* r,
      /usr/lib{,32,64}/** mr,
      /usr/share/alsa/** r,
      /usr/share/fonts/**/*.pfb m,
      /usr/share/fonts/truetype/**/*.tt[cf] m,
      /usr/share/glib-2.0/schemas/* r,
      /usr/share/gvfs/remote-volume-monitors/* r,
      /usr/share/icons/**/*.cache m,
      /usr/share/mime/mime.cache m,
      /usr/share/pyshared/* r,
      /usr/share/themes/** r,
      /var/lib/dbus/machine-id r,
      /var/tmp/* rw,
      owner /{dev,run}/shm/pulse-shm* m,
      owner @{HOME}/ r,
      owner @{HOME}/.local/share/mime/mime.cache m,
      owner @{HOME}/Downloads/ r,
      owner @{HOME}/Downloads/* rw,
      owner @{HOME}/Public/ r,
      owner @{HOME}/Public/* r,
      owner @{PROC}/[0-9]*/auxv r,
      @{PROC}/[0-9]*/net/if_inet6 r,
      @{PROC}/[0-9]*/net/ipv6_route r,
    
    }

    Sandbox (opt.google.chrome.chrome-sandbox):
    Code:
    # Last Modified: Sat Mar 31 00:09:28 2012
    #include <tunables/global>
    
    /opt/google/chrome/chrome-sandbox {
      #include <abstractions/base>
      #include <abstractions/ubuntu-konsole>
    
      # used by the setuid sandbox helper to chroot, set up namespaces and drop privileges
      capability chown,
      capability fsetid,
      capability dac_override,
      capability setgid,
      capability setuid,
      capability sys_admin,
      capability sys_chroot,
      capability sys_ptrace,
    
      /home/*/.config/google-chrome/Default/** rwk,
      /home/*/.config/google-chrome/Dictionaries/* r,
      /home/documents/ r,
      /opt/google/** mr,
      /opt/google/chrome/ r,
      /opt/google/chrome/chrome rix,
      /opt/google/chrome/chrome-sandbox r,
      /opt/google/chrome/google-chrome r,
      /opt/google/chrome/nacl_helper_bootstrap px,
    
      # /proc/*/ already covers the @{PROC}/[0-9]*/ forms autodep generated
      /proc/ r,
      /proc/*/ r,
      /proc/*/fd/ r,
      /proc/*/oom_score_adj w,
      /proc/*/status r,
      /proc/sys/kernel/shmmax r,
      @{PROC}/[0-9]*/oom_adj w,
      @{PROC}/[0-9]*/task/[0-9]*/stat r,
      /run/shm/* rw,
      /sys/devices/system/cpu/** r,
    
      # dynamic loader and C library
      /etc/ld.so.cache r,
      /lib/libgcc_s.so* mr,
      /lib{,32,64}/libm-*.so* mr,
      /lib/@{multiarch}/libm-*.so* mr,
      /lib{,32,64}/libpthread-*.so* mr,
      /lib/@{multiarch}/libpthread-*.so* mr,
      /lib{,32,64}/libc-*.so* mr,
      /lib/@{multiarch}/libc-*.so* mr,
      /lib{,32,64}/libld-*.so* mr,
      /lib/@{multiarch}/libld-*.so* mr,
      /lib{,32,64}/ld-*.so* mr,
      /lib/@{multiarch}/ld-*.so* mr,
      /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
      /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
      /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
      /usr/lib/libstdc++.so* mr,
    }
    NaCli (opt.google.chrome.nacl_helper_bootstrap):

    Code:
    # Last Modified: Sat Mar 31 04:24:18 2012
    #include <tunables/global>
    
    /opt/google/chrome/nacl_helper_bootstrap {
      #include <abstractions/base>
    
      /opt/google/chrome/nacl_helper mr,
      /opt/google/chrome/nacl_irt_x86_64.nexe r,
      /run/shm/* mrw,
      /sys/devices/system/cpu/cpu0/** r,
      /tmp/* r,
    }
    NaCli's profile may need more work. Haven't tested it.
     
    Last edited: Mar 31, 2012
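The profiles above mix broad allows (/home/** rw, /** r) with explicit deny lines, and whether a given file ends up reachable depends on AppArmor's precedence: deny rules win over allow rules, and an owner rule only applies to files the confined process owns. The following is an added example, not code from the thread or from the AppArmor project: a small evaluator that parses a profile body, converts AppArmor globs to regular expressions and reports the effective permission for a path, plus a lint pass that flags the rules a reviewer would question before switching from complain to enforce. It assumes the usual tunable values (@{HOME} as /home/*/, @{PROC} as /proc/), does not expand #include abstractions, treats commas as alternation separators, and uses a trimmed copy of the transmission-gtk profile posted earlier as its sample input.

```python
import re
import shlex
from collections import namedtuple

# Assumed expansions of the tunables used in the profiles above (tunables/global).
VARS = {"@{HOME}": "/home/*/", "@{PROC}": "/proc/", "@{multiarch}": "*-linux-gnu*"}
PERM_CHARS = set("rwaklmx")
RISKY_CAPS = {"sys_admin", "dac_override", "sys_ptrace", "sys_module"}
GLOB_TOKEN = re.compile(r"\*\*|\[[^\]]*\]|.")
Rule = namedtuple("Rule", "pattern regex perms deny owner")
Profile = namedtuple("Profile", "name complain capabilities rules")


def glob_to_regex(pattern: str) -> re.Pattern:
    """AppArmor globbing: '*' stays inside one path component, '**' may cross
    '/', '?' is one character, [...] classes and {a,b} alternation are kept."""
    for var, val in VARS.items():
        pattern = pattern.replace(var, val)
    pattern = re.sub("/{2,}", "/", pattern)  # "@{HOME}/x" expands to "/home/*//x"
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")", ",": "|"}
    out = [table.get(t) or (t if t.startswith("[") else re.escape(t))
           for t in GLOB_TOKEN.findall(pattern)]
    return re.compile("^" + "".join(out) + "$")


def parse_profile(text: str) -> Profile:
    """Reads one profile body. Comments, #include lines and network rules are
    skipped, so only the rules written in this file are evaluated."""
    prof = Profile("", False, [], [])
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")
        if not line or line[0] in "#}":
            continue
        if line.endswith("{"):  # header: "/usr/bin/foo flags=(complain) {"
            prof = prof._replace(name=line.split()[0], complain="flags=(complain)" in line)
            continue
        tokens = shlex.split(line)  # shlex handles "/home/*/VirtualBox VMs/**" rw
        deny, owner = "deny" in tokens[:2], "owner" in tokens[:2]
        tokens = [t for t in tokens if t not in ("deny", "owner")]
        if tokens[0] == "capability":
            prof.capabilities.append(tokens[1])
        elif tokens[0] != "network":
            path, perms = tokens[0], set(tokens[1]) & PERM_CHARS
            prof.rules.append(Rule(path, glob_to_regex(path), perms, deny, owner))
    return prof


def effective_perms(prof: Profile, path: str, is_owner: bool = True) -> set:
    """Union of matching allow rules minus union of matching deny rules; this
    is why a deny line still bites under a broad '/home/** rw'."""
    allow, deny = set(), set()
    for rule in prof.rules:
        if (rule.owner and not is_owner) or not rule.regex.match(path):
            continue
        (deny if rule.deny else allow).update(rule.perms)
    return allow - deny


def allowed(prof: Profile, path: str, want: str, is_owner: bool = True) -> bool:
    """Enforce mode passes a request only if every wanted permission survives;
    complain mode lets everything through and only logs it."""
    return prof.complain or set(want) <= effective_perms(prof, path, is_owner)


def lint(prof: Profile) -> list:
    """Allow rules a reviewer would question before switching to enforce mode."""
    findings = []
    for r in prof.rules:
        perms = "".join(sorted(r.perms))
        if r.deny:
            continue
        if r.pattern.startswith("/**") or r.pattern == "/home/**":
            findings.append(f"{r.pattern} {perms}: far broader than one application needs")
        elif r.pattern.startswith(("/home/", "/tmp/")) and "w" in perms and not r.owner:
            findings.append(f"{r.pattern} {perms}: writable without 'owner', other users' files included")
    findings += [f"capability {c}: near root-equivalent, confirm it is really needed"
                 for c in prof.capabilities if c in RISKY_CAPS]
    return findings


# Trimmed copy of the transmission-gtk profile from the thread (most includes dropped).
TRANSMISSION = """
/usr/bin/transmission-gtk {
  #include <abstractions/base>
  deny /etc/passwd r,
  deny @{HOME}/.bash* rw,
  deny @{HOME}/Private/ r,
  deny @{PROC}/ r,
  deny @{PROC}/* r,
  /home/** rw,
  /home/downloads/** rwk,
  /proc/sys/kernel/** r,
  /usr/bin/transmission-gtk r,
  /usr/share/glib-2.0/schemas/* r,
}
"""

if __name__ == "__main__":
    p = parse_profile(TRANSMISSION)
    for path, want in [("/home/alice/.bashrc", "r"), ("/home/alice/Downloads/x.torrent", "rw"),
                       ("/proc/cpuinfo", "r"), ("/proc/sys/kernel/pid_max", "r")]:
        print(f"{path} {want}: {'allowed' if allowed(p, path, want) else 'denied'}")
    print("\n".join(lint(p)))
```

Running it shows that /home/alice/.bashrc stays denied even though /home/** rw matches it, while /proc/sys/kernel/pid_max is readable because the deny on @{PROC}/* does not cross a slash. The lint output names exactly the two rules in that profile a practitioner should narrow before enforcing: the /home/** write access and the non-owner write under /home/downloads.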
  9. x942

    x942 Guest

    AWESOME! :thumb: Thanks! Every thing works here great. I am making one for libreoffice now :D
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If you want to execute or open files from Chrome's downloads folder via the Chrome download manager you need to give it another line but I actually would prefer to keep mine limited and unable to do so.

    I actually tested some malware in a completely unpatched VBox + unpatched Flash 11.1 and unpatched Java 6.0. XP fell fast and hard.

    On my XP VM for Netflix I'm just keeping it patched + using EMET.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Working on AppArmor for Skype. Hopefully I can get my webcam working haha
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Works for me. Most of this was autodep + logprof but I added a few things in there to hopefully ensure compatibility.
    Code:
    # Last Modified: Sun Apr  1 17:14:17 2012
    # REPOSITORY: http://apparmor.test.opensuse.org/backend/api draglor 53
    # Additional profiling based on work by Андрей Калинин, LP: #226624
    
    #include <tunables/global>
    
    /usr/bin/skype {
      #include <abstractions/X>
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/fonts>
      #include <abstractions/freedesktop.org>
      #include <abstractions/kde>
      #include <abstractions/nameservice>
      #include <abstractions/nvidia>
      #include <abstractions/user-tmp>
    
    
    
      /dev/ r,
      /dev/video* mrw,
      /etc/passwd mr,
      /etc/xdg/Trolltech.conf rk,
      /etc/xdg/sni-qt.conf rk,
      /lib/ r,
      /proc/*/auxv r,
      /proc/*/cmdline r,
      /proc/*/net/arp r,
      /proc/*/task/ r,
      # aa-logprof emitted one /proc/*/task/<tid>/stat rule per thread id it saw;
      # those ids are transient and all of them are covered by the glob below
      /proc/*/task/** r,
      /proc/sys/kernel/osrelease r,
      /proc/sys/kernel/ostype r,
      /sys/devices/system/cpu/ r,
      /sys/devices/system/cpu/cpu0/cpufreq/* r,
      /usr/bin/skype mr,
      /usr/lib/ r,
      /usr/local/lib/ r,
      /usr/share/fonts/** mr,
      /usr/share/skype/** mrk,
      /var/cache/libx11/compose/* r,
      /var/lib/dbus/machine-id r,
      owner /{run,dev}/shm/pulse-shm* rwk,
      /{run,dev}/shm/pulse-shm* m,
      @{HOME}/.Skype/ rw,
      @{HOME}/.Skype/** rwk,
      @{HOME}/.config/* rk,
      @{HOME}/.kde/share/config/kioslaverc r,
    
    }
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Writing a profile for dnscrypt-proxy.

    Code:
    # Last Modified: Sun Apr  1 21:07:10 2012
    #include <tunables/global>
    
    # complain mode: accesses outside the profile are logged, not blocked
    /usr/sbin/dnscrypt-proxy flags=(complain) {
      #include <abstractions/base>
      #include <abstractions/nameservice>
      #include <abstractions/nis>
    
      capability net_admin,
      capability net_bind_service,
    }
    edit: This seems to be working fine. Leaving it in complain just in case and I'll check up on it later.
     
    Last edited: Apr 1, 2012
  14. BrandiCandi

    BrandiCandi Guest

    Wow- I'll be "borrowing" some of your profiles when I get around to figuring out apparmor. Have you tested the one for skype?
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes. It works with 0 issues that I can see.

    If you need any help with AppArmor I've learned quite a lot about it making these profiles over the last few days.
     
  16. BrandiCandi

    BrandiCandi Guest

    Oh, careful... I'll probably take you up on that :p

    It's so intimidating to start into. Did you find any good tutorials? There are many out there but some blow more than others (seems to be the case for linux tutorials in general). Or maybe I just need a basic introduction to the whole thing.

    Are you using VirtualBox and did you make a profile for it?
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Always happy to help!

    lol the first time I tried SELinux I completely broke Ubuntu.

    Apparmor's way easier as long as you don't profile and break services (though you can profile them if you like.)


    I found one good tutorial but I barely used it (http://ubuntuforums.org/showthread.php?t=1008906.) Making profiles is pretty easy and a great way to learn about the file system/ services.


    I am. This post contains the profile for VirtualBox as well as my Chrome profiles.

    https://www.wilderssecurity.com/showpost.php?p=2036188&postcount=58

    If you want to create a profile you can pretty much do

    sudo aa-autodep <application name> (google-chrome, virtualbox, pidgin, etc.) and it will generate a profile for you, and you can then edit it from there.

    Leaving the generated profile in complain mode and just opening/ closing it and using it as you normally would for 5 minutes is enough to generate a ton of rules.

    You can commit those rules by running:
    sudo aa-logprof

    And then choosing which rules to allow/deny. The most complex thing is deciding what to do when it executes a profile (you either deny, have it run within the apparmor sandbox, have it run out of the sandbox, or run it in a separate profile altogether) but you can get the hang of that easy.
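What aa-logprof does with those five minutes of complain-mode logging is read the kernel's audit records and turn each one into a candidate rule. The block below is an added example, not code from the thread or from the AppArmor tools, that reproduces that step over constructed audit lines and adds the generalisation a maintainable profile needs: per-process and per-thread components under /proc become [0-9]* globs, a user's home directory becomes @{HOME}, a path gets the owner qualifier only when every logged access was to a file the process owned (fsuid equals ouid), and capability events become capability lines. The log lines are constructed in the kernel's AppArmor audit format and are not captured from a real host; the profile names and paths are taken from the thread.

```python
import re
from collections import defaultdict

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# aa-logprof folds create/delete requests into 'w'; the profile language has no 'c' or 'd'.
MASK_MAP = {"c": "w", "d": "w"}
PERM_ORDER = "rwalkmx"


def parse_event(line: str):
    """Key/value pairs of one AppArmor audit record, or None for records that
    are not access decisions (profile loads, status changes)."""
    ev = {k: v1 or v2 for k, v1, v2 in KV.findall(line)}
    return ev if ev.get("apparmor") in ("ALLOWED", "DENIED") else None


def generalize(path: str) -> str:
    """Replace per-process and per-user path components with profile globs."""
    path = re.sub(r"^/proc/\d+", "@{PROC}/[0-9]*", path)
    path = re.sub(r"/task/\d+/", "/task/[0-9]*/", path)
    path = re.sub(r"^/home/[^/]+/", "@{HOME}/", path)
    return path


def suggest_rules(lines) -> dict:
    """Aggregate events per profile into sorted candidate rule lines.  A file
    rule gets 'owner' only when every logged access was to a file the process
    owned (fsuid == ouid); one /proc access with ouid=0 is enough to lose it."""
    files = defaultdict(lambda: defaultdict(lambda: [set(), True]))  # profile -> path -> [perms, owned]
    caps = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        prof = ev["profile"]
        if ev.get("operation") == "capable":
            caps[prof].add(ev["capname"])
            continue
        if "name" not in ev:
            continue
        entry = files[prof][generalize(ev["name"])]
        entry[0].update(MASK_MAP.get(c, c) for c in ev.get("requested_mask", ""))
        entry[1] = entry[1] and ev.get("fsuid") == ev.get("ouid")
    out = {}
    for prof in set(files) | set(caps):
        rules = [f"capability {c}," for c in caps[prof]]
        for path, (perms, owned) in files[prof].items():
            mode = "".join(c for c in PERM_ORDER if c in perms)
            rules.append(f"{'owner ' if owned else ''}{path} {mode},")
        out[prof] = sorted(rules)
    return out


# Constructed audit records in the kernel's AppArmor format (not from a real host).
SAMPLE_LOG = """
type=AVC msg=audit(1333300001.100:201): apparmor="STATUS" operation="profile_load" name="/usr/bin/skype" pid=900 comm="apparmor_parser"
type=AVC msg=audit(1333300002.100:202): apparmor="ALLOWED" operation="open" profile="/usr/bin/skype" name="/proc/16147/task/16151/stat" pid=16147 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1333300002.101:203): apparmor="ALLOWED" operation="open" profile="/usr/bin/skype" name="/proc/16147/task/16152/stat" pid=16147 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1333300002.102:204): apparmor="ALLOWED" operation="open" profile="/usr/bin/skype" name="/proc/16147/task/16153/stat" pid=16147 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1333300003.100:205): apparmor="ALLOWED" operation="open" profile="/usr/bin/skype" name="/home/alice/.Skype/config.xml" pid=16147 comm="skype" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1333300003.200:206): apparmor="ALLOWED" operation="open" profile="/usr/bin/skype" name="/home/alice/.Skype/config.xml" pid=16147 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1333300004.100:207): apparmor="DENIED" operation="capable" profile="/opt/google/chrome/google-chrome" pid=2201 comm="chrome" capability=19 capname="sys_ptrace"
""".strip().splitlines()

if __name__ == "__main__":
    for prof, rules in sorted(suggest_rules(SAMPLE_LOG).items()):
        print(f"{prof} {{")
        print("\n".join("  " + r for r in rules))
        print("}")
```

The three per-thread /proc reads collapse into a single @{PROC}/[0-9]*/task/[0-9]*/stat r, line instead of the dozens of numbered entries the generated Skype profile carries, and the two accesses to config.xml merge into one owner @{HOME}/.Skype/config.xml rw, rule. Both ALLOWED (complain mode) and DENIED (enforce mode) records are used, since either one means a rule is missing. To run it against a real system, feed the function the apparmor lines from /var/log/audit/audit.log or from dmesg, and review each suggestion before adding it; the tool proposes, it does not decide.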
     
  18. x942

    x942 Guest

    With all of these profiles I can't find any serious holes in my system. This plus a VM for browsing = fortress :D

    I am creating one for Abiword and Thunderbird.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Same.

    No open ports.
    I've removed tons of packages that came with Ubuntu.
    Anything I add to the system I profile.

    I just hope that developers make use of Mode 2 Seccomp.

    P.S. Now attempting to AppArmor Unity + Compiz lol
     
  20. x942

    x942 Guest

    What's mode 2 seccomp? Do you have any good links? I can only find Google's documentation and found it fairly weak.

    I have no open ports (UFW Set to default deny incoming)
    Removed a lot of stuff from Ubuntu XFCE.

    My VM was a basic install of Debian. Nothing besides the bare bones. I installed LXDE manually and chrome on top. Nothing else (besides security tools).
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Seccomp is the sandbox I posted about on Wilders before.
    https://www.wilderssecurity.com/showthread.php?t=321095

    Also known as seccomp filters. It's basically the Seccomp sandbox that Chrome uses but any application can use it now.

    Whereas Linux Security Modules such as Apparmor are all about limiting file access for programs the Seccomp Filter limits what system calls a program can make.
     
  22. x942

    x942 Guest

    Forgot all about that post. Thanks :thumb: I am using seccomp with Chrome Dev build. I can't wait to see it in Ubuntu 12.04. The beta was too buggy for me this time so I dropped back to 11.10.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    On 12.04 now. There are definitely a few bugs but mostly with Unity and not too big a deal. Gave up on apparmor for Unity - got too wide too fast. Once a program requests access to gnome-terminal + DAC_Override I give up lol

    I created a pgrep profile. That'll probably break things so I'm leaving it off for now.
     
  24. x942

    x942 Guest

    That just reminded me my only issue was due to unity and causing a kernel panic (which I never recovered from). I am going to dist-upgrade to 12.04 XUbuntu. Maybe it's stabler.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Unity's usually the cause of issues I've noticed.

    I think I've exhausted the security options for a default Ubuntu.

    I'll compile my own kernel with security modifications when 12.04 is stable.
     