Share AppArmor Rules!

Discussion in 'all things UNIX' started by ace55, May 14, 2010.

Thread Status:
Not open for further replies.
  1. ace55

    ace55 Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    91
    Installed Ubuntu 10.04 a few days ago. Very impressive and I'm now using linux regularly again. I always intended to install hardened gentoo with grsecurity, pax and selinux, but apparmor is so easy to use and ubuntu much easier to install.

    If you don't know what AppArmor is, take a read here: http://ubuntuforums.org/showthread.php?t=1008906. In short, AppArmor provides restrictions of the actions applications can perform, acting as a sort of sandbox and providing protection against zero day attacks.

    Anyway, I have AppArmor configured for Chromium. Found the config on: http://bodhizazen.net/aa-profiles/. Several others are there, including Wireshark.

    I'm looking for configs for pptpd and snort, if anyone has some solid ones. Otherwise, I might very well write some rules myself and post them once they are done.

    Feel free to use this thread to share/request AppArmor configs or share how much you love AppArmor.
     
  2. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Here is my share of apparmor profiles for:
    - amule
    - googleearth
    - rhythmbox
    - totem
    - vlc

    Do not hesitate to review and correct if necessary.

    No need to say it is provided as is and may not correspond to your needs.
     

    Attached Files:

  3. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Hey, ace55, thanks for those links, time to do some studying. :shifty:

    Acadia
     
  4. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    - amsn as well
     

    Attached Files:

    • amsn.txt
      File size:
      671 bytes
      Views:
      17
  5. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
  6. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    I think one has to be careful not to blindly load a pre-built profile. For instance the streamtuner profile from the above link references audacious. I use vlc. However I also know that most folks here will never be caught out by something like that. :)
     
  7. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    The beauty of apparmor profiles is that it allows total transparency so you know what you are getting, Bodhizazen is a good starting point for someone just starting out with apparmor.
     
  8. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    My KVIRC profile:

    Code:
    # Last Modified: Mon May  3 17:49:39 2010
    #include <tunables/global>
    
    /usr/bin/kvirc {
      #include <abstractions/base>
      #include <abstractions/evince>
      #include <abstractions/fonts>
      #include <abstractions/nameservice>
      #include <abstractions/private-files-strict>
      #include <abstractions/ubuntu-konsole>
    
    
    
      owner /home/*/** wkl,
      /home/*/** r,
      /proc/filesystems r,
      /usr/lib{,32,64}/** mr,
      /usr/local/lib/lib*so* mr,
    
    }

    My Pidgin profile:

    Code:
    # Last Modified: Tue May 11 18:19:27 2010
    #include <tunables/global>
    
    /usr/bin/pidgin {
      #include <abstractions/base>
      #include <abstractions/evince>
      #include <abstractions/fonts>
      #include <abstractions/gnome>
      #include <abstractions/nameservice>
      #include <abstractions/private-files-strict>
    
      capability sys_ptrace,
    
    
    
      /dev/oss/oss_hdaudio0/pcm0 w,
      owner /home/*/ r,
      owner /home/*/** rwk,
      owner /proc/*/fd/ r,
      /proc/filesystems r,
      /usr/bin/gconftool-2 rix,
      /usr/lib{,32,64}/** mr,
      /usr/local/lib/lib*so* mr,
    
    }

    My Rhythmbox Profile (notice I have a /storage partition where I keep my music, you probably don't have this and don't need those lines).

    Code:
    # Last Modified: Tue May 11 13:55:04 2010
    #include <tunables/global>
    
    /usr/bin/rhythmbox {
      #include <abstractions/base>
      #include <abstractions/evince>
      #include <abstractions/nameservice>
      #include <abstractions/private-files-strict>
      #include <abstractions/python>
    
    
    
