apparmor profile for iron

Discussion in 'all things UNIX' started by wavycoder, Feb 18, 2014.

  1. wavycoder

    Hi, I am using srware iron on linux mint olivia 64 bit distro with cinnamon desktop.
    I thought I would share this, and point out something peculiar about iron at the same time.
    My /home/ partition is encrypted with eCryptfs, and while I was profiling iron with:
    $ sudo aa-genprof /usr/share/iron/iron
    I noticed the system log said it was accessing, or trying to access, pieces of my /home/username/.ecryptfs/* folders, which I of course denied. Does the iron author, or anyone else, have a reasonable explanation for this peculiar behavior?

    Anywho, here is the apparmor profile; it is not very specific, but if you are using iron and it doesn't work for you, put iron into complain mode for a while.
    $ sudo aa-complain /etc/apparmor.d/usr.share.iron.iron
    ::wait a day or two::
    $ sudo aa-logprof /etc/apparmor.d/*
    ::make adjustments, take your time and read the documentation on apparmor::
    $ sudo aa-enforce /etc/apparmor.d/usr.share.iron.iron
    $ sudo service apparmor restart


    Code:
    
    # Last Modified: Tue Feb 18 11:05:02 2014
    # AppArmor profile for SRWare Iron as generated with aa-genprof and posted
    # as a starting point. Comments on individual rules note what each one
    # actually permits or denies so the profile can be tightened deliberately.
    #include <tunables/global>
    
    /usr/share/iron/iron {
      #include <abstractions/base>
      # nameservice grants read access to /etc/passwd among other NSS files;
      # the explicit "deny /etc/passwd r" below still wins, because deny rules
      # take precedence over allow rules in AppArmor.
      #include <abstractions/nameservice>
      #include <abstractions/ubuntu-konsole>
    
      # Broad capability: the confined process may ptrace other tasks. It was
      # presumably recorded during profiling (browser sandbox / crash handler)
      # -- TODO confirm against the audit log that it is still requested before
      # keeping it in an enforced profile.
      capability sys_ptrace,
    
    
      deny /etc/passwd r,
      # Each deny below names one eCryptfs lower-layer path under
      # /home/.ecryptfs/<user>/.Private/ (the ECRYPTFS_FNEK_ENCRYPTED.* names are
      # the encrypted file names). When the home directory is an eCryptfs mount,
      # the kernel's accesses to the lower files are logged under the confined
      # process, which is likely why these paths appeared while profiling --
      # verify before treating it as the browser deliberately reading the
      # ciphertext. The username was replaced by a placeholder: substitute your
      # own, or use a glob so the rule does not depend on one account.
      deny /home/.ecryptfs/username_deleted_for_privacy_replace_with_ur_own_or_use_wildcard_to_deny_universal_access_ecryptfs_folders/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui123bJl7OfhbSccsgKAiyGTk--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1uj.-Qf5oduZrzW1AwbvLL---/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1Lr8fcJhqTB4FbKWTPbsWtE--/ rw,
      deny /home/.ecryptfs/username_deleted_for_privacy_replace_with_ur_own_or_use_wildcard_to_deny_universal_access_ecryptfs_folders/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui123bJl7OfhbSccsgKAiyGTk--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1uj.-Qf5oduZrzW1AwbvLL---/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1Lr8fcJhqTB4FbKWTPbsWtE--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1HLMvftdhnpIsMOW1aBOqv---/ rw,
      deny /home/.ecryptfs/username_deleted_for_privacy_replace_with_ur_own_or_use_wildcard_to_deny_universal_access_ecryptfs_folders/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui123bJl7OfhbSccsgKAiyGTk--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1uj.-Qf5oduZrzW1AwbvLL---/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1raOjPe.jLbiZVC8XUwkN3E--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1Otlja49csTcT0-PRkwSEnE--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui14ZM1Ehg4HEkzmoNumBFoak--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1uLqrBvx745PNlQ-JGvjHG---/ rw,
      deny /home/.ecryptfs/username_deleted_for_privacy_replace_with_ur_own_or_use_wildcard_to_deny_universal_access_ecryptfs_folders/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui123bJl7OfhbSccsgKAiyGTk--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1uj.-Qf5oduZrzW1AwbvLL---/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1raOjPe.jLbiZVC8XUwkN3E--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1Otlja49csTcT0-PRkwSEnE--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui14ZM1Ehg4HEkzmoNumBFoak--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1uLqrBvx745PNlQ-JGvjHG---/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1Whgo-XIMYgK.yjAzTuWa5k-- rw,
      deny /home/.ecryptfs/username_deleted_for_privacy_replace_with_ur_own_or_use_wildcard_to_deny_universal_access_ecryptfs_folders/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui14Hn-CMoB7Jj7gjhsGBN6DU--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1hE1PQ.P4LgWD6KTqimRexU--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1jLe0e3TlpB7p-PboiFu4yU-- rw,
      deny /home/.ecryptfs/username_deleted_for_privacy_replace_with_ur_own_or_use_wildcard_to_deny_universal_access_ecryptfs_folders/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui14Hn-CMoB7Jj7gjhsGBN6DU--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1hE1PQ.P4LgWD6KTqimRexU--/ECRYPTFS_FNEK_ENCRYPTED.FXZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1qBk-myRCW7rUj1cgcCw8wc2wMpjCJrO7KNwq3F65e1--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui13C9MJqPbch1vEQd7MNARdE-- rw,
      deny /home/.ecryptfs/username_deleted_for_privacy_replace_with_ur_own_or_use_wildcard_to_deny_universal_access_ecryptfs_folders/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui14Hn-CMoB7Jj7gjhsGBN6DU--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1hE1PQ.P4LgWD6KTqimRexU--/ECRYPTFS_FNEK_ENCRYPTED.FXZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1qBk-myRCW7rUj1cgcCw8wc2wMpjCJrO7KNwq3F65e1--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui19tOxlwVuT1ViuudJW-YKuk-- rw,
      deny /home/.ecryptfs/username_deleted_for_privacy_replace_with_ur_own_or_use_wildcard_to_deny_universal_access_ecryptfs_folders/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui14Hn-CMoB7Jj7gjhsGBN6DU--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1hE1PQ.P4LgWD6KTqimRexU--/ECRYPTFS_FNEK_ENCRYPTED.FXZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1qBk-myRCW7rUj1cgcCw8wc2wMpjCJrO7KNwq3F65e1--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1ApM9IiGHvp1tOZe1KdsFJU-- rw,
      deny /home/.ecryptfs/username_deleted_for_privacy_replace_with_ur_own_or_use_wildcard_to_deny_universal_access_ecryptfs_folders/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui14Hn-CMoB7Jj7gjhsGBN6DU--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1hE1PQ.P4LgWD6KTqimRexU--/ECRYPTFS_FNEK_ENCRYPTED.FXZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1qBk-myRCW7rUj1cgcCw8wc2wMpjCJrO7KNwq3F65e1--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1tyzdaMC4sBwAVsRlCRyVoU-- rw,
      deny /home/.ecryptfs/username_deleted_for_privacy_replace_with_ur_own_or_use_wildcard_to_deny_universal_access_ecryptfs_folders/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1CqPBTwElEPZcdQQBznLbpE--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1KtDJiuykXhUUqTBaI9MamE--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1mNzqu66L1nGRMqB-dCBz5U-- rw,
      deny /home/.ecryptfs/username_deleted_for_privacy_replace_with_ur_own_or_use_wildcard_to_deny_universal_access_ecryptfs_folders/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1CqPBTwElEPZcdQQBznLbpE--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1PzlTB9GipKx.yydpNbufu---/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1zEE4BOBOAn1rJhzTtKRMFk-- rw,
      deny /home/.ecryptfs/username_deleted_for_privacy_replace_with_ur_own_or_use_wildcard_to_deny_universal_access_ecryptfs_folders/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1Guz1.YyBellLgmP2rpsNpk--/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1uj.-Qf5oduZrzW1AwbvLL---/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui13O.CM17E7pYqZyBDQsJjX---/ rw,
      deny /home/.ecryptfs/username_deleted_for_privacy_replace_with_ur_own_or_use_wildcard_to_deny_universal_access_ecryptfs_folders/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZxvcixCOllPkQEBbiEcTZLHE9eNjyYsui1cGJEl7HpaQ2yny9MEpfqcU-- rw,
    
      # Grants read, write, lock and mmap on every path on the system ("**"
      # matches across "/"). With this in place, only the explicit deny rules
      # above restrict file access; narrow it from aa-logprof output before
      # enforcing. The rix children below inherit this same broad profile.
      /** mrwk,
      /bin/dash rix,
      /bin/grep rix,
      /bin/ps rix,
      # Cx: each of these execs transitions into the matching child profile
      # defined further down, so the helper does not inherit "/** mrwk".
      /bin/readlink Cx,
      /bin/which Cx,
      /usr/bin/basename Cx,
      /usr/bin/cut Cx,
      # Px: transition to a separate, standalone profile for lsb_release; the
      # exec is refused if no such profile is loaded.
      /usr/bin/lsb_release Px,
      /usr/bin/xdg-settings rix,
      /usr/share/iron/iron mrix,
    
    
      # Child profile entered by the "/bin/readlink Cx" rule: the binary may
      # only read and map itself (plus whatever abstractions/base allows).
      profile /bin/readlink {
        #include <abstractions/base>
    
    
        /bin/readlink mr,
    
      }
    
      # Child profile entered by the "/bin/which Cx" rule. The "r" (not "mr")
      # on /bin/which together with "dash ix" indicates which is run as a dash
      # script here, so the interpreter stays inside this child profile.
      profile /bin/which {
        #include <abstractions/base>
        #include <abstractions/bash>
    
    
        /bin/dash ix,
        /bin/which r,
    
      }
    
      # Child profile entered by the "/usr/bin/basename Cx" rule.
      profile /usr/bin/basename {
        #include <abstractions/base>
    
    
        /usr/bin/basename mr,
    
      }
    
      # Child profile entered by the "/usr/bin/cut Cx" rule.
      profile /usr/bin/cut {
        #include <abstractions/base>
    
    
        /usr/bin/cut mr,
    
      }
    }
    
    
     
  2. wavycoder

    A little bit more simplified

    Code:
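    # Last Modified: Tue Feb 18 11:05:02 2014
    # AppArmor profile for SRWare Iron, simplified from the aa-genprof output:
    # the individually enumerated eCryptfs lower-layer paths are collapsed into
    # one deny rule covering the whole lower directory.
    #include <tunables/global>
    
    /usr/share/iron/iron {
      #include <abstractions/base>
      # nameservice grants read access to /etc/passwd among other NSS files;
      # the explicit "deny /etc/passwd r" below still wins, because deny rules
      # take precedence over allow rules in AppArmor.
      #include <abstractions/nameservice>
      #include <abstractions/ubuntu-konsole>
    
      # Broad capability: the confined process may ptrace other tasks. It was
      # presumably recorded during profiling (browser sandbox / crash handler)
      # -- TODO confirm against the audit log that it is still requested before
      # keeping it in an enforced profile.
      capability sys_ptrace,
    
    
      deny /etc/passwd r,
      # Deny the eCryptfs lower-layer tree for this account. "/*" only matches
      # the direct children of the directory (e.g. .Private itself); the files
      # the audit log reported live several levels deeper
      # (.Private/ECRYPTFS_FNEK_ENCRYPTED.*/...), which "/*" does not cover and
      # "/** mrwk" below would then permit. "/**" matches across "/" and so
      # covers the whole tree. The username was replaced by a placeholder:
      # substitute your own, or use a glob so the rule does not depend on one
      # account.
      deny /home/.ecryptfs/username_deleted_for_privacy_replace_with_ur_own_or_use_wildcard_to_deny_universal_access_ecryptfs_folders/** rw,
    
    
      # Grants read, write, lock and mmap on every path on the system ("**"
      # matches across "/"). With this in place, only the explicit deny rules
      # above restrict file access; narrow it from aa-logprof output before
      # enforcing. The rix children below inherit this same broad profile.
      /** mrwk,
      /bin/dash rix,
      /bin/grep rix,
      /bin/ps rix,
      # Cx: each of these execs transitions into the matching child profile
      # defined further down, so the helper does not inherit "/** mrwk".
      /bin/readlink Cx,
      /bin/which Cx,
      /usr/bin/basename Cx,
      /usr/bin/cut Cx,
      # Px: transition to a separate, standalone profile for lsb_release; the
      # exec is refused if no such profile is loaded.
      /usr/bin/lsb_release Px,
      /usr/bin/xdg-settings rix,
      /usr/share/iron/iron mrix,
    
    
      # Child profile entered by the "/bin/readlink Cx" rule: the binary may
      # only read and map itself (plus whatever abstractions/base allows).
      profile /bin/readlink {
        #include <abstractions/base>
    
    
        /bin/readlink mr,
    
      }
    
      # Child profile entered by the "/bin/which Cx" rule. The "r" (not "mr")
      # on /bin/which together with "dash ix" indicates which is run as a dash
      # script here, so the interpreter stays inside this child profile.
      profile /bin/which {
        #include <abstractions/base>
        #include <abstractions/bash>
    
    
        /bin/dash ix,
        /bin/which r,
    
      }
    
      # Child profile entered by the "/usr/bin/basename Cx" rule.
      profile /usr/bin/basename {
        #include <abstractions/base>
    
    
        /usr/bin/basename mr,
    
      }
    
      # Child profile entered by the "/usr/bin/cut Cx" rule.
      profile /usr/bin/cut {
        #include <abstractions/base>
    
    
        /usr/bin/cut mr,
    
      }
    }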
     
  3. tlu


    One of your rules is:

    Code:
    /** mrwk,
    This means that you're granting mrwk permissions on every file or directory in or below /, i.e. your complete system. Pretty loose if you ask me ;)

    Aside from the fact that I don't see the need for using Iron (the claims on their homepage are either wrong or incomplete) - why don't you use the Chromium profile that comes with apparmor-profiles and modify it to your needs?
     
  4. wavycoder


    Thank you for pointing that out! I am moderately new to making apparmor profiles.
    I will try out your suggestion, thanks again!
     