How to know which Apparmor "capabilities" are needed?

Discussion in 'all things UNIX' started by wat0114, Sep 8, 2013.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    I've recently built a profile for Chrome, backed up the profiles then decided to experiment with the capabilities, which apparently can be dangerous (I think HungryMan mentions this somewhere :) ), by commenting out all of them...

    #capability dac_override,
    #capability setgid,
    #capability setuid,
    #capability sys_admin,
    #capability sys_chroot,
    #capability sys_ptrace,

    ...reloaded the profile and found nothing has broken so far using Chrome. How does one know what's safe or not and which ones are needed when generating a profile?

    EDIT

    okay I encountered problems with Chrome crashing closed when trying to access anything under the Preferences menu. aa-logprof offers no clues and the capabilities don't take effect after simply reloading the profile; a reboot is needed as well. Just to make things easier on myself I merely added all the capabilities back into the profile. No problems now. I know HM had stated the chrome-sandbox profile contains the capabilities but not the chrome.chrome profile. Still, the chrome.chrome profile needs at least some of them.
     
    Last edited: Sep 8, 2013
  2. Warlockz

    Warlockz Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    642
    EDIT Sorry didnt realize this is a tutorial "Securing Google Chrome in Ubuntu 12.04 with AppArmor and Seccomp" looks interesting though
    http://rookcifer.blogspot.com/2012/09/securing-google-chrome-in-ubuntu-1204.html
    updated troubleshooting thread for above thread
    http://ubuntuforums.org/showthread.php?t=2137964

    Or search for apparmor chrome profile

    here is the Hungry Man thread

    https://www.wilderssecurity.com/showthread.php?t=320017&page=2&highlight=apparmor

    Not sure but could be of help until someone replies with an actual answer
     
    Last edited: Sep 8, 2013
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Well you have to understand what each of those things is.

    DAC override means that it can override the Discretionary Access Control Permissions.

    SetGID and SetUID means that the executable can change UID/GIDs.

    Sys_Admin means running as root.

    Sys_Chroot means that it can create chroots.

    Sys_Ptrace means that it can modify other processes memory.

    All of the above are necessary for the Chrome Sandbox to function properly. Removing them will prevent the sandbox from restricting Chrome.

    That's why it's best to have a Chrome Sandbox profile separate from your Chrome profile.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    @Warlockz,

    thank you for the links :)

    Thanks HM! Yeah, I kind of knew what most of them meant, except the sys_ptrace and DAC overide. Thanks again.

    Actually I do have a separate chrome-sandbox and a nacl_helper_bootstrap profile as well. Those same capabilities are present in the sandbox profile. For whatever reason, though, they (some of them for sure) are definitely required in the chrome.chrome profile, or it crashes under the circumstances I mention above.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    That's very strange, and I would suggest looking into exactly which permission is necessary and what's being broken. I suspect it's the ptrace one.
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Thanks for the tips!
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Good call Hungry :thumb:

    It's the only capability required (so far) in the chrome.chrome profile. I've deleted the ohers, reloaded profile, rebooted pc, and no ill effects so far. BTW, I discovered the hard way that preceding these with a "#" does not work, thus the reason I've deleted them after of course backing up the profiles.

    I suppose allowing sys_ptrace is kind of dangerous because it can modify other's memory, but I don't worry too much at all. I think apparmor's got Chrome locked down pretty solidly, plus it's on Linux, the sandboxes are all enabled, and I've got javascript and images limited to some degree as well, even though it's not nearly the same as noscript. I'm really impressed at how apparmor restricts the program in exactly what it can do, and no more :)
     
    Last edited: Sep 8, 2013
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I personally don't have the cap_sysptrace in my profile, but I know that it can be necessary for plugins to work.

    Apparmor is really good, it's very simply and powerful. I think it does MAC well. And Chrome using seccomp makes things even better.

    Essentially an attacker needs a Chrome only exploit (since kernel exploits are incredibly difficult from renderer, which has virtually no system calls allowed) to get into the broker process, and then they need a kernel exploit on top of that. If you set your system up properly we're talking about a couple of months to break in.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    That's good. Just for interest sake, I re-profiled Chrome, this time restricting it to the specific extensions I'm using - Ad Block, Lastpass, Edit cookie and Click & clean. Also did a bit less globbing here and there throughout for further restrictions. Lots of fun :)
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yeah, my Chrome profile is pretty heavily restricted. One thing I'd suggest is going through and making use of 'owner' rules as well. Apparmor doesn't do a great job of this with its learning mode, but in reality you can probably add a large number.
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    I might tackle this if I'm at a reasonable comfort level, otherwise I'll just stick to the basics :)
     
Loading...
Thread Status:
Not open for further replies.