      / r,
      /boot/initrd.img-2.6.32-21-generic r,
      /boot/vmlinuz-2.6.32-21-generic r,
      /dev/bus/usb/ r,
      /dev/bus/usb/** rw,
      /dev/oss/oss_hdaudio0/pcm0 w,
      /dev/sr0 rw,
      /etc/apt/apt.conf.d/ r,
      /etc/apt/apt.conf.d/* r,
      /etc/apt/preferences.d/ r,
      /etc/apt/sources.list r,
      /etc/apt/sources.list.d/ r,
      /etc/apt/sources.list.d/* r,
      owner /home/*/ r,
      owner /home/*/** wk,
      /home/*/** r,
      owner /proc/*/status r,
      owner /proc/*/task/ r,
      owner /storage/ r,
      owner /storage/Music/ r,
      owner /storage/Music/** r,
      /sys/bus/ r,
      /sys/bus/usb/devices/ r,
      /sys/class/ r,
      /sys/class/usb/ r,
      /sys/devices/** r,
      /usr/bin/gnome-codec-install rix,
      /usr/lib/rhythmbox/rhythmbox-metadata rix,
      /usr/lib{,32,64}/** mr,
      /usr/local/lib/lib*so* mr,
      /var/cache/apt/* r,
      /var/lib/apt/extended_states r,
      /var/lib/apt/lists/* r,
    
    }

    My Transmission profile:

    Code:
    # Last Modified: Mon May 10 17:48:58 2010
    #include <tunables/global>
    
    /usr/bin/transmission {
      #include <abstractions/base>
      #include <abstractions/evince>
      #include <abstractions/nameservice>
      #include <abstractions/private-files-strict>
    
    
      owner /home/*/** rwk,
      /proc/*/net/route r,
      /proc/filesystems r,  
      /usr/local/lib/lib*so* mr,
    
    }
    My Chromium profile (Note: the Chromium nightly builds come with a sandbox already enabled, but it doesn't protect files in /home, which this profile does).

    Code:
    # Last Modified: Sun May  9 08:34:16 2010
    #include <tunables/global>
    
    /usr/lib/chromium-browser/chromium-browser {
      #include <abstractions/X>
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/dbus>
      #include <abstractions/evince>
      #include <abstractions/fonts>
      #include <abstractions/gnome>
      #include <abstractions/nameservice>
      #include <abstractions/private-files>
      #include <abstractions/ubuntu-konsole>
      #include <abstractions/user-tmp>
    
      capability chown,
      capability dac_override,
      capability fsetid,
      capability setgid,
      capability setuid,
      capability sys_admin,
      capability sys_chroot,
      capability sys_ptrace,
    
    
      audit deny @{HOME}/.gnome2_private/** mrwlk,
      audit deny @{HOME}/.ssh/** mrwlk,
    
      / r,
      /bin/ r,
      /bin/dash rix,
      /bin/grep rix,
      /bin/ps rUx,
      /bin/readlink rix,
      /bin/uname rUx,
      /bin/which rix,
      /boot/initrd.img-2.6.32-22-generic r,
      /boot/vmlinuz-2.6.32-22-generic r,
      /dev/oss/oss_hdaudio0/pcm0 w,
      /dev/shm/ rw,
      /dev/shm/** mrwk,
      owner /home/*/ r,
      owner /home/*/** mwk,
      /home/*/** r,
      /proc/ r,
      /proc/*/cmdline r,
      owner /proc/*/environ r,
      /proc/*/fd/ r,
      owner /proc/*/oom_adj w,
      /proc/*/stat r,
      /proc/*/status r,
      /proc/filesystems r,
      /proc/meminfo r,
      /proc/stat r,
      /proc/sys/kernel/* r,
      /proc/tty/drivers r,
      /proc/uptime r,
      /proc/version r,
      owner /storage/ r,
      owner /storage/** r,
      /usr/bin/basename rix,
      /usr/bin/cut rix,
      /usr/bin/gconftool-2 rix,
      /usr/bin/setarch rix,
      /usr/bin/xdg-mime rix,
      /usr/bin/xdg-open rix,
      /usr/lib/chromium-browser/** rwkix,
      /usr/lib/nspluginwrapper/i386/linux/npviewer rUx,
      /usr/lib/nspluginwrapper/i386/linux/npviewer.bin rix,
      /usr/lib{,32,64}/** mr,
      /usr/local/lib/lib*so* mr,
      /var/lib/flashplugin-installer/npwrapper.libflashplayer.so mr,
    
    }
    I also have profiles for Tor, Samba and a couple others (besides the ones that come with Ubuntu).
     
