Can anyone explain and teach me how to use AppArmor in Linux Mint?

Discussion in 'all things UNIX' started by Konata Izumi, Mar 3, 2011.

Thread Status:
Not open for further replies.
  1. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I need AppArmor when running windows applications thru Wine...
    please teach me how :)
     
  2. katio

    katio Guest

    man aa-genprof
    you need to run it a few times so it can catch all violations in the log.

    With Wine I think you can only enforce wine itself and not more fine-grained individual exes.
     
  3. wat0114

    wat0114 Guest

    Konata, you're getting too hung up on security concerns with Linux. I'd just get it all set up and updated the way you want it, use the free Clozezilla disk to image your installation, then proceed to enjoy using it worry free :)
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    Agree completely with wat0114... Don't bring your Windows mindset to Linux, you don't need all that stuff....
     
  5. tlu

    tlu Guest

    I agree with the other comments here. An old but, IMO, still valid discussion that might be helpful for you can be found here. You should not be too worried although the Wine developers decided to be conservative and warn against malware.

    What might be useful: Start winetricks (I think it's automatically installed with wine, otherwise install it with Synaptic) and chose the "sandbox" option - it removes the links to /home.

    If you do this (and do not run wine as root, of course!) no Windows malware should be able to escape the .wine folder. If you really think that you got Windows malware, just delete the .wine folder and you're done. I wouldn't exclude that super-intelligent malware could somehow circumvent this barrier if it's specifically designed for Linux but I'm not aware of any.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Don't go that road. You'll cripple your system without knowing why.
    You've got tons of security as is, you don't need more. Just pr0n away!!!!!
    Mrk
     
  7. katio

    katio Guest

    Do you say that based on your own experience, hearsay, rumours or FUD?

    Apparmor from my experience is very easy (at least compared to SELinux or PAX/RBAC), has far less problems with software crashing without telling you why it happens (dmesg|tail will tell you and aa-genprof is awesome). Yet it offers most of the security one might want to have for whatever reasons. This is wilders*security*. For ordinary desktop activity it might be overkill but your blanket statement makes no sense either.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    katio, before you fire cannon, did you even bother reading what I wrote?

    Reality check: tweaking apparmor is the last thing someone who just installed linux needs to do. The guy asks how to shutdown his machine at a specific time in another thread and you recommend he plays with apparmor, good luck.

    I did not comment on whether apparmor is good or not - just about new users fiddling with it. Chill down. Oh, for the record, the security thingie is so overrated. Boring and overrated. That's hearsay, rumor, fud, experience, and knowledge combined.

    Mrk
     
  9. katio

    katio Guest

    You said it will cripple the system. It doesn't when you take a few minutes to read the man pages. Even then aa-genprof will only cripple one binary at a time and it's easy to undo everything. It's really not that dangerous as you make it to be.

    He's obviously willing to learn. So should we deny him that becaus you think "it's best for him"?

    Your statement sounded very blanket and general.

    Another blanked statement.
    For whom?
    People browsing the web on their home PC with 10 different security "sollutions" running in real time? You bet. But people running with IE, Java, Flash, Adobe and an AV but nothing else?

    People running their telnet on 23 or unpatched webservers?
    There are still far too many. And given all the XSS and sql insertion attacks against very popular high traffic websites lately it's obvious how security is underrated there.
     
  10. tlu

    tlu Guest

    -v , please ;)
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    katio, we won't get anywhere arguing.
    I'll be the first to gracefully bow out of this.

    My conscience won't let me inflict doom on new users by offering them highly powerful and dangerous tools. Like giving dynamite and a box of matches to children.

    Have a good day.

    Cheers,
    Mrk
     
  12. tlu

    tlu Guest

    Although I've never tried SELinux, I've read many statements that confirm your view. However, that doesn't mean that it's easy enough. Let's face it: For most users creating an AppArmor profile is much too difficult. If we accept the assumption that applying AppArmor makes sense/is important, I would expect that my distro (here: Ubuntu) offered more support for the ordinary user.

    In Ubuntu, only a couple of profiles are enabled by default - not among them is, guess what, the Firefox profile. If you know how to enable it (most people don't, I assume) it's easy to set it to enforce mode. But why isn't it done by default? Perhaps because nobody is really interested if problems arise or simply doesn't regard it a necessity?

    Conclusion: As long as no more profiles are enabled by default and carefully maintained, AppArmor will not become a feature for the masses - be it necessary or not.
     
  13. tlu

    tlu Guest

    Although I'm not katio, I would really be interested in the reasons for your statement made earlier.
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    I've stated a few ... which ones? That apparmor is dangerous for new users or that security is boring and overrated? Or both? Or something else?
    Mrk
     
  15. tlu

    tlu Guest

    That security is boring and overstated ;)
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Boring is subjective. But what I meant to say is that people invest so much time worrying and tacking care of things that have such simple and practical solutions that the process becomes rather boring to observe.

    Overrated:

    Security comes down to three things: perception, strategy, actual stuff.

    Perception is linked to what we know and what we hear. The Web security sources of all kinds practice the classic fearmongering drama-heightening journalism with a single purpose of increasing their traffic, just like TV news. It is not interesting unless there's some catastrophe lurking about. In the security world, this often translates into: millions of machines infected, you can get infected just by ... insert favorite stuff here.

    Do you ever see a security-related website article saying: operating systems might get compromised if ... but the remedy is to ... No. Normally, it's just there's cacky coming and you ain't got toilet paper. This automatically turns any such source untrustworthy and irrelevant.

    So is there anything special going on? Not really. There's badly configured servers out there, mail spam, people who think they can get rich by answering stupid mail, etc.

