Wildcard-based AppArmor profiles

Discussion in 'all things UNIX' started by Gullible Jones, Jan 28, 2016.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Just something I figured out: as of Ubuntu 14.04.3, with kernel 3.19.x, you can use wildcards in AppArmor profiles. This way they can apply to more than one program, e.g. the first line of the profile below:

    Code:
    # Attachment glob: any wine* binary or any *.exe, at least one directory deep.
    # AppArmor globbing: * stops at '/', ** crosses it, {a,b} is alternation.
    "/**/{wine*,*.exe}" {
      # trailing slash: read (list) any directory, not its files
      /**/ r,
      /dev/** rw,
      /proc/** rw,
      /sys/** r,
      /usr/** r,
      /lib/** r,
      /etc/** r,
      /tmp/** rw,
      /var/** rw,
      # ix: a child executed from here inherits this same profile
      /usr/bin/wine* rix,
      /home/*/.wine/** rwix,
      /home/*/Games/** rwix,
      /home/*/.local/share/** rw,
    }
    
    When the above is applied, all programs run through Wine will be limited to
    - running Wine-related programs (with the same restrictions)
    - messing around in a very small part of the filesystem
    - playing audio and whatnot

    From what I can see here, the performance impact is pretty minimal too, unless you manage to get something stuck in an endless loop. :)

    You do probably want to be careful here - a profile that covers multiple programs is necessarily going to be less strict than a more specific one. Still, this is interesting, and I think it makes AppArmor a lot more versatile than it would be otherwise.

    Edit: also, it's easy to get lost in a string full of wildcards...
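    To check what a wildcard profile like the one above actually lets a confined program touch, here is an added Python script (not from the post and not AppArmor's own parser) that approximates AppArmor globbing ('*' stops at '/', '**' does not, '{a,b}' alternates) and unions the permissions of every rule that matches a path; the user and file names in it are constructed.

```python
import re

# Attachment glob and rules transcribed from the profile posted above.
PROFILE_ATTACHMENT = "/**/{wine*,*.exe}"
PROFILE_RULES = [
    ("/**/", "r"), ("/dev/**", "rw"), ("/proc/**", "rw"), ("/sys/**", "r"),
    ("/usr/**", "r"), ("/lib/**", "r"), ("/etc/**", "r"), ("/tmp/**", "rw"),
    ("/var/**", "rw"), ("/usr/bin/wine*", "rix"), ("/home/*/.wine/**", "rwix"),
    ("/home/*/Games/**", "rwix"), ("/home/*/.local/share/**", "rw"),
]

def glob_to_regex(pattern):
    """AppArmor-style glob -> anchored regex: '**' crosses '/',
    '*' and '?' stop at '/', '{a,b}' is alternation."""
    out, depth = [], 0
    for tok in re.findall(r"\*\*|[*?{},]|[^*?{},]+", pattern):
        if tok == "**":
            out.append(".*")
        elif tok == "*":
            out.append("[^/]*")
        elif tok == "?":
            out.append("[^/]")
        elif tok == "{":
            depth += 1
            out.append("(?:")
        elif tok == "," and depth:
            out.append("|")
        elif tok == "}" and depth:
            depth -= 1
            out.append(")")
        else:
            out.append(re.escape(tok))
    return re.compile("^" + "".join(out) + "$")

def profile_attaches(exe_path):
    """True if an executable at exe_path would be confined by this profile."""
    return glob_to_regex(PROFILE_ATTACHMENT).match(exe_path) is not None

def permissions_for(path):
    """Union of permission letters from every rule matching path (AppArmor
    accumulates across matching allow rules); '' means nothing is granted."""
    perms = set()
    for glob, mode in PROFILE_RULES:
        if glob_to_regex(glob).match(path):
            perms.update(mode)
    return "".join(sorted(perms))

if __name__ == "__main__":  # constructed sample paths
    for p in ["/usr/bin/wine", "/home/alice/.wine/drive_c/a.dll", "/dev/sda"]:
        print(p, profile_attaches(p), permissions_for(p) or "-")
```

Note that the script only models the profile; ordinary file permissions (DAC) are checked on top of whatever it reports, so "rw" on /dev/sda is what the profile allows, not what a normal user ends up with.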
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Why would you let everything access /dev or /proc with write permissions?
    Mrk
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Effective permissions for that are the normal set of DAC ones. AppArmor restrictions are applied in addition to DAC; Wine won't be able to write to /dev/sda, unless your /dev permissions were already messed up. Or unless you're running it as root, which nobody should.
     