Should I use AppArmor?

Discussion in 'all things UNIX' started by lucygrl, Feb 17, 2014.

Thread Status:
Not open for further replies.
  1. lucygrl

    lucygrl Registered Member

    Joined:
    Nov 6, 2013
    Posts:
    202
    Should I use AppArmor, or am I overdoing it when it comes to security?
     
  2. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    As an alternative to SELinux, AppArmor is easier to use and set up. SELinux would definitely be overdoing it depending on whether the context of your use is personal use vs. say Enterprise-wide use. I assume you mean for your personal use.

    With regard to security, AppArmor is a good idea to use particularly for any Internet-facing application like a web browser - just to be safer rather than sorry, as long as you don't fall victim to any social-engineering schemes. At least give it a test drive to decide if you need it or not.

    -- Tom
     
  3. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Ubuntu x64 has it installed and on by default. I suggest keeping it on.
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    What are you trying to achieve?
    Mrk
     
  5. lucygrl

    lucygrl Registered Member

    Joined:
    Nov 6, 2013
    Posts:
    202
    Thank you, I'm using Linux Mint Maya (Ubuntu Precise). Is it already installed and on by default?
     
  6. lucygrl

    lucygrl Registered Member

    Joined:
    Nov 6, 2013
    Posts:
    202
    Will AppArmor interfere with my Firefox Addons?
     
  7. lucygrl

    lucygrl Registered Member

    Joined:
    Nov 6, 2013
    Posts:
    202

    Security for our computers at our NGO. In the past we came under constant attacks both within and outside the NGO. Bringing in outside paid computer people caused a disaster when we found out they were being paid off by organized crime. Even people within our Org are bought off. So a few months ago I took over the computer security and have slowly been changing the computers across from Windows to Linux, Firefox, etc. and finding ways to make things more secure. We have had no problems now for 2 months. But if AppArmor can provide another layer of protection then great. I'm not great with computers, but I'm learning fast thanks to Wilders.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Apparmor will certainly provide another layer of protection for your systems; if you're using Ubuntu then multiple services are already running in confined profiles.

    Apparmor profiles for Firefox should allow addons and if they don't you can always modify them to do so.
     
  9. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Yes it is installed by default and already on in Ubuntu precise 12.04. I assume it should be the same for Linux Mint.
    Apparmor won't interfere with firefox addons.

     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Can you specify what kinds of attacks? Brute force hacking/ddos/phishing/etc?
    This will give us an idea about what kind of security might work, if any.

    Now, you portray a difficult picture with politics and man-in-the-middle situations. This is something you will probably never solve with software.

    Mrk
     
  11. tlu

    tlu Guest

  12. lucygrl

    lucygrl Registered Member

    Joined:
    Nov 6, 2013
    Posts:
    202
    Thank you, so what about grsecurity and PaX? Should I install these?

    Also, please excuse my ignorance on this, but do some people use 2 firewalls or is this a stupid idea?
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    That's probably going to send you going overboard. Even if you go with Apparmor, if you don't allow the secured programs exactly what's needed from them in your workstation environment, you could find yourself spending more time trying to fix things that are puzzling in nature instead of getting real work done. At the very least experiment in a separate lab-type setup before you roll it out on the production kiosks, if you do decide to use it.

    As for the firewall, you just have to enable them with "sudo ufw enable" (no quotes).
     
  14. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi lucygrl,

    I have a firmware firewall on my (ISP provided) router, and a software firewall that I run as part of my setup in Linux Ubuntu 12.04.4 LTS from a USB flash drive every day.

    -- Tom
     
  15. _Sim_

    _Sim_ Registered Member

    Joined:
    Mar 2, 2014
    Posts:
    15
    I'm in the process of writing apparmor profiles for thunderbird and abrowser but encounter problems in understanding different aspects of apparmor.

    1. "m" stands for mapping into memory and marks the pages executable. As far as I know "ix" declares the program as executable too. What exactly is the difference between "m" and "ix"? And which one is more secure?

    2. What I have read in some thread is that users of apparmor are most concerned about declaring programs as executable, in particular "Ux". That's understandable. But what about write access? Isn't it possible to use the apparmor-profiled program to write code into a file that is well known to be often executed by other programs? What about write access to files in /dev/?

    3. Some people say that using additional programs such as antivirus software or sandboxing increases the possible attack vector. Does the use of apparmor give an attacker an additional attack vector?

    4. Is grsecurity an additional layer of security? Is grsecurity easier or more difficult to learn in comparison to apparmor?
     
  16. tlu

    tlu Guest

    You'll find information on http://manpages.ubuntu.com/manpages/precise/en/man5/apparmor.d.5.html and on http://wiki.apparmor.net/index.php/Main_Page

    "ix" means that the respective helper application inherits exactly the permissions of the confined application. This can be a problem - more flexible is using (p|P)x and (c|C)x.

    And even more so for "ux" as this lacks environment scrubbing (which "Ux" has).

    If there is no rule in your profile that allows write access to specific folders/file, there won't be any write access to them. What is not allowed in AppArmor is forbidden. Period.

    No as it just adds mandatory access control (MAC) to the standard Linux discretionary access control (DAC). See also http://wiki.apparmor.net/index.php/FAQ

    I think that's a question where Hungry Man should come in ;)
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Grsecurity and Apparmor are two totally different things (excluding RBAC).

    Apparmor runs with the kernel enforcing access control on a process.

    The easiest way out of a strong apparmor profile is by exploiting the kernel.

    Grsecurity makes exploiting the kernel very difficult.

    That's the simplest rundown of it but I can answer more specific questions.
     
  18. _Sim_

    _Sim_ Registered Member

    Joined:
    Mar 2, 2014
    Posts:
    15
    Thanks for your answers!

    Besides the program's own config files you have to give other files rw access. Even in the well restricted apparmor profiles of Hungry Man you can find rules for rw of files in /dev/. I have no knowledge of how these rules affect the security.

    Thanks, this helped me.

    But you have to compile your kernel on your own because there is no mainline kernel with Grsecurity included. I suggest that the effort to use Grsecurity must be very high. Is this correct? You also have to compile your kernel every time a kernel security patch is available. Are you still using apparmor and Grsecurity?
     
  19. _Sim_

    _Sim_ Registered Member

    Joined:
    Mar 2, 2014
    Posts:
    15
    These are my apparmor profiles for the Tor Browser Bundle.

    torbrowser.start-tor-browser
    Code:
    #include <tunables/global>
    
    /home/sim/Programs/tor-browser_en-US/start-tor-browser {
    
      #include <abstractions/base>
    
      /home/sim/Programs/tor-browser_en-US/Browser/firefox Px,
    
      # Tor directory
      @{HOME}/Programs/tor-browser_en-US/Tor/tor           r,
      @{HOME}/Programs/tor-browser_en-US/start-tor-browser r,
    
      /bin/grep                 rix,
      /etc/magic                r,
      /usr/bin/ldd              rix,
      /{,var/}run/utmp          r,
      /usr/bin/dirname          rix,
      /usr/bin/expr             rix,
      /usr/bin/file             rix,
      /usr/bin/getconf          rix,
      /usr/bin/id               rix,
      /usr/lib{,32,64}/**       mr,
      /usr/share/file/magic.mgc r,
      /usr/share/file/magic/    r,
      /bin/ps                   Cx,
    
      profile /bin/ps {
    
        capability sys_ptrace,
    
        /bin/ps                                             r,
        /dev/tty                                            r,
        /etc/ld.so.cache                                    r,
        /lib/libproc-*.so                                   mr,
        /lib/x86_64-linux-gnu/ld-*.so                       r,
        /lib/x86_64-linux-gnu/libc-*.so                     mr,
        /sys/devices/system/cpu/online                      r,
        /usr/lib/locale/**                                  r,
        /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
        @{PROC}/[0-9]/stat                                  r,
        @{PROC}/stat                                        r,
        @{PROC}/tty/drivers                                 r,
        /usr/lib/@{multiarch}/gconv/gconv-modules*          mr,
        @{PROC}/sys/kernel/pid_max                          r, 
        @{PROC}/[0-9]*/cmdline                              r, 
        @{PROC}/[0-9]*/status                               r, 
        @{PROC}/[0-9]/cmdline                               r, 
        @{PROC}/[0-9]/status                                r, 
        @{PROC}/                                            r, 
        @{PROC}/meminfo                                     r,
        @{PROC}/uptime                                      r, 
        @{PROC}/[0-9]*/stat                                 r, 
        @{PROC}/version                                     r, 
        /lib/@{multiarch}/libc-*.so                         rm,
        /lib/@{multiarch}/ld-*.so                           r, 
        /dev/null                                           rw,
    
      }
    
    }
    
    torbrowser.Tor.tor
    Code:
    #include <tunables/global>
    
    /home/sim/Programs/tor-browser_en-US/Tor/tor {
    
      #include <abstractions/base>
    
      network tcp,
    
      # Tor directory
      @{HOME}/Programs/tor-browser_en-US/Tor/tor       mr,
      @{HOME}/Programs/tor-browser_en-US/Data/Tor/*    rw,
      @{HOME}/Programs/tor-browser_en-US/Data/Tor/lock rwk,
      @{HOME}/Programs/tor-browser_en-US/Lib/*.so      mr,
      @{HOME}/Programs/tor-browser_en-US/Lib/*.so.*    mr,
    
      /etc/host.conf                 r,
      /etc/nsswitch.conf             r,
      /etc/passwd                    r,
      /etc/resolv.conf               r,
      @{PROC}/meminfo                r,
      @{PROC}/sys/kernel/random/uuid r,
      /sys/devices/system/cpu/       r,
    
    }
    
    torbrowser.Browser.firefox
    Code:
    #include <tunables/global>
    
    /home/sim/Programs/tor-browser_en-US/Browser/firefox {
    
      #include <abstractions/base>
      #include <abstractions/user-tmp>
    
      @{HOME}/Programs/tor-browser_en-US/Tor/tor Px,
    
      network tcp,
    
      # Tor directory
      owner @{HOME}/Programs/tor-browser_en-US/.fontconfig/**                  r,
      owner @{HOME}/Programs/tor-browser_en-US/Browser/**                      r,
      owner @{HOME}/Programs/tor-browser_en-US/Browser/*.so                    mr,
      owner @{HOME}/Programs/tor-browser_en-US/Browser/browser/components/*.so mr,
      owner @{HOME}/Programs/tor-browser_en-US/Browser/components/*.so         mr,
      owner @{HOME}/Programs/tor-browser_en-US/Browser/firefox                 rix,
      owner @{HOME}/Programs/tor-browser_en-US/Data/Browser/                   r,
      owner @{HOME}/Programs/tor-browser_en-US/Data/Browser/**                 rwk,
    
      # Home directory
      owner @{HOME}/Downloads/                               rw,
      owner @{HOME}/Downloads/**                             rw,
      owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini       r,
      owner @{HOME}/.icons/                                  r,
      owner @{HOME}/.icons/**                                r,
      owner @{HOME}/.local/share/icons/                      r,
      owner @{HOME}/.themes/**                               r,
      owner @{HOME}/.Xauthority                              r,
    
      /bin/dash                                              rix,
      /dev/dri/card0                                         rw,
      /etc/X11/cursors/*                                     r,
      /etc/drirc                                             r,
      /etc/fonts/**                                          r,
      /etc/gnome/defaults.list                               r,
      /etc/gnome-vfs-2.0/modules/                            r,
      /etc/gnome-vfs-2.0/modules/default-modules.conf        r,
      /etc/gnome-vfs-2.0/modules/extra-modules.conf          r,
      /etc/mailcap                                           r,
      /etc/mime.types                                        r,
      /etc/passwd                                            r,
      /lib{,32,64}/*.so                                      mr,
      /lib{,32,64}/*.so.*                                    mr,
      owner /{,var/}run/gdm/auth*/database                   r,
      /run/gdm3/**                                           r,
      /sys/devices/system/cpu/present                        r,
      /tmp/.X0-lock                                          r,
      /usr/lib{,32,64}/**                                    mr,
      /usr/local/share/fonts/                                r,
      /usr/share/                                            r,
      /usr/share/applications/*.desktop                      r,
      /usr/share/applications/mimeinfo.cache                 r,
      /usr/share/gnome/applications/mimeapps.list            r,
      /usr/share/gnome/applications/mimeinfo.cache           r,
      /usr/share/fonts/                                      r,
      /usr/share/fonts/**                                    r,
      /usr/share/gvfs/remote-volume-monitors/                r,
      /usr/share/gvfs/remote-volume-monitors/afc.monitor     r,
      /usr/share/gvfs/remote-volume-monitors/gdu.monitor     r,
      /usr/share/gvfs/remote-volume-monitors/gphoto2.monitor r,
      /usr/share/icons/                                      r,
      /usr/share/icons/**                                    r,
      /usr/share/mime/                                       r,
      /usr/share/mime/**                                     r,
      /usr/share/pixmaps/                                    r,
      /usr/share/poppler/**                                  r,
      /usr/share/themes/**                                   r,
      /var/cache/fontconfig/*                                r,
      @{PROC}/[0-9]*/stat                                    r,
      owner @{PROC}/[0-9]*/task/[0-9]*/stat                  r,
    
      # Deny 
      deny /etc/host.conf                           rw,
      deny /etc/hosts                               rw,
      deny /etc/nsswitch.conf                       rw,
      deny /etc/resolv.conf                         rw,
      deny /etc/sound/**                            rw,
      deny /run/resolvconf/resolv.conf              rw,
      deny @{PROC}/[0-9]*/mountinfo                 rw,
      deny @{HOME}/.config/user-dirs.dirs           rw,
      deny @{HOME}/.gtk-bookmarks                   rw,
      deny @{HOME}/.local/share/recently-used.xbel* rw,
      deny /usr/share/libthai/**                    rw,
      deny @{HOME}/.config/ibus/**                  rw,
      deny /var/lib/dbus/machine-id                 rw,
      deny network dgram,
    
    }
    
    I'm not sure how insecure the sys_ptrace capability and the rw access of /dev/dri/card0 are.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    sys_ptrace can be pretty dangerous. Does it only work with it enabled?

    When you give access to /dev you're allowing read/write access to devices. In the case of /dri/card0 you're giving GPU access. If a program has to write to GPU memory it'll need that.

    Once you get it working the first time it's not very hard - you just redownload, repatch, and recompile - very little work. I do it myself. If a new patch comes out I set it all up (5 minutes tops including download time) and then I let it compile in the background or when I go to sleep.
     
  21. _Sim_

    _Sim_ Registered Member

    Joined:
    Mar 2, 2014
    Posts:
    15
    Thanks a lot for your help!

    The Tor Browser Bundle works without the sys_ptrace capability as well. JavaScript is completely turned off too. I had some trouble with apparmor in combination with ecryptfs but it is fixed now. I will make apparmor profiles for thunderbird and jitsi. After this I will give Grsecurity a try.
     
  22. _Sim_

    _Sim_ Registered Member

    Joined:
    Mar 2, 2014
    Posts:
    15
    I have a question about Apparmor.

    In my profile I denied the rw access by

    deny @{HOME}/.{*^local,themes,icons,config} rw,

    According to the appamor policy reference :

    {*^} - a proposed glob similar to * with an alternation style list of things it is not allowed to match.
    eg. /etc/{*^shadow,passwd} is the same as /etc/* - /etc/{shadow,passwd}

    I thought that due to this line Apparmor would deny the access of all files in my home directory starting with a dot except local, themes, icons, and config. But "/var/log/kern.log" says that he is trying to access "/home/sim/.ICEauthority":

    Apr 11 13:33:43 sys kernel: [ 6631.093593] type=1400 audit(1397216023.165:412): apparmor="DENIED" operation="open" parent=2549 profile="/opt/tor-browser_en-US/Browser/firefox" name="/home/sim/.ICEauthority" pid=4192 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

    Do I get the policy wrong?

    Another issue I'd like to know about: Do I improve the security of my browser by using "noscript" even though JavaScript is completely disabled in my browser by default?

    PS: I would upload all my apparmor profiles but after the update of this forum I'm unable to use the preview option and the buttons for "CODE" et cetera are not there anymore.
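An added example (mine, not code from the post or from the AppArmor project) that does two things with the kern.log line above: it parses the audit fields, and it checks the denied path against the profile's deny rule using only the globs that apparmor.d(5) documents, so the "{*^...}" form quoted from the reference is treated as plain brace alternation because it is only a proposed glob. @{HOME}=/home/sim and @{PROC}=/proc are assumptions.

```python
import re

# Constructed input: the kern.log line quoted in the post above.
SAMPLE_LOG = (
    'Apr 11 13:33:43 sys kernel: [ 6631.093593] type=1400 audit(1397216023.165:412): '
    'apparmor="DENIED" operation="open" parent=2549 '
    'profile="/opt/tor-browser_en-US/Browser/firefox" name="/home/sim/.ICEauthority" '
    'pid=4192 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'
)
# The rule from the post; @{HOME}=/home/sim and @{PROC}=/proc are assumptions.
RULE = '@{HOME}/.{*^local,themes,icons,config}'
VARS = {'HOME': '/home/sim', 'PROC': '/proc'}
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
BRACE = {'{': ('(?:', 1), ',': ('|', 0), '}': (')', -1)}

def parse_audit_line(line):
    """key=value fields of an AppArmor audit line (quotes stripped); None otherwise."""
    if 'apparmor=' not in line:
        return None
    return {m.group(1): m.group(3) if m.group(2) is None else m.group(2)
            for m in FIELD_RE.finditer(line)}

def apparmor_glob_to_regex(pattern, variables):
    """Translate a file-rule path using only the documented globs: *, **, [...]
    and {a,b} alternation, plus @{VAR} substitution.  The '{*^...}' form is a
    proposed glob and is not special-cased: '*^local' is one plain alternative."""
    for name, value in variables.items():
        pattern = pattern.replace('@{%s}' % name, value)
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith('**', i):
            out.append('.*')              # ** may cross '/'
            i += 2
            continue
        if c == '*':
            out.append('[^/]*')           # * stops at '/'
        elif c == '[':                    # character class, copied verbatim
            j = pattern.index(']', i)
            out.append(pattern[i:j + 1])
            i = j
        elif c in BRACE and (c == '{' or depth > 0):
            out.append(BRACE[c][0])
            depth += BRACE[c][1]
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile('^' + ''.join(out) + '$')

def rule_matches(rule_path, actual_path, variables=VARS):
    return apparmor_glob_to_regex(rule_path, variables).match(actual_path) is not None

def check_denial(line, rule_path=RULE, variables=VARS):
    """For one DENIED event return (denied path, whether rule_path covers it).
    False means the profile's default deny fired, not the explicit deny rule."""
    f = parse_audit_line(line)
    if not f or f.get('apparmor') != 'DENIED':
        return None
    return f['name'], rule_matches(rule_path, f['name'], variables)
```

Run over a whole kern.log, check_denial separates DENIED lines an existing deny rule already covers from those produced by the default deny.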
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It seems like, from that log, the file access is denied by apparmor. Is that not the desired effect?

    And yes, NoScript does more than whitelist Javascript.
     
  24. _Sim_

    _Sim_ Registered Member

    Joined:
    Mar 2, 2014
    Posts:
    15
    You are right. Apparmor denied the access to the file. But apparmor denied the access to the file because it denied everything that is not included in the profile. If apparmor had interpreted the line in my profile in the way I thought it would, it shouldn't show up in "/var/log/kern.log".
     
  25. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    AppArmor is supposed to deny everything not specifically included. It basically is to filesystem access what AppLocker is to executable whitelisting.

    You could include a template in the profile, but I wouldn't recommend it (too easy to mess things up that way). It's better to know what your program requests access to, what you don't want it to access, and where those things might overlap.
     