Anyone using Apparmor?

Discussion in 'all things UNIX' started by Hungry Man, Mar 11, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Updated Pidgin profile lets you open links in Chrome + blocks Dac_Override, which for some reason my Pidgin tried to use. It works without it and that's a biiiiiig permission to give it.

     
  2. x942

    x942 Guest

    Awesome! I just finished mine, and didn't notice Dac_Override until you mentioned it. Removed now.

    As far as the kernel goes are you doing something similar to Gentoo Hardened? I've compiled Gentoo Hardened before with PaX and GrSecurity. I have hardened Ubuntu in a similar way too. Can't get Grsecurity to compile with 11.10 though :/
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm considering using this:
    http://kernelsec.cr0.org/

    But when it updates to the latest kernel.

    I might build my own but I'm not ready to do that quite yet.

    I'm also considering compiling all of Gentoo from source in order to secure and optimize it.
     
  4. BrandiCandi

    BrandiCandi Guest

    Ooh- share your details please!
    Apparmor + seccomp + what else?
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Everything has an apparmor profile at this point except for a few services and the UI - literally every program I've added has one and most of the applications that come with Ubuntu are profiled as well.

    Chrome's got Seccomp - I might later compile Pidgin from source to include it. Same goes for a few other programs such as Transmission.

    I've removed a lot of packages that came with it. Really anything that I can remove I have removed.

    I'm still considering compiling the kernel myself with optimizations + security. Gotta wait and see.
     
  6. x942

    x942 Guest

    I just found that too. I can't wait for a 3.0.0.18 version. Gentoo is fairly easy as it's well documented. Ubuntu on the other hand.. Not so much. Every guide I found is for the 2.6 kernel.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I was planning on doing Gentoo anyways for performance/ learning. I'm just enjoying the "quiet" of Ubuntu right now haha
     
  8. x942

    x942 Guest

    I would run gentoo myself but always have issues getting LUKS working. Maybe I will build a Gentoo VM to use instead of debian. Just tried grsecurity but not enough space on the VM's hdd. I will have to remake this here.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Pidgin is asking for read access to:

    Path: /usr/share/hunspell/
    Mode: r


    May as well give it to it. I see no damage in it though it functions perfectly fine without it.
     
  10. BrandiCandi

    BrandiCandi Guest

    Then you haven't exhausted your security options for ubuntu. :doubt: What about iptables or ufw?
     
  11. x942

    x942 Guest

    Very true. I have UFW set to default deny. IP Tables block all incoming and outgoing to any Chinese or Russian IP. Maybe we should start a broader thread now. Like "Your linux security setup" or something.
     
  12. BrandiCandi

    BrandiCandi Guest

    Hungryman started this thread about apparmor, until I came along that's what it stayed about. So I've derailed yet another thread :p

    BTW, ufw & iptables don't play nicely together, you want to uninstall ufw if you use iptables. if you use ufw then really what it amounts to is a front-end for iptables so you'd just leave iptables alone & let ufw talk to it instead. I'm currently in the process of screwing up configuring iptables myself so I'm still learning.
     
  13. x942

    x942 Guest

    Lol well, I still think that another broader thread is nice :D

    I have switched to IP Tables only now. Thanks! :thumb:
     
  14. BrandiCandi

    BrandiCandi Guest

  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Had to edit Chrome to fix some permissions issues after an update. I had to give it a surprising amount of room this time likely due to deleting outdated files. I also gave it access to a RAMdisk folder, which shouldn't be an issue. If you're worried you can chmod the folder for no-exec.

    There were also some issues where I'd meant to give write access to some areas. A few needed path variables.

    This should be all fixed. Just set it to enforce once it's reloaded.

    edit: Needed to give rights to a few config folders. I'm no longer using logprof, easier to just figure out the path/rights on my own.

    Code:
    # Last Modified: Sat Apr  7 22:30:35 2012
    #include <tunables/global>
    
    /opt/google/chrome/google-chrome flags=(complain) {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/bash>
      #include <abstractions/cups-client>
      #include <abstractions/dbus-session>
      #include <abstractions/fonts>
      #include <abstractions/freedesktop.org>
      #include <abstractions/gnome>
      #include <abstractions/nameservice>
      #include <abstractions/nvidia>
      #include <abstractions/ubuntu-konsole>
      #include <abstractions/user-tmp>
    