  9. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Chronomatic,

    I can't read PDF file through Chromium. Any tip to share?

    Messages log file reports the following:
     
  10. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343

    Yes, I tinkered with it and fixed a number of issues.

    1) Fixed the problem where Chromium asked to be set as default browser every time. Now if you set it as default, it doesn't ask again.

    2) Fixed an issue with not being able to open proxy settings within Chromium.

    3) Fixed the PDF viewing issue. Now Evince and Okular should both work.

    4) Added more rules so that other files can be opened (Gedit, image viewers, OpenOffice, etc.)

    Let me know if this resolves your issues.

    Here is the revised profile:

    Code:
    
    # Last Modified: Sun May  9 08:34:16 2010
    #include <tunables/global>
    
    /usr/lib/chromium-browser/chromium-browser {
      #include <abstractions/X>
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/dbus>
      #include <abstractions/evince>
      #include <abstractions/fonts>
      #include <abstractions/gnome>
      #include <abstractions/nameservice>
      #include <abstractions/private-files>
      #include <abstractions/ubuntu-konsole>
      #include <abstractions/user-tmp>
    
      capability chown,
      capability dac_override,
      capability fsetid,
      capability setgid,
      capability setuid,
      capability sys_admin,
      capability sys_chroot,
      capability sys_ptrace,
    
    
      audit deny @{HOME}/.gnome2_private/** mrwlk,
      audit deny @{HOME}/.ssh/** mrwlk,
    
      / r,
      /bin/ r,
      /bin/dash rix,
      /bin/grep rix,
      /bin/mkdir rix,
      /bin/mv rix,
      /bin/ps rUx,
      /bin/readlink rix,
      /bin/sed rix,
      /bin/touch rix,
      /bin/uname rUx,
      /bin/which rix,
      /boot/initrd.img-2.6.*generic r,
      /boot/vmlinuz-2.6.*generic r,
      /dev/oss/oss_hdaudio0/pcm0 w,
      /dev/shm/ rw,
      /dev/shm/** mrwk,
      owner /home/*/ r,
      owner /home/*/** mwk,
      /home/*/** r,
      /proc/ r,
      /proc/*/cmdline r,
      owner /proc/*/environ r,
      /proc/*/fd/ r,
      owner /proc/*/oom_adj w,
      /proc/*/stat r,
      /proc/*/status r,
      /proc/filesystems r,
      /proc/meminfo r,
      /proc/stat r,
      /proc/sys/kernel/* r,
      /proc/tty/drivers r,
      /proc/uptime r,
      /proc/version r,
      owner /storage/ r,
      owner /storage/** r,
      /usr/bin/basename rix,
      /usr/bin/cut rix,
      /usr/bin/gawk rix,
      /usr/bin/gconftool-2 rix,
      /usr/bin/gnome-open rix,
      /usr/bin/gnome-network-properties rix,
      /usr/bin/setarch rix,
      /usr/bin/xdg-mime rix,
      /usr/bin/xdg-open rix,
      /usr/lib/chromium-browser/** rwkix,
      /usr/lib/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner rix,
      /usr/lib/nspluginwrapper/i386/linux/npviewer rUx,
      /usr/lib/nspluginwrapper/i386/linux/npviewer.bin rix,
      /usr/lib{,32,64}/** mr,
      /usr/local/lib/lib*so* mr,
      /var/lib/flashplugin-installer/npwrapper.libflashplayer.so mr,
    
      #PDF viewers
      /usr/bin/evince PUxr,
      /usr/bin/okular Uxr,
    
      # Image viewers
      /usr/bin/eog Uxr,
      /usr/bin/gimp* Uxr,
    
      # Openoffice.org
      /usr/bin/ooffice Uxr,
      /usr/bin/oocalc Uxr,
      /usr/bin/oodraw Uxr,
      /usr/bin/ooimpress Uxr,
      /usr/bin/oowriter Uxr,
      /usr/lib/openoffice/program/soffice Uxr,
    
      # Archivers
      /usr/bin/ark Uxr,
      /usr/bin/file-roller Uxr,
      /usr/bin/xarchiver Uxr,
    
      #Text Editor
      /usr/bin/gedit Uxr,
    
    }
     
  11. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Well I had already done it (1 and 3).
    The issue I encounter on the n°3 is that 2 chromium processes run as unconfined as soon as I include evince abstractions.