    Strategy is about the day after. Let's say your machine gets damaged. If you have backups, you recover, get back online, end of story. That's the most important bit. Then, there's how you manage security. Most people perceive a pile of tactical ideas as something worth using, but they don't really understand the big picture. Security strategy is all about avoiding mistakes, first and foremost. It's about you and not about THEM. You can only control yourself, so you can make sure you don't do whatever it is you're expected to do to get your box molested.

    Which brings me to actual stuff. How malware propagates. There's social engineering, but that's solved only by not procreating. There's active clicks. No different than playing Russian roulette with a Glock. And there's passive infections, which might happen if you stumble across bad code somewhere out there.

    These infections include all kinds of vectors - but they are all universally nullified by very simple practices like - updates, non-populistic or a good choice in software, limited account. In fact, it takes even less than that, but let's be on the safe [sic] side.

    At the end of the day, people who love security will see threats and problems everywhere, when in reality, if you step back, nothing at all is happening. Nothing at all.

    Here's how you solve security in 10 minutes. You can choose any combination. Everything else is just perks and fetishes.

    Router
    Limited account
    Linux
    Noscript
    Don't download crap

    Now, the downside of security is that - change the system and something breaks. Security lovers are not even remotely aware how crippled their machines are with the tons of programs and tweaks running, which just add complexity to the kernel and nothing useful really. 99% of all bsod comes from bad drivers by third-party software. 99% of all software issues are caused by tweaks and misconfigurations. 99% of all files are deleted and lost by careless use. 99% of all computer woes are caused by users, who never have backups.

    You can be a part of the herd or you can stand by and watch smugly.

    Now, give my statistics pool of many dozens of users, all of whom have minimal security, do lots of p2p and whatnot, online gaming, and virtually no security software, the simple conclusion is - these people are not smarter by a parsec than their peers, it's just that they decided not to participate in the fear experiment.


    Cheers,
    Mrk
     
  17. katio

    katio Guest

    IMHO and from personal experience over a year or so it's easier than SRP or Applocker on Windows which are very popular here on wilders and I see nobody warning not to use them.

    It's because it *might* break certain functionality like uploading images or using some 3rd party addons and extensions (which would require the user to run aa-genforce manually to fix it and review the changes). Second reason: because it isn't really needed. I have yet to hear of a single drive by that targeted Firefox on Linux. There was some talk about cross platform flash exploits but nothing in the wild afaik. The only thing that comes close are some Java exploits but here to my knowledge user-interaction was required (allow unsigned applet). It's not for the lack of exploits or possibilities. The default set up is absolutely not secure against targeted attacks. But those don't happen on any scale that would matter to us. Firefox was your example btw, there are many more uses for Apparmor.

    Well written post Mrk! I agree with you on all points.
    But: I don't see how that disagrees in any way with my point of view on Apparmor...

    If you like to improve your security because you feel like it, want to learn more about it or have particular requirements (run internet facing services, allow untrusted remote users, do binary/forensics analysis what have you) go ahead, read the manual and play with it. If you break something you can easily fix it.
    Apparmor is nothing like the mentioned 3rd party windows snake oil crapware. It's a solid MAC system, well integrated into the kernel, next to no measurable performance hit while providing real security improvements. It's fast to deploy (at least on Ubuntu), easy to automate and simple to fix if something goes wrong. The biggest drawback (the only I can come up with) is that it "might" be redundant.
     
  18. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    For a tutorial on how to use AppArmor, see bodhi's sticky on the Ubuntu forums: http://ubuntuforums.org/showthread.php?t=1008906

    It will cover everything you need to know.

    I am with the others, I think it is overkill for a desktop box, but I have no problem with people wanting to learn about MAC systems.
     
  19. wat0114

    wat0114 Guest

    My one concern for anyone new to linux is to first try to understand the basic essentials of the O/S before embarking on something deeper like Apparmor that, as Mrk correctly advises, could break the system. For myself I had no problem diving into Windows AppLocker because I already understood quite well the essentials of using Windows. I'd have no problems encouraging other Windows-experienced users to explore AppLocker as well. As for Linux, I don't want to touch Apparmor just yet because I'm not at this point comfortable enough with Linux on the whole to get myself out of a bind if I screw something up, although I do have images to fall back on as a last resort. The way I perceived it, the OP may not be ready yet to tinker with Apparmor (though of course I could be dead wrong) so I'd hate for him/her to encounter unnecessary frustration, possibly giving up entirely on Linux in the process, which i feel would be a shame :)
     
  20. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Thank you all~

    I will be studyin Linux and how to implement AppArmor for my Wine Apps on Ubuntu later today.
     
  21. observence

    observence Registered Member

    Joined:
    Dec 28, 2010
    Posts:
    20
    2 questions for Konata Izumi,
    1. Did you actually read the above posts?
    2. Do truly understand what has been said?
    I ask because you seem to ignore what has been said.
    Look at Mrkvonic's sig. Do you think Mrk is giving you a bum steer or anyone else in this thread?
    Listen to these people, you will be much happier and have less hassels in the end.
    O
     
  22. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    1. Yes
    2. Yes.

    It's just that I have too much free time to spend in front of the PC... :doubt:

    EDIT: arrghh I'm still lost in the terminal part. this is way too much for my small brain. alright nvm apparmor I'll go find something more productive to do. lol.

    Thanks again guys
     
    Last edited: Mar 12, 2011
  23. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    What else can I say: Good advice. :D. :thumb:.
     
  24. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    My sig is meaningless. It's sheer egotrip.
    It's a nice pile of acronyms, that's all. How you use it is a different story altogether.

    Mrk
     
  25. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi tlu
    What way is that "v" meant to be facing? :doubt: . :D

    Take Care
    TheQuest :cool:
     
Loading...
Thread Status:
Not open for further replies.