      capability ipc_lock,
      capability sys_ptrace,
    
      network inet stream,
      network inet6 stream,
    
      deny /usr/bin/gconftool-2 x,
    
      / r,
      /** rk,
      /bin/bash ix,
      /bin/dash rix,
      /bin/grep rix,
      /bin/mkdir rix,
      /bin/ps rix,
      /bin/readlink rix,
      /bin/sed rix,
      /bin/which rix,
      /dev/ati/* rwk,
      /etc/passwd m,
      /home/*/.cache/dconf/user rwk,
      /home/*/.cache/google-chrome/** rwk,
      /home/*/.config/autostart/google-chrome.desktop rwk,
      /home/*/.config/google-chrome/ rwk,
      /home/*/.config/google-chrome/** rwk,
      /home/*/.pki/nssdb/** rwk,
      /home/*/.macromedia/** rwk,
      /home/*/.adobe/** rwk,
      /home/*/.fontconfig/** rwk,
      /home/*/.icedtea/** rwk,
      /opt/google/** rwk,
      /opt/google/chrome/* mrwk,
      /opt/google/chrome/PepperFlash/* mrwk,
      /opt/google/chrome/chrome rix,
      /opt/google/chrome/chrome-sandbox px,
      /opt/google/chrome/google-chrome rix,
      /opt/google/chrome/xdg-settings rix,
      /proc/*/oom_score_adj w,
      /root/.local/share/Trash/files/* rwk,
      /root/.local/share/Trash/files/** rwk,
      /run/shm/* mrw,
      owner /tmp/** mrlk,
      /tmp/** rw,
      /usr/bin/basename rix,
      /usr/bin/cut rix,
      /usr/bin/dirname rix,
      /usr/bin/file-roller rix,
      /usr/bin/gvfs-open rix,
      /usr/bin/lsb_release rix,
      /usr/bin/mawk rix,
      /usr/bin/nautilus rix,
      /usr/bin/transmission-gtk px,
      /usr/bin/xdg-mime rix,
      /usr/bin/xdg-open rix,
      /usr/bin/xdg-settings rix,
      /usr/lib{,32,64}/** mr,
      /usr/share/fonts/**/*.pfb m,
      /usr/share/fonts/truetype/**/*.tt[cf] m,
      /usr/share/icons/**/*.cache m,
      /usr/share/mime/mime.cache m,
      owner /{dev,run}/shm/pulse-shm* m,
      owner @{HOME}/ r,
      owner @{HOME}/.local/share/mime/mime.cache m,
      owner @{HOME}/Downloads/ r,
      owner @{HOME}/Downloads/* rw,
      owner @{HOME}/Public/ r,
      owner @{HOME}/Public/* r,
      owner @{PROC}/[0-9]*/auxv r,
      @{PROC}/[0-9]*/net/if_inet6 r,
      @{PROC}/[0-9]*/net/ipv6_route r,
    
    }
    Fixed up VLC, shouldn't be any issues. Added Media for mounted drives.

    Code:
    # Last Modified: Sat Apr  7 22:33:08 2012
    #include <tunables/global>
    
    /usr/bin/vlc flags=(complain) {
      #include <abstractions/base>
      #include <abstractions/nvidia>
    
      capability ipc_lock,
    
    
      deny /bin/ln rx,
      deny /boot/** r,
      deny /etc/apparmor.d/** r,
      deny /etc/passwd r,
      deny /opt/** r,
      deny /root/** r,
      deny /sbin/** r,
      deny /selinux/** r,
    
      /bin/dash r,
      /bin/grep rix,
      /bin/mv rix,
      /bin/sed rix,
      /bin/sleep rix,
      /bin/which rix,
      /dev/ r,
      /dev/ati/card0 rw,
      /dev/snd/ r,
      /etc/fonts/** r,
      /etc/nsswitch.conf r,
      /etc/pulse/client.conf r,
      /etc/xdg/Trolltech.conf rk,
      /etc/xdg/sni-qt.conf rk,
      /home/** rwk,
      /media/** rwk,
      /proc/*/auxv r,
      /proc/*/cmdline r,
      /proc/*/status r,
      /proc/ati/* r,
      /proc/modules r,
      /run/shm/ r,
      /run/shm/* rw,
      /sys/devices/system/*/ r,
      /tmp/** rw,
      /tmp/**/ rw,
      /usr/** rk,
      /usr/bin/dbus-send rix,
      /usr/bin/xdg-screensaver rix,
      /usr/bin/xprop rix,
      /usr/lib{,32,64}/** mrw,
      /var/cache/** r,
      /var/lib/dbus/machine-id r,
      /var/lib/defoma/fontconfig.d/* r,
    
    }
     
    Last edited: Apr 7, 2012
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    This topic has been insanely helpful lol I've had to restore profiles a few times. Nice to have them in one place.

    preload
    usr.sbin.preload
    xchat
    usr.bin.xchat
     
  17. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    My Pidgin never asked for any capabilities like dac_override. Anyway, here is my profile. Only thing this profile doesn't have is a browser for opening links. Everything else, including sound, fonts, colors, etc. seems to work fine.

