Anyone using Apparmor?

Updated Pidgin profile lets you open links in Chrome + blocks Dac_Override, which for some reason my Pidgin tried to use. It works without it and that's a biiiiiig permission to give it.

 

Awesome! I just finished mine, and didn't notice Dac_Override until you mentioned it. Removed now.

As far as the kernel goes are you doing something similar to Gentoo Hardened? I've compiled Gentoo Hardened before with PaX and GrSecurity. I have hardened Ubuntu in a similar way too. Can't get Grsecurity to compile with 11.10 though :/

 

I'm considering using this:
http://kernelsec.cr0.org/

But when it updates to the latest kernel.

I might build my own but I'm not ready to do that quite yet.

I'm also considering compiling all of Gentoo from source in order to secure and optimize it.

 

Ooh- share your details please!
Apparmor + seccomp + what else?

 

Everything has an apparmor profile at this point except for a few services and the UI - literally every program I've added has one and most of the applications that come with Ubuntu are profiled as well.

Chrome's got Seccomp - I might later compile Pidgin from source to include it. Same goes for a few other programs such as Transmission.

I've removed a lot of packages that came with it. Really anything that I can remove I have removed.

I'm still considering compiling the kernel myself with optimizations + security. Gotta wait and see.

 

I just found that too. I can't wait for a 3.0.0.18 version. Gentoo is fairly easy as it's well documented. Ubuntu on the other hand.. Not so much. Every guide I found is for the 2.6 kernel.

 

I was planning on doing Gentoo anyways for performance/ learning. I'm just enjoying the "quiet" of Ubuntu right now haha

 

I would run gentoo myself but always have issues getting LUKS working. Maybe I will build a Gentoo VM to use instead of debian. Just tried grsecurity but not enough space on the VM's hdd. I will have to remake this here.

 

Pidgin is asking for read access to:

Path: /usr/share/hunspell/
Mode: r


May as well give it to it. I see no damage in it though it functions perfectly fine without it.

 

Then you haven't exhausted your security options for ubuntu. What about iptables or ufw?

 

Very true. I have UFW set to default deny. IP Tables block all incoming and outgoing to any Chinese or Russian IP. Maybe we should start a broader thread now. Like "Your linux security setup" or something.

 

Hungryman started this thread about apparmor, until I came along that's what it stayed about. So I've derailed yet another thread

BTW, ufw & iptables don't play nicely together, you want to uninstall ufw if you use iptables. if you use ufw then really what it amounts to is a front-end for iptables so you'd just leave iptables alone & let ufw talk to it instead. I'm currently in the process of screwing up configuring iptables myself so I'm still learning.

 

Lol well, I still think that another broader thread is nice

I have switched to IP Tables only now. Thanks!

 

As you wish...

https://www.wilderssecurity.com/showthread.php?t=321482

 

Had to edit Chrome to fix some permissions issues after an update. I had to give it a surprising amount of room this time likely due to deleting outdated files. I also gave it access to a RAMdisk folder, which shouldn't be an issue. If you're worried you can chmod the folder for no-exec.

There were also some issues where I'd meant to give write access to some areas. A few needed path variables.

This should be all fixed. Just set it to enforce once it's reloaded.

edit: Needed to give rights to a few config folders. I'm no longer using logprof, easier to just figure out the path/rights on my own.

Code:

# Last Modified: Sat Apr  7 22:30:35 2012
#include <tunables/global>

/opt/google/chrome/google-chrome flags=(complain) {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-session>
  #include <abstractions/fonts>
  #include <abstractions/freedesktop.org>
  #include <abstractions/gnome>
  #include <abstractions/nameservice>
  #include <abstractions/nvidia>
  #include <abstractions/ubuntu-konsole>
  #include <abstractions/user-tmp>

  capability ipc_lock,
  capability sys_ptrace,

  network inet stream,
  network inet6 stream,

  deny /usr/bin/gconftool-2 x,

  / r,
  /** rk,
  /bin/bash ix,
  /bin/dash rix,
  /bin/grep rix,
  /bin/mkdir rix,
  /bin/ps rix,
  /bin/readlink rix,
  /bin/sed rix,
  /bin/which rix,
  /dev/ati/* rwk,
  /etc/passwd m,
  /home/*/.cache/dconf/user rwk,
  /home/*/.cache/google-chrome/** rwk,
  /home/*/.config/autostart/google-chrome.desktop rwk,
  /home/*/.config/google-chrome/ rwk,
  /home/*/.config/google-chrome/** rwk,
  /home/*/.pki/nssdb/** rwk,
  /home/*/.macromedia/** rwk,
  /home/*/.adobe/** rwk,
  /home/*/.fontconfig/** rwk,
  /home/*/.icedtea/** rwk,
  /opt/google/** rwk,
  /opt/google/chrome/* mrwk,
  /opt/google/chrome/PepperFlash/* mrwk,
  /opt/google/chrome/chrome rix,
  /opt/google/chrome/chrome-sandbox px,
  /opt/google/chrome/google-chrome rix,
  /opt/google/chrome/xdg-settings rix,
  /proc/*/oom_score_adj w,
  /root/.local/share/Trash/files/* rwk,
  /root/.local/share/Trash/files/** rwk,
  /run/shm/* mrw,
  owner /tmp/** mrlk,
  /tmp/** rw,
  /usr/bin/basename rix,
  /usr/bin/cut rix,
  /usr/bin/dirname rix,
  /usr/bin/file-roller rix,
  /usr/bin/gvfs-open rix,
  /usr/bin/lsb_release rix,
  /usr/bin/mawk rix,
  /usr/bin/nautilus rix,
  /usr/bin/transmission-gtk px,
  /usr/bin/xdg-mime rix,
  /usr/bin/xdg-open rix,
  /usr/bin/xdg-settings rix,
  /usr/lib{,32,64}/** mr,
  /usr/share/fonts/**/*.pfb m,
  /usr/share/fonts/truetype/**/*.tt[cf] m,
  /usr/share/icons/**/*.cache m,
  /usr/share/mime/mime.cache m,
  owner /{dev,run}/shm/pulse-shm* m,
  owner @{HOME}/ r,
  owner @{HOME}/.local/share/mime/mime.cache m,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  owner @{PROC}/[0-9]*/auxv r,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,

}

Fixed up VLC, shouldn't be any issues. Added Media for mounted drives.

Code:

# Last Modified: Sat Apr  7 22:33:08 2012
#include <tunables/global>

/usr/bin/vlc flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nvidia>

  capability ipc_lock,


  deny /bin/ln rx,
  deny /boot/** r,
  deny /etc/apparmor.d/** r,
  deny /etc/passwd r,
  deny /opt/** r,
  deny /root/** r,
  deny /sbin/** r,
  deny /selinux/** r,

  /bin/dash r,
  /bin/grep rix,
  /bin/mv rix,
  /bin/sed rix,
  /bin/sleep rix,
  /bin/which rix,
  /dev/ r,
  /dev/ati/card0 rw,
  /dev/snd/ r,
  /etc/fonts/** r,
  /etc/nsswitch.conf r,
  /etc/pulse/client.conf r,
  /etc/xdg/Trolltech.conf rk,
  /etc/xdg/sni-qt.conf rk,
  /home/** rwk,
  /media/** rwk,
  /proc/*/auxv r,
  /proc/*/cmdline r,
  /proc/*/status r,
  /proc/ati/* r,
  /proc/modules r,
  /run/shm/ r,
  /run/shm/* rw,
  /sys/devices/system/*/ r,
  /tmp/** rw,
  /tmp/**/ rw,
  /usr/** rk,
  /usr/bin/dbus-send rix,
  /usr/bin/xdg-screensaver rix,
  /usr/bin/xprop rix,
  /usr/lib{,32,64}/** mrw,
  /var/cache/** r,
  /var/lib/dbus/machine-id r,
  /var/lib/defoma/fontconfig.d/* r,

}

 

This topic has been insanely helpful lol I've had to restore profiles a few times. Nice to have them in one place.

preload
usr.sbin.preload

xchat
usr.bin.xchat

 

My Pidgin never asked for any capabilities like dac_override. Anyway, here is my profile. Only thing this profile doesn't have is a browser for opening links. Everything else, including sound, fonts, colors, etc. seems to work fine.

I did allow it full read access to /home, but it can only write to 7 files, all having to do with pidgin itself. I feel this is pretty safe. If ultra paranoid, you could add deny rules for .ssh, .gnupg, etc.

Code:

# Last Modified: Fri May 11 01:09:05 2012
#include <tunables/global>

/usr/bin/pidgin {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/dbus-session>
  #include <abstractions/enchant>
  #include <abstractions/evince>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/python>
  #include <abstractions/user-tmp>

 
  /home/*/ r,
  /home/*/** r,
  /home/*/.cache/dconf/user rw,
  /home/*/.config/enchant/* rwk,
  /home/*/.config/ibus/bus/ rw,
  /home/*/.gstreamer-0.10/* rw,
  /home/*/.pulse-cookie rwk,
  /home/*/.purple/** rw,
 
  /proc/*/fd/ r,
  /proc/*/loginuid r,
  /proc/filesystems r,

  /sys/ r,
  owner /tmp/** rwlk,
  /tmp/** m,

  /usr/bin/gconftool-2 rix,
  /usr/bin/pidgin mr,
  /usr/include/python2.7/** r,

  /usr/lib{,32,64}/** mr,
  owner /{run,dev}/shm/pulse-shm* rk,
  /{run,dev}/shm/pulse-shm* w,

}

I only profile network facing apps. I have my browsers, pidgin, xchat, thunderbird, tor, and a few others profiled. Anything that doesn't face the network is a waste of time on a desktop box, imo.

Also, ptrace is a dangerous capability to allow profiles to have. Unless the app wont run without allowing it, I would deny it. The standard Firefox profile explicitly denies it.

 

It probably asked for dac_override for me because it was getting access denied to areas.

The one I posted lets me open links in Chrome.

 

I know this is an old thread to rejuvenate, but is anyone using a decent Apparmor profile that works for Chromium browser? I have the latest apparmor-utils in Ubuntu 12.04, but if I enforce /etc/apparmor.d/usr.bin.chromium-browser default chromium profile, it prevents chrome from even starting. The logs show some "access denied" entries such as...

Code:

apparmor="DENIED" operation="open" parent=32186 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" pid=6749 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

 apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" name="/dev/null" pid=6755 comm="chromium-browse" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

 apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" name="/proc/6755/status" pid=6755 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

...and if I try to fix by entering the denied masks for the profile paths, then reload the profiles, Chrome still won't launch and the same Access denied entries still show up in the logs. I do have a renderer profile enforced and working:

Code:

#include <tunables/global>

/dev/chromium/chrome/Hammer/chrome-renderer {
 #include <abstractions/base>
 #include <abstractions/fonts>

 /proc/** r,
 /dev/shm/** rwk,
 /dev/chromium/chrome/Hammer/** r,
 network,
}

but nothing else chromium related. Any help is appreciated, although if no success, it's not really a problem because I use Firefox w/NS enforced by its default aa profile.

 

Try this
http://ubuntuforums.org/showthread.php?t=2014663
I haven't tried it but it looks like the guy got it working with HungryMan's help.

 

That profile I posted there is quite possibly ****/ old. Regardless, deleting deny rules will probably solve your problem after aa-logprof.

 

Thanks Brandi, I saw that thread just before posting here, although it looked like he was still struggling with it at the end??

Thanks HM, I'll try something along those lines.

 

OMG! it has taken me an epic series of "sudo invoke-rc.d apparmor reload
" followed by "tail -F /var/log/syslog" entries with /usr.bin.chromium-browser in "complain" mode to finally come up with an apparmor profile that seems to be working after I put it in "enforce" mode - at least for now Most of the allowed entries have ended up under the "#profile chromium_browser_sandbox" heading.

So far so good, but I fear after adding a plug-in or two I'll ahve to embark on this exercise again

 

You don't have to reload apparmor every time. You can just reload the profile.

 

True enough; I was just using the 'up-arrow" key to reload the command for all profiles, even though I could have reloaded "sudo apparmor_parser -r /etc/apparmor.d/profile.name" It was just easier under the circumstances to repetisiously select the same command over again

**EDIT**
Java is absolutely horrendous in Chromium It seems to need all kinds of permissions to work. I give up for tonight.