    Could you check if you are experiencing it as well?
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Question: Why do you (you = people who use apparmor) feel the need to use hardening in the first place?
    Mrk
     
  13. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    http://www.ghacks.net/2010/03/24/get-to-know-linux-apparmor/

    Apparmor is an extra layer for itw vulnerabilities, for instance all PDF exploits via evince are blocked up apparmor, also since it doesn't use any resources or cause any slowdowns, its a good idea to have it enabled, final layer in Linux security apart from regular updates.
     
  14. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I mainly use it for my browser, and consider everything else gravy. The browser is obviously the most vulnerable POI on a desktop machine, and even though there are almost no websites actively exploiting Linux browser holes, that doesn't mean there can't be in the future. The nice thing about Chromium is it has a built in sandbox already enabled, so these AA profiles might be a little superfluous (though I don't think the Chromium sandbox protects /home).

    Also AppArmor is very easy to learn and is a good way to get introduced to MAC's. I typically tinker with it for the learning experience.
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Well, to use a clear analogy from Windows, there's no reason for sandboxing your browser on that platform either, so there's even less need for something like that on Linux. I think the sandbox stuff is a little overrated.

    As to learning, by all means :)

    Mrk
     
  16. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    You say this all the time but, with all due respect, you are dead wrong (especially if talking about Windows). Sandboxing is highly effective at stopping security exploits.
     
  17. ace55

    ace55 Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    91
    Correct. Especially when MAC is implemented at the kernel level, as it is with AppArmor and SELinux. Very strong, yet easy to configure. AppArmor, properly configured, proves as close to 100% security as you are going get on any platform, imo.

    Any arguments that MAC is not necessary because of the unpopularity of Linux is simply security through obscurity. Just because it is not being actively exploited does not mean that it cannot be, and thus additional measures to protect your system must be taken. And who wouldn't when it is so easy to implement all the security you need through one simple solution?
     
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    I did not say sandboxing is not effective. I just say that exploits and security stuff are seriously overrated and overplayed.

    Mrk
     
  19. Nitpick: I think the GrSecurity and TrustedBSD folks would have something to say about that. Heck, even the SELinux maintainers. SELinux and whatnot aren't nearly as easy to configure, but theoretically are much stronger. And even TrustedBSD has holes in it, I've seen reports of BSD servers getting hacked and whatnot.

    That being said, AppArmor is very strong by Windows standards.
     
  20. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    chronomatic or whoever else,

    Sure you don't have the issue of some Chromium's processes running unconfined when evince abstraction is included in chromium's profile?
     
  21. ace55

    ace55 Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    91
    Not so sure about SELinux being much stronger. Much more flexible, sure. From what I understand the extra strength of SELinux is in enforcing restrictions on users, not applications - having separate classifications for objects so that they may be classified, for example, based on security clearance - top secret, classified, etc... Not sure how granularly SELinux controls IPC, but apparently AppArmor does not tightly control it. "Process activities not currently mediated by AppArmor are permitted, e.g. confined processes can perform any IPC that DAC permits, other than signals as mediated by CAP_KILL." Source: -http://kerneltrap.org/Linux/AppArmors_Security_Goals

    I definitely need to spend some more time with SELinux - once I get a good least privilege configuration restricting chromium, I can compare that with my AppArmor config. That should be enlightening, and I'll post back in this thread with my findings.

    With Grsecurity though, you do have a point - with ASLR and memory protection, thats a potent extra layer. I'm not sure it is in any way necessary though - even assuming a vulnerability in AppArmor or SELinux, can a single exploit really exploit a vulnerability in an application such as your web browser, and exploit a vulnerability in AppArmor/SELinux at the same time to bypass the MAC imposed? Seems highly improbable. That said, ASLR and memory protections might very well prove useful if you are intentionally executing untrusted code and relying on MAC to guard against any potentially malicious behavior.

    Interesting about TrustedBSD, do you have any links to post-compromise analysis performed on those systems? I have a hard time believing MAC was remotely bypassed, if properly configured!
     
Loading...
Thread Status:
Not open for further replies.