    I did allow it full read access to /home, but it can only write to 7 files, all having to do with pidgin itself. I feel this is pretty safe. If ultra paranoid, you could add deny rules for .ssh, .gnupg, etc.

    Code:
    # Last Modified: Fri May 11 01:09:05 2012
    #include <tunables/global>
    
    /usr/bin/pidgin {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/dbus-session>
      #include <abstractions/enchant>
      #include <abstractions/evince>
      #include <abstractions/fonts>
      #include <abstractions/nameservice>
      #include <abstractions/python>
      #include <abstractions/user-tmp>
    
     
      /home/*/ r,
      /home/*/** r,
      /home/*/.cache/dconf/user rw,
      /home/*/.config/enchant/* rwk,
      /home/*/.config/ibus/bus/ rw,
      /home/*/.gstreamer-0.10/* rw,
      /home/*/.pulse-cookie rwk,
      /home/*/.purple/** rw,
     
      /proc/*/fd/ r,
      /proc/*/loginuid r,
      /proc/filesystems r,
    
      /sys/ r,
      owner /tmp/** rwlk,
      /tmp/** m,
    
      /usr/bin/gconftool-2 rix,
      /usr/bin/pidgin mr,
      /usr/include/python2.7/** r,
    
      /usr/lib{,32,64}/** mr,
      owner /{run,dev}/shm/pulse-shm* rk,
      /{run,dev}/shm/pulse-shm* w,
    
    }
    I only profile network facing apps. I have my browsers, pidgin, xchat, thunderbird, tor, and a few others profiled. Anything that doesn't face the network is a waste of time on a desktop box, imo.

    Also, ptrace is a dangerous capability to allow profiles to have. Unless the app wont run without allowing it, I would deny it. The standard Firefox profile explicitly denies it.
     
    Last edited: May 19, 2012
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It probably asked for dac_override for me because it was getting access denied to areas.

    The one I posted lets me open links in Chrome.
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,096
    Location:
    Canada
    I know this is an old thread to rejuvenate, but is anyone using a decent Apparmor profile that works for Chromium browser? I have the latest apparmor-utils in Ubuntu 12.04, but if I enforce /etc/apparmor.d/usr.bin.chromium-browser default chromium profile, it prevents chrome from even starting. The logs show some "access denied" entries such as...

    Code:
    apparmor="DENIED" operation="open" parent=32186 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" pid=6749 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    
     apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" name="/dev/null" pid=6755 comm="chromium-browse" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
    
     apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" name="/proc/6755/status" pid=6755 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    ...and if I try to fix by entering the denied masks for the profile paths, then reload the profiles, Chrome still won't launch and the same Access denied entries still show up in the logs. I do have a renderer profile enforced and working:

    Code:
    #include <tunables/global>
    
    /dev/chromium/chrome/Hammer/chrome-renderer {
     #include <abstractions/base>
     #include <abstractions/fonts>
    
     /proc/** r,
     /dev/shm/** rwk,
     /dev/chromium/chrome/Hammer/** r,
     network,
    }
    but nothing else chromium related. Any help is appreciated, although if no success, it's not really a problem because I use Firefox w/NS enforced by its default aa profile.
     
  20. BrandiCandi

    BrandiCandi Guest

  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That profile I posted there is quite possibly ****/ old. Regardless, deleting deny rules will probably solve your problem after aa-logprof.
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,096
    Location:
    Canada
    Thanks Brandi, I saw that thread just before posting here, although it looked like he was still struggling with it at the end??

    Thanks HM, I'll try something along those lines.
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,096
    Location:
    Canada
    OMG! it has taken me an epic series of "sudo invoke-rc.d apparmor reload
    " followed by "tail -F /var/log/syslog" entries with /usr.bin.chromium-browser in "complain" mode to finally come up with an apparmor profile that seems to be working after I put it in "enforce" mode - at least for now ;) Most of the allowed entries have ended up under the "#profile chromium_browser_sandbox" heading.

    So far so good, but I fear after adding a plug-in or two I'll ahve to embark on this exercise again :ouch:
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    You don't have to reload apparmor every time. You can just reload the profile.
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,096
    Location:
    Canada
    True enough; I was just using the 'up-arrow" key to reload the command for all profiles, even though I could have reloaded "sudo apparmor_parser -r /etc/apparmor.d/profile.name" It was just easier under the circumstances to repetisiously select the same command over again :)

    **EDIT**
    Java is absolutely horrendous in Chromium :( It seems to need all kinds of permissions to work. I give up for tonight.
     
    Last edited: Sep 11, 2012
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.