-
AppArmor Support Thread
To avoid cluttering up the Share your AppArmor Profiles thread, please post questions about AppArmor (why something is asking for certain permissions or capabilities, what is the difference between Px and ix and why do I never ever ever use Ux, how do I figure out where the real executable is...) in this thread.
-
Re: AppArmor Support Thread
http://ubuntuforums.org/showpost.php...6&postcount=40 :
Quote:
hello.
XChat asks for /home/*/.recently-used.xbel. What is that, and why does XChat want it? I looked into it; I thought it is written with what file was opened with what program.
Also I see Wine asks for something though [I thought] it is off; I looked in System Monitor and see "winbind"s run by root.
Wine asks for:
... operation="capable" name="dac_override" ... profile="/usr/bin/wine"
... operation="capable" name="dac_read_search" ... profile="/usr/bin/wine"
... operation="inode_mkdir" requested_mask="w::" denied_mask="w::" fsuid=0 name="/root/.wine/" ... profile="/usr/bin/wine"
-
Re: AppArmor Support Thread
To start off, here's a few questions that have already been asked:
Quote:
Can I have one application use different AppArmor profiles?
Yes, but not easily. You need to make a hard link from the program to a second name for the program. This is because AppArmor enforces profiles by paths. So let's say for example that you have /usr/bin/myprogram that you want to apply two different AppArmor profiles to. Create an AppArmor profile for /usr/bin/myprogram. Then, make a hard link for the path to use in the second application:
Code:
sudo ln /usr/bin/myprogram /usr/bin/myprogram2
Now, create your second AppArmor profile, but instead of /usr/bin/myprogram use /usr/bin/myprogram2. Once that's done, you can run myprogram to have it use the first profile, or you can run myprogram2 to have it use the second profile.
Quote:
What is the difference between r::, ::x, etc. in the log?
These are the permissions the program is asking for. The colons split the permissions up into user permissions, group permissions, and "other" (neither user nor group) permissions. So r:: means the program is asking for user read permissions. If you see :w:, that means the program wants group write permissions. ::x means "other" execute permissions. Note that when you're giving execute permissions, you can't just give x - you have to give Px, Ux, or ix. More on those later.
Quote:
What is the difference between "requested mask" and "denied mask"?
Requested mask is what the program is asking for. This may be something like rmx::. The "m" permission means it wants permission to use mmap(2) on the executable. Denied mask is what the program isn't getting. Given the previous requested mask, if the denied mask were to be mx:: that would mean that the AppArmor profile allows read permissions, but it does not allow map or execute permissions. Before blindly giving those permissions, however, you should decide whether they're really needed. If you're not certain, you can always ask here.
Quote:
What's the difference between ix, ux, Px, etc.?
AppArmor provides 5 permission flags for execute permissions:
- ux - Unconfined execute
- Ux - Unconfined execute, scrub the environment
- px - execute with a profile written for the application
- Px - execute with a profile written for the application, scrub the environment
- ix - execute using the existing profile
In general, you should never use ux or Ux - that removes AppArmor protection for the executed program! Instead, use Px (or px) if the application being executed has its own profile, or ix if not.
More again later!
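The masks and the execute flags described above can be turned into rules mechanically. The following is an added example, written for this thread rather than taken from it or from the AppArmor tools: it reads kernel audit lines like the ones quoted in this thread and prints the file, capability or execute rule each denial implies. The aa_ function names are ours, and the operation names it understands are only the ones that appear in this thread's log lines.

```sh
#!/bin/sh
# Added example; not code from this thread or from AppArmor. Turns kernel
# audit denial lines into the profile rule each one asks for, reading the
# requested_mask field the way the post above describes (the letters between
# the colons are the permissions asked for). The aa_ names are ours.

# Print the value of KEY="value" from an audit line, or nothing if absent.
aa_field() {
    printf '%s\n' "$2" | sed -n "s/.*[ (]$1=\"\([^\"]*\)\".*/\1/p"
}

# "::r", "w::", "rmx::" -> "r", "w", "rmx"
aa_mask_letters() {
    printf '%s\n' "$1" | tr -d ':'
}

# Emit the rule one denial line asks for. A bare x is never a valid rule,
# so execute is written as ix with a marker: the reader must still choose
# ix or Px (never Ux), as the post explains.
aa_suggest_rule() {
    line=$1
    op=$(aa_field operation "$line")
    name=$(aa_field name "$line")
    case $op in
        capable)
            printf 'capability %s,\n' "$name"
            ;;
        inode_permission|file_permission|inode_mkdir|inode_create)
            mask=$(aa_mask_letters "$(aa_field requested_mask "$line")")
            case $mask in
                *x*)
                    mask=$(printf '%s' "$mask" | sed 's/x/ix/')
                    printf '%s %s,   # REVIEW: Px if %s has its own profile, never Ux\n' \
                        "$name" "$mask" "$name"
                    ;;
                *)
                    printf '%s %s,\n' "$name" "$mask"
                    ;;
            esac
            ;;
        *)
            printf '# unhandled operation "%s" for %s\n' "$op" "$name"
            ;;
    esac
}

# Read a log on stdin and print "profile<TAB>rule", one line per distinct
# denial, so the rules can be sorted into the right profile files.
aa_suggest_from_log() {
    while IFS= read -r l; do
        case $l in *'operation="'*) ;; *) continue ;; esac
        printf '%s\t%s\n' "$(aa_field profile "$l")" "$(aa_suggest_rule "$l")"
    done | sort -u
}
```

Pipe the AppArmor lines out of the kernel log into aa_suggest_from_log, then copy each rule into the profile named in the first column and reload it with apparmor_parser -r; capability rules from "capable" denials deserve the same scrutiny as execute ones before they go in.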
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
q.dinar
hello.
XChat asks for /home/*/.recently-used.xbel. What is that, and why does XChat want it? I looked into it; I thought it is written with what file was opened with what program.
Also I see Wine asks for something though [I thought] it is off; I looked in System Monitor and see "winbind"s run by root.
Wine asks for:
... operation="capable" name="dac_override" ... profile="/usr/bin/wine"
... operation="capable" name="dac_read_search" ... profile="/usr/bin/wine"
... operation="inode_mkdir" requested_mask="w::" denied_mask="w::" fsuid=0 name="/root/.wine/" ... profile="/usr/bin/wine"
.recently-used.xbel is an XML file containing information about the last files opened and what applications have opened those files. This is used in the Recent Documents (Places -> Recent Documents) list, as well as the recent documents list of applications. Some applications don't use this file, but I believe any that are written to take advantage of the GNOME environment do use it.
I'm not sure about the Wine capabilities. It sounds like something that Windows programs would try to override though. dac_override means to bypass read, write and execute permission checks. dac_read_search means to bypass file read permission checks and directory read and execute permission checks. Windows programs may not function properly without those.
-
Re: AppArmor Support Thread
A few more questions that have been asked:
Quote:
Can I use AppArmor to restrict access based on IP address?
No. You can use AppArmor to prevent an application from accessing the network, and you can allow it access to only IPv4 or IPv6, and only TCP or UDP. If the program is run by a specific user, you could instead use iptables to handle this, using the parameters -m owner --uid-owner <userid>. The --uid-owner parameter accepts a user ID, and the iptables rule will match packets coming from a program run by that user. To find a user ID given a username, use this command (replace "username" with the username you want to find the ID for):
Code:
# the leading ^ and trailing : anchor the match to the user name field
grep "^username:" /etc/passwd | cut -d":" -f3
There is no way to use iptables with Ubuntu to restrict access based on the program name, because the Ubuntu Linux kernel is not compiled with the options required to enable the --cmd-owner flag.
Quote:
How do I decide what path to use for the profile?
You need the full path that actually gets run. I'll use Firefox here as an example, since it requires following some links:
- Start with the path to Firefox. Checking the menu shows that the command run is firefox.
- Find where the firefox command is: which firefox (output: /usr/bin/firefox)
- Check to see if this is a link: readlink /usr/bin/firefox (output: firefox-3.0)
- This means that the link points to firefox-3.0 relative to /usr/bin/firefox, and the full path now becomes /usr/bin/firefox-3.0
- Check if this is a link: readlink /usr/bin/firefox-3.0 (output: ../lib/firefox-3.0.5/firefox.sh)
- This means that the link points to ../lib/firefox-3.0.5/firefox.sh relative to /usr/bin/firefox-3.0 and the full path now becomes /usr/lib/firefox-3.0.5/firefox.sh
- Check if this is a link: readlink /usr/lib/firefox-3.0.5/firefox.sh (output: <none>)
- No output means this is not a link. You've now found the full path to use for your profile
Quote:
Just to take that last question one step further, how do I know what name to give the AppArmor profile?
Profile files take a name based off the full path used for the profile. Let's use Firefox as an example again, since we've already found its full path:
- First, take the full path name and remove the first slash. This means that /usr/lib/firefox-3.0.5/firefox.sh becomes usr/lib/firefox-3.0.5/firefox.sh
- Now, convert all remaining slashes to periods. The name now becomes usr.lib.firefox-3.0.5.firefox.sh
- This is the name for the AppArmor profile file. AppArmor profiles are placed in /etc/apparmor.d/
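Putting the two answers above together as an added example (not code from the thread): a POSIX sh script that follows a chain of symlinks step by step, resolving relative targets against the link's directory exactly as the Firefox walk-through does, normalises the .. segments, and derives the /etc/apparmor.d file name from the result. The aa_ function names are ours; it assumes readlink(1), dirname(1) and awk(1) are available.

```sh
#!/bin/sh
# Added example; not code from this thread. Follows a symlink chain the way
# the post does by hand, then builds the AppArmor profile file name from the
# final path. The aa_ names are ours.

# Resolve $1 link by link. A relative readlink result is taken relative to
# the directory of the link, exactly as in the Firefox walk-through.
aa_resolve_path() {
    path=$1
    while target=$(readlink "$path"); do
        case $target in
            /*) path=$target ;;
            *)  path=$(dirname "$path")/$target ;;
        esac
    done
    # Collapse "a/../b" and "./" segments without requiring the path to exist
    # (no realpath(1) on older systems).
    printf '%s\n' "$path" | awk -F/ '{
        n = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "" || $i == ".") continue
            if ($i == "..") { if (n > 0) n--; continue }
            seg[++n] = $i
        }
        out = ""
        for (i = 1; i <= n; i++) out = out "/" seg[i]
        print (out == "" ? "/" : out)
    }'
}

# Profile file name: drop the leading slash, turn remaining slashes into dots.
aa_profile_name() {
    printf '%s\n' "$1" | sed -e 's#^/##' -e 's#/#.#g'
}

# Convenience: command name -> profile path under /etc/apparmor.d.
# Example: aa_profile_for_command firefox
aa_profile_for_command() {
    exe=$(command -v "$1") || return 1
    printf '/etc/apparmor.d/%s\n' "$(aa_profile_name "$(aa_resolve_path "$exe")")"
}
```

The path printed by aa_resolve_path is also the one to put in the profile header, and the one that must be checked again after a package upgrade moves a versioned directory.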
-
Re: AppArmor Support Thread
Hello. I asked this: does AppArmor work against codecs, the Flash player, the video driver?
Now I know that I cannot make a separate profile for Flash when it is used with Firefox. By the way, doesn't the Flash package include a separate Flash player for SWF files?
Now I ask these: how do I name/create a profile file for the nvidia and ati video driver?
Can we make a separate package for video codecs, as they are used with different players? But I think there is another way: to make rules for them in a separate file and include that in different profiles. That also applies to rules for the Flash player, which can be used with different browsers.
There is a "bad" codec package that is in "multiverse"; is it at least partially closed-source? 8:11 GMT: I have posted a notice asking whether multiverse packages are completely/fully open-source in Ubuntu Brainstorm.
-
Re: AppArmor Support Thread
/usr/share/libthai/* r,
is in firefox's [apparmor] profile file, but it still asks for it:
Jan 28 09:52:17 linux2008 kernel: [808819.249751] type=1503 audit(1233125537.243:5497): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/usr/share/libthai/thbrk.sbm" pid=29530 profile="/usr/lib/firefox-3.0.5/firefox.sh"
-
Re: AppArmor Support Thread
And [btw] what are these?
808819.249751
type=1503
audit(1233125537.243:5497)
fsuid=1000
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
q.dinar
How do I name/create a profile file for the nvidia and ati video driver?
Can we make a separate package for video codecs, as they are used with different players?
No, and no, for the same reason you can't have a profile for the Flash player in Firefox. I believe that Gnash and swfdec both include standalone Flash players, and you could write profiles for those, but unless Firefox executes those as separate processes Flash in Firefox would remain affected only by the Firefox profile. Adobe's Flash plugin is only a plugin, not a standalone player, so you can't write a profile for it. Similarly, because the video drivers are loaded as part of X and not executed, the profile would have to be written for X, not for the video drivers. And video codecs are the same, they're loaded as part of the video player application and so the profile would have to be written for the video player (totem, mplayer, etc.) and not the video codecs themselves. I would love to be wrong on this entire paragraph though, so if anyone can show that I'm wrong please do :)
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
q.dinar
/usr/share/libthai/* r,
is in firefox's [apparmor] profile file, but it still asks for it:
Jan 28 09:52:17 linux2008 kernel: [808819.249751] type=1503 audit(1233125537.243:5497): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/usr/share/libthai/thbrk.sbm" pid=29530 profile="/usr/lib/firefox-3.0.5/firefox.sh"
Did you replace the profile after you edited it?
Code:
sudo apparmor_parser -r < usr.lib.firefox-3.0.5.firefox.sh
-
Re: AppArmor Support Thread
Yes, replacing helped. Thank you.
Now I see this:
Feb 4 15:26:23 linux2009 kernel: [ 617.777856] type=1503 audit(1233750383.067:156): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/sbin/killall5" pid=7602 profile="/usr/lib/firefox-3.0.5/firefox.sh"
Should I allow it? How does it use it?
And I want to mention a feature of AppArmor: its permissions work the other way from Linux's. When a new user is added and Firefox is first started by it, it requested w permission for .mozilla in the home directory. I added it and it works. w permission for the home directory is not needed.
-
Re: AppArmor Support Thread
man iptables:
Quote:
--cmd-owner name
Matches if the packet was created by a process with the given command name. (this option is present only if iptables was compiled under a kernel supporting this feature)
This has not worked, in Ubuntu 8.10. I think because iptables is not compiled so.
I tried this command:
sudo iptables -I OUTPUT 2 -p tcp -m owner --uid-owner 1234 --cmd-owner virtualbox --dport 80 -j ACCEPT
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
q.dinar
This has not worked, in Ubuntu 8.10. I think because iptables is not compiled so.
I tried this command:
sudo iptables -I OUTPUT 2 -p tcp -m owner --uid-owner 1234 --cmd-owner virtualbox --dport 80 -j ACCEPT
That's unfortunate. Indeed it doesn't work. I've updated my post above to reflect this :(
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
q.dinar
Yes, replacing helped. Thank you.
Now I see this:
Feb 4 15:26:23 linux2009 kernel: [ 617.777856] type=1503 audit(1233750383.067:156): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/sbin/killall5" pid=7602 profile="/usr/lib/firefox-3.0.5/firefox.sh"
Should I allow it? How does it use it?
I'm not sure how that's used. I don't allow it and I haven't run into problems, but I also haven't seen Firefox asking for that program. What were you doing when you saw that? Do you have any steps that allow you to consistently make Firefox ask for /sbin/killall5?
Quote:
Originally Posted by
q.dinar
And I want to mention a feature of AppArmor: its permissions work the other way from Linux's. When a new user is added and Firefox is first started by it, it requested w permission for .mozilla in the home directory. I added it and it works. w permission for the home directory is not needed.
Quite right, Linux and AppArmor use two different sets of permissions. The permissions applied are the least common permissions between the two. So if a file has Linux permissions for read, write, and execute, but the AppArmor profile permissions allow read and execute, you won't be able to write to the file under that profile no matter how hard you try.
-
Re: AppArmor Support Thread
I am quite sad. :(
You should rename and modify and reload /etc/apparmor.d/usr.lib.firefox-3.0.5.firefox.sh when Firefox has been upgraded to 3.0.6!
2009-12-22: This can be solved, at least in the AppArmor of Ubuntu 9.10: there is a preinstalled but turned-off Firefox profile. The profile's file name is not important (it is "usr.bin.firefox-3.5"), but in it:
...
#include <tunables/global>
/usr/lib/firefox-3.5.*/firefox {
#include <abstractions/audio>
...
And that works with all versions, I think.
-
Re: AppArmor Support Thread
Yes, you will need to change the file name and the paths in the file to match the new paths. The same would also apply to anything else installed with version information in the path name, like XUL Runner (/usr/lib/xulrunner-1.9/).
AppArmor is definitely not a "set and forget" security system. In fact, any system which claims to be such a thing should be viewed suspiciously. When upgrades are done, or new packages installed, current rules may need to be revised or removed, or new rules may need to be added.
-
Re: AppArmor Support Thread
Even when I had just started Firefox, and only one blank tab (page) was open at the start, it asked for killall5. When I opened a new blank tab (page) it asked for it 4 times, but programs usually ask for things several times if they did not succeed the first time. I allowed it but now have denied it again, so I see it now in syslog.
"Quite right, Linux and AppArmor use two different sets of permissions. The permissions applied are the least common permissions between the two. ..."
But I wanted to mention another feature: to create a new "a" directory in a "b" directory, in Linux you need "write" permission on the "b" directory. In AppArmor rules, "write" permission on the not-yet-existing "a" itself is enough.
I see that when I switch to Firefox from another program by clicking its tab on the task bar or with Alt+Tab, it asks for killall5 2 times.
-
Re: AppArmor Support Thread
Code:
Feb 16 10:53:31 linux2009 kernel: [ 382.914441] type=1505 audit(1234770811.273:665): operation="profile_replace" name="/usr/bin/xchat" name2="default" pid=7453
Feb 16 10:53:43 linux2009 kernel: [ 395.513632] type=1502 audit(1234770823.873:666): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/sbin/killall5" pid=7460 profile="/usr/bin/xchat"
Feb 16 10:53:43 linux2009 kernel: [ 395.514803] type=1504 audit(1234770823.873:667): operation="exec" info="set profile" pid=7460 profile="null-complain-profile"
Feb 16 10:53:43 linux2009 kernel: [ 395.514830] type=1502 audit(1234770823.873:668): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/sbin/killall5" pid=7460 profile="null-complain-profile"
Feb 16 10:53:43 linux2009 kernel: [ 395.520025] type=1502 audit(1234770823.877:669): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/sbin/killall5" pid=7460 profile="null-complain-profile"
Feb 16 10:53:43 linux2009 kernel: [ 395.521749] type=1502 audit(1234770823.881:670): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/sbin/killall5" pid=7460 profile="null-complain-profile"
Feb 16 10:53:43 linux2009 kernel: [ 395.525482] type=1502 audit(1234770823.885:671): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/lib/ld-2.8.90.so" pid=7460 profile="null-complain-profile"
XChat has also asked for killall5.
What is null-complain-profile?
-
Re: AppArmor Support Thread
Now I have tested by renaming .mozilla. It asks for killall5 with the newly created profile. But just now another user used Firefox, and at that time it did not ask for killall5!
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
q.dinar
Code:
Feb 16 10:53:31 linux2009 kernel: [ 382.914441] type=1505 audit(1234770811.273:665): operation="profile_replace" name="/usr/bin/xchat" name2="default" pid=7453
Feb 16 10:53:43 linux2009 kernel: [ 395.513632] type=1502 audit(1234770823.873:666): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/sbin/killall5" pid=7460 profile="/usr/bin/xchat"
Feb 16 10:53:43 linux2009 kernel: [ 395.514803] type=1504 audit(1234770823.873:667): operation="exec" info="set profile" pid=7460 profile="null-complain-profile"
Feb 16 10:53:43 linux2009 kernel: [ 395.514830] type=1502 audit(1234770823.873:668): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/sbin/killall5" pid=7460 profile="null-complain-profile"
Feb 16 10:53:43 linux2009 kernel: [ 395.520025] type=1502 audit(1234770823.877:669): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/sbin/killall5" pid=7460 profile="null-complain-profile"
Feb 16 10:53:43 linux2009 kernel: [ 395.521749] type=1502 audit(1234770823.881:670): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/sbin/killall5" pid=7460 profile="null-complain-profile"
Feb 16 10:53:43 linux2009 kernel: [ 395.525482] type=1502 audit(1234770823.885:671): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/lib/ld-2.8.90.so" pid=7460 profile="null-complain-profile"
XChat has also asked for killall5.
I think I found this one. /bin/pidof is a symbolic link to /sbin/killall5. So programs that find /bin/pidof and follow the link rather than just calling 'pidof' will find themselves calling /sbin/killall5. My first instinct now is that this is harmless and it's the program trying to find a PID. Hopefully not its own, C has getpid() for that...
Quote:
Originally Posted by
q.dinar
What is null-complain-profile?
Check out this post over at Novell's forums and see if that applies to you. null-complain-profile is used in learning mode, it complains about absolutely everything.
-
Re: AppArmor Support Thread
There is another message in the log.
How do I create a profile for the X server? As was said in this thread or in "Share your AppArmor Profiles", to limit/set rules for/confine/restrict the video driver, a profile for the X server should be created.
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
q.dinar
But I wanted to mention another feature: to create a new "a" directory in a "b" directory, in Linux you need "write" permission on the "b" directory. In AppArmor rules, "write" permission on the not-yet-existing "a" itself is enough.
OK, I see where you're going with this. Yes, that does seem to be the case, and I'm not sure why, or even if that's the correct behaviour...sounds like a good candidate for a bug to me. You can report bugs here.
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
q.dinar
I am quite sad. :(
You should rename and modify and reload /etc/apparmor.d/usr.lib.firefox-3.0.5.firefox.sh when Firefox has been upgraded to 3.0.6!
While I agree apparmor requires active monitoring, I would also suggest you file this as a bug report in Launchpad.
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
q.dinar
How do I create a profile for the X server? As was said in this thread or in "Share your AppArmor Profiles", to limit/set rules for/confine/restrict the video driver, a profile for the X server should be created.
Very carefully :) I'm only half-joking, and I'm not completely sure where to start. Probably /usr/sbin/gdm and /usr/X11R6/bin/X, and be prepared to do a lot of work tracing why it's not working and what it's asking for. You may want to put the profiles into complain mode so you don't completely lose graphics:
Code:
sudo aa-complain /path/to/profile
Then when you're satisfied and/or ready to test your profile in enforcing mode:
Code:
sudo aa-enforce /path/to/profile
Remember of course that this doesn't give you the ability to have separate profiles for nvidia, nv, radeon, etc., the profile is for X in general.
To get an idea of the programs you'd need to have profiles for (or give execute permissions with 'ix') open a terminal and use this command:
That prints out a process tree. Look for the set starting with '/usr/sbin/gdm'.
-
Re: AppArmor Support Thread
Locking down X or GDM with apparmor will probably be impractical, to say the least.
The things, IMO, you should look at are network-facing applications or daemons (firefox, ssh, etc.) and not something big like X.
If you need to lock down X or a shell (like bash) take a look at jdong's jailbash.
http://www.friedcpu.net/?p=70
Just make jailbash the default login shell.
Or use something like SELinux.
-
Re: AppArmor Support Thread
I just recently installed apparmor and I am fine tuning my profiles. I have got just one more message, related to Firefox, popping up in my log that I want to address.
Mar 20 20:01:08 my-computer kernel: [ 0000.000000] type=0000 audit(000000.000:0000): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/home/duanedesign/.icons/" pid=5664 profile="/usr/lib/firefox-3.0.7/firefox.sh"
I have in my Firefox profile:
@{HOME}/.icons/** r,
adding the line above did fix five or six log messages like these:
~/.icons/hydroxygen/16x16/categories
~/.icons/hydroxygen/16x16/devices
~/.icons/hydroxygen/16x16/emblems
etc.
So I get the feeling it is working on some level.
I understand the colons' significance in showing (owner permissions:extended ownership tests:other permissions). Does this provide a clue to help me solve this?
I thank you in advance for any help you can give me.
UPDATE: Funny, I worked on this for over an hour, and five minutes after I break down and ask for help I come up with a solution :)
I added the following to my firefox profile:
@{HOME}/.icons/ r,
I started Firefox, and no message in my log. I guess I still have a question: do I need both
@{HOME}/.icons/ r,
@{HOME}/.icons/** r,
or is there a better way to get apparmor to allow firefox to access all my icons.
-
Re: AppArmor Support Thread
Short answer - yes, you do need both, but only if the application actually needs to read the directory :) That tends to be true if it doesn't know for sure what the path to the file is, which may be the case here.
The issue is that using ** will match everything in the directory and its subdirectories - but not the directory itself. So using
Code:
@{HOME}/.icons/** r,
will provide read access for all files and directories under /home/<username>/.icons/, but does not provide any access for /home/<username>/.icons/ at all. That's taken care of by the other rule you discovered you need:
Code:
@{HOME}/.icons/ r,
This is the rule that gives access to read the directory itself.
Similarly, but going further than needed to answer your question, if you only used
Code:
@{HOME}/.icons/* r,
you still would have no read access for /home/<username>/.icons/, but you would have read access for all files directly inside it, plus all subdirectories directly underneath it - but not the contents of those subdirectories. As an example, you could see that /home/<username>/.icons/16x16/ exists, and you could also see that /home/<username>/.icons/16x16/unknown.png exists, but you would not be able to read that file.
Hope that helps and doesn't raise more questions than it answers - but feel free to ask away if you have any more questions or if I wasn't clear enough :)
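To make the * versus ** distinction checkable before a profile is reloaded, here is an added example, not from the thread: a small POSIX sh matcher that approximates how AppArmor turns a file glob into a regular expression (* stops at a slash, ** crosses slashes, and right after a slash both need at least one character, which is why /dir/** never covers /dir/ itself). It expands only @{HOME}, ignores {a,b} alternation, [] classes and escapes, and the aa_ names are ours.

```sh
#!/bin/sh
# Added example; not code from this thread or from AppArmor. Approximates the
# parser's glob-to-regex translation for plain file globs so you can test
# which rule covers which path. Assumes sed(1) and grep -E. The aa_ names
# are ours; @{HOME} is the only variable expanded.

# Expand @{HOME} to the given home directory; other variables are left alone.
aa_expand_home() {
    printf '%s\n' "$1" | sed "s|@{HOME}|$2|g"
}

# Translate an AppArmor file glob into an extended regular expression.
# After a '/', both '*' and '**' require at least one character, so
# "/dir/**" matches everything below /dir/ but not "/dir/" itself.
aa_glob_to_regex() {
    printf '%s\n' "$1" | sed \
        -e 's/[.]/\\./g' \
        -e 's#/\*\*#/@DS@#g'  -e 's/\*\*/@DD@/g' \
        -e 's#/\*#/@SS@#g'    -e 's/\*/@S@/g' \
        -e 's#@DS@#[^/].*#g'  -e 's#@DD@#.*#g' \
        -e 's#@SS@#[^/][^/]*#g' -e 's#@S@#[^/]*#g'
}

# Usage: aa_match GLOB PATH [HOME]; exit 0 if the rule covers the path.
# Directories are given with a trailing slash, as the kernel log shows them.
aa_match() {
    home=${3:-/home/user}
    re=$(aa_glob_to_regex "$(aa_expand_home "$1" "$home")")
    printf '%s\n' "$2" | grep -Eq "^$re"'$'
}
```

Run aa_match with the rule path and the name= value from a denial line; if it fails for a path you expected the rule to cover, the usual cause is exactly the one above: the glob reaches into the directory but not the directory entry itself.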
-
Re: AppArmor Support Thread
That was going to be my advice :twisted:
Nice to see people learning apparmor.
FYI: I have posted some apparmor profiles for your reference here :
http://bodhizazen.net/aa-profiles/
I am looking for people willing to post their profiles, so if anyone is willing please send me a PM.
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
bodhi.zazen
That was going to be my advice :twisted:
I just learn from my betters ;)
-
Re: AppArmor Support Thread
Hello.
I have looked at what is run by what with ps fax and with System Monitor.
Though many programs are run by gdm, among them nautilus, they are all run in the "x-session-manager" branch and nothing is run by Xorg. Only two things, Xorg and x-session-manager, are run by gdm directly. What will happen if I restrict only Xorg? If the video driver is in Xorg it would work.
How can I restart Xorg? Quitting and logging in, I think.
And Firefox is not run by x-session-manager. I have just started gedit to check and see that it also does not run in the gdm branch.
What do you think about restricting the installer of ".deb" files? To install deb files for Ubuntu that are got from different sites relatively harmlessly, because a deb file can (or always does?) contain a script and it runs as root. As I know there are many deb files of newer versions of programs that are in Ubuntu's own repository and also of programs that are not in the repository, and among them closed-source programs.
For example, the process of installing a deb file should not browse files in /mnt/ subdirectories, I think.
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
q.dinar
I have looked at what is run by what with ps fax and with System Monitor.
Though many programs are run by gdm, among them nautilus, they are all run in the "x-session-manager" branch and nothing is run by Xorg. Only two things, Xorg and x-session-manager, are run by gdm directly. What will happen if I restrict only Xorg? If the video driver is in Xorg it would work.
I'm not entirely certain what you're asking about here. Are you asking what you will restrict if you use AppArmor on Xorg? You would restrict Xorg, anything loaded by Xorg, and anything run as a child of Xorg. Unless the child has its own profile and you specify Px (or px), or if you specify Ux (or ux). Although, as has been mentioned earlier, there are better places to start for securing your system. If you allow Xorg to listen for incoming connections, then Xorg would be a good (although large and complex) candidate for AppArmor, but if you leave it at the default setting and don't allow remote X connections (note: NOT the same as allowing X forwarding over SSH) then it's not as important IMO.
Quote:
Originally Posted by
q.dinar
How can I restart Xorg? Quitting and logging in, I think.
No, that won't restart Xorg, just your login session. You can press Ctrl+Alt+Backspace. That will immediately terminate Xorg (and any GUI programs you have running, and any of their children) and bring you back to the login screen. This was disabled in Jaunty, you can add this to /etc/X11/xorg.conf and restart to enable it again:
Code:
Section "ServerFlags"
Option "DontZap" "False"
EndSection
Note that you should not have two ServerFlags sections, so just merge this with the existing one if you already have a ServerFlags section.
Quote:
Originally Posted by
q.dinar
And Firefox is not run by x-session-manager. I have just started gedit to check and see that it also does not run in the gdm branch.
No, you're right, they (and IIRC everything else you start) are run as their own processes. Restrictions on gdm (or kdm, or Xorg, or x-session-manager, or /usr/bin/bodhi-zazens-super-spyware-script-pretending-to-be-Xorg :)) will not affect these.
Quote:
Originally Posted by
q.dinar
What do you think about restricting the installer of ".deb" files? To install deb files for Ubuntu that are got from different sites relatively harmlessly, because a deb file can (or always does?) contain a script and it runs as root. As I know there are many deb files of newer versions of programs that are in Ubuntu's own repository and also of programs that are not in the repository, and among them closed-source programs.
For example, the process of installing a deb file should not browse files in /mnt/ subdirectories, I think.
Depends on what precisely you're trying to achieve. As you note, these are run as root, and they always have scripts. In fact they can have up to (IIRC) 4 scripts, possibly 6 - pre-install, post-install, pre-remove, and post-remove. There may also be install and remove, I don't recall. However, regardless, I would be much less concerned about what these scripts are doing in /mnt/ or /media/ (which you could deny access to and legitimately expect nothing to break) and much more concerned about what they're doing in /bin/, /sbin/, /usr/bin/, /usr/sbin/..., all of which you would need to allow read, write, and symlink access to. Think for a second. If I trick you into installing "my-malicious-package_1.0.0-0ubuntu1.deb" and I drop stuff in /mnt/ only, then big deal. Provided I don't change other things of course :) Now, let's say that I later also trick you into installing "my-malicious-package_1.0.1-0ubuntu1.deb" which does any (all?) of these clearly malicious things:
- Replace /bin/ls with a modified version. Use your imagination to think of what I could do with that.
- Replace /boot/vmlinuz-2.6.28-11-generic with a modified version. That's your kernel. I'm sure you can think of plenty of things I could do with that ;)
- Replace /usr/bin/firefox with a symlink to my malicious script that "does stuff" before starting the real Firefox
The list of possibilities goes on of course. So is there value in restricting the dpkg installer? Yes, but not as much as you might think.
-
Re: AppArmor Support Thread
Quote:
Originally Posted by jgoguen
You would restrict Xorg, anything loaded by Xorg, and anything run as a child of Xorg.
Is video driver code completely loaded only by Xorg? (edited 2009-04-18: loaded completely by Xorg, and only by Xorg?)
Quote:
Originally Posted by jgoguen
If you allow Xorg to listen for incoming connections, then Xorg would be a good (although large and complex) candidate for AppArmor, but if you leave it at the default setting and don't allow remote X connections (note: NOT the same as allowing X forwarding over SSH) then it's not as important IMO.
Can driver code make connections [by itself] over the internet if Xorg is configured not to allow remote X connections?
I have not seen anything under the Xorg branch in the process list. What process can be shown there?
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
q.dinar
Is video driver code completely loaded only by Xorg?
Yes, as far as I'm aware.
Quote:
Originally Posted by
q.dinar
Can driver code make connections [by itself] over the internet if Xorg is configured not to allow remote X connections?
Probably not, but I wouldn't rule out the possibility.
Quote:
Originally Posted by
q.dinar
I have not seen anything under the Xorg branch in the process list. What process can be shown there?
You're probably looking for gdm or kdm if you want to see child processes. Keep in mind that everything started by gdm/kdm/xdm may not necessarily be shown as a child process! That's important to remember, since it's possible that you write a profile for gdm and suddenly see that other processes are bound by that same profile.
As has already been said though, locking down X/GDM/KDM/XDM is going to be difficult, including quite likely a lot of time spent editing with no working GUI, and the benefits are unlikely to outweigh the troubles. I will happily help you out, but I want to make sure you have fair warning before you start :) Network applications, like Firefox, Evolution, Pidgin, Thunderbird, XChat, SSH, etc. are better targets for profiles. I hesitate to say SSH though, in that case you're probably better using jdong's jailbash instead. Yes, X can listen on a network, but if you haven't configured it to do so it won't accept incoming connections, so the benefit is limited.
If you really want to, start with a base profile (things that make sense to you for X/GDM/KDM/XDM to need access to), put the profile in complain mode, and then load it and restart. That will let you keep your GUI and see everything it's asking for access to. Check what it legitimately needs, add that to the profile, restart again. Rinse and repeat until it's only complaining about things it doesn't actually need.
You may also find that it's easier (for profile creation, readability, maintenance, and generally making sense of everything 6 months down the road) to create multiple smaller profiles (one for GDM, one for each program called by GDM, and so on) and use the 'Px' execute permissions rather than trying to fit everything into a single profile with lots of 'ix' execute permissions. That advice also applies to other smaller applications. Rather than writing a profile for Firefox that includes everything needed for file-roller or ark to run, write profiles for file-roller and ark and give Firefox Px access to those programs.
-
Re: AppArmor Support Thread
Is this too permissive?
While I was going through logprof, firefox wanted read access to the following:
Code:
deny owner "/home/*/.BOINC Manager" r,
deny owner /home/*/.DCOPserver_Roadrunner64__0 r,
deny owner /home/*/.aspell.en.prepl r,
deny owner /home/*/.bash_logout r,
deny owner /home/*/.esd_auth r,
deny owner /home/*/.gksu.lock r,
deny owner /home/*/.pulse-cookie r,
deny owner /home/*/.sudo_as_admin_successful r,
deny owner /home/*/.xsession-errors r,
deny /proc/1/cmdline r,
deny /proc/1/stat r,
deny /proc/2/cmdline r,
deny /proc/2/stat r,
deny /proc/3/cmdline r,
deny /proc/3/stat r,
deny /proc/4/cmdline r,
deny /proc/4/stat r,
deny /sbin/killall5 x,
deny /var/run/dbus/system_bus_socket w,
Should I allow them? What do they do and why does firefox want read access to them? I've denied them for the time being.
-
Re: AppArmor Support Thread
Is firefox working?
If so, then you are done.
If not, then you will have to allow more things ;)
-
Re: AppArmor Support Thread
There's a lot of files Firefox tries to access that I just can't explain. Files like ~/.viminfo and ~/.rsyncignore (which is a custom file, so it's really weird that Firefox wants it!) make no sense to me for Firefox to have access to, but it seems to try anyway.
As for your profile, basically what bodhi said - if Firefox is working, and you've achieved your goals in creating the profile, then the profile is fine :)
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
jgoguen
As for your profile, basically what bodhi said - if Firefox is working, and you've achieved your goals in creating the profile, then the profile is fine :)
Ah I see. I asked because I don't want to permit things that I'm not supposed to allow.
Quick question: when I remove a profile, do I have to specifically tell AppArmor that the profile is gone (e.g. apparmor_parser -R /etc/apparmor.d/profile), or can I just delete it from /etc/apparmor.d (then reload AA)?
-
Re: AppArmor Support Thread
Delete the profile and re-load apparmor.
You do not need to worry too much about allowing something; remember that without apparmor firefox has full access to your system, limited only by permissions.
With apparmor firefox has less access, limited by the apparmor kernel module and permissions.
In general it should be obvious what to confine, but to be honest this is an area where I prefer selinux ;)
-
Re: AppArmor Support Thread
Hello everyone,
As a first timer, I tried creating a profile for pidgin to get some practice with apparmor. When in enforce mode, Pidgin won't even load :\
I'm not sure I got everything right, but when I do:
Code:
lou@trooper:~$ sudo genprof pidgin
Please start the application to be profiled in
another window and exercise its functionality now.
Once completed, select the "Scan" button below in
order to scan the system logs for AppArmor events.
For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.
Profiling: /usr/bin/pidgin
[(S)can system log for SubDomain events] / (F)inish
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.
Create New User?
(Y)es / [(N)o]
Username:
I followed the instructions; I saw the messages log entry for pidgin as I took it for a spin, then when I press the S key the create user prompt appears.... What user are we talking about here? I did not find any help for this :/
AppArmor had created a file for pidgin but it only shows:
Code:
# Last Modified: Sat May 2 13:33:45 2009
#include <tunables/global>
/usr/bin/pidgin flags=(complain) {
  #include <abstractions/base>
}
I installed the apparmor_profiles.
If I run apparmor_status, pidgin is loaded:
Code:
sudo apparmor_status
apparmor module is loaded.
17 profiles are loaded.
5 profiles are in enforce mode.
/usr/share/gdm/guest-session/Xsession
/usr/lib/cups/backend/cups-pdf
/usr/bin/pidgin
/usr/sbin/cupsd
/usr/sbin/avahi-daemon
12 profiles are in complain mode.
/usr/sbin/identd
/usr/sbin/ntpd
/sbin/klogd
/usr/sbin/dnsmasq
/usr/sbin/nmbd
/sbin/syslogd
/usr/sbin/smbd
/sbin/syslog-ng
/usr/sbin/traceroute
/usr/sbin/nscd
/bin/ping
/usr/sbin/mdnsd
5 processes have profiles defined.
1 processes are in enforce mode :
/usr/sbin/cupsd (4792)
0 processes are in complain mode.
4 processes are unconfined but have a profile defined.
/sbin/klogd (4681)
/usr/sbin/avahi-daemon (4727)
/sbin/syslogd (4630)
/usr/sbin/avahi-daemon (4726)
lou@trooper:~$
Thx for any input
--------
Does apparmor replace chrooting in a better way? Can both live together?
I'm planning on running apache2 and proftpd. Any tips to apparmor them? Or any profile to share?
EDIT: I just saw that it is a bit more complex to apparmor apache because of the subprocesses. I will need to get further into that and see if apparmor is really worth it for me.
thx again
lou
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
loudog23
As a first timer, I tried creating a profile for pidgin to get some practice with apparmor. When in enforce mode, Pidgin won't even load :\
If you've got the profile you had quoted loaded, that's because AppArmor thinks it should deny everything. Try using this profile as a base, and tweak it to your needs: http://bodhizazen.net/aa-profiles/jg...usr.bin.pidgin
Quote:
Originally Posted by
loudog23
I followed the instructions; I saw the messages log entry for pidgin as I took it for a spin, then when I press the S key the create user prompt appears.... What user are we talking about here? I did not find any help for this :/
I'm not very familiar with genprof, and I can't figure out why it's asking for a username. Hopefully someone else has some insights. I would completely remove whatever profile is currently there, reload AppArmor (sudo /etc/init.d/apparmor reload) and try sudo aa-genprof /usr/bin/pidgin again. Failing that, or if you just want something to look at for comparison, I would make use of the profile I linked to.
Quote:
Originally Posted by
loudog23
Does apparmor replace chrooting in a better way? Can both live together?
Yes and I think so. A chroot jail can be broken out of. AppArmor restrictions aren't so easy to break. As for the two playing nicely together, I don't see why not. It would require some extra thought as to the absolute paths of programs required before and after calling chroot(), and I don't know for sure if AppArmor would apply to absolute paths relative to the real root directory or relative to the chroot() but that wouldn't be too hard to figure out.
Quote:
Originally Posted by
loudog23
I'm planning on running apache2 and proftpd. Any tips to apparmor them? Or any profile to share?
EDIT: I just saw that it is a bit more complex to apparmor apache because of the subprocesses. I will need to get further into that and see if apparmor is really worth it for me.
Whether AppArmor is worth it for you depends on what you're trying to achieve. The answer, especially if you're accepting arbitrary data from an arbitrary source (which you are with both programs you've mentioned) is typically "quite likely" for network applications. Apache would certainly be an interesting beast to configure, but even with subprocesses it wouldn't be that much worse than any other single-process application. Just remember to put your profiles (because you'll quite likely be writing multiple profiles for Apache and its children) into complain mode and check /var/log/messages for AppArmor deny entries. Keep in mind that multiple profiles don't mean multiple files - a single file can contain all the profiles you want. This profile is an example of how to handle multiple profiles in one file. If you were trying to restrict mod_perl, mod_php, mod_python, and other Apache modules it would probably get a little weird. To make things a little easier (or harder?) for that, you could find mod_change_hat (which isn't in the Ubuntu repos) and use that. It will allow you to have a sub-profile for each script and a default sub-profile for scripts that don't match an existing sub-profile.
-
Re: AppArmor Support Thread
ty for your reply,
Quick technical question.
I have a private FTP server (proftpd). If I can make a profile that successfully connects locally (IP 127.0.1.1), can I assume web requests will be allowed too?
I don't have access to another web connection, therefore I can't try it from an external source.
-
Re: AppArmor Support Thread
If your profile allows you to connect from localhost, you can safely assume that your AppArmor profile won't prevent other incoming connections. AppArmor can't restrict IP addresses, it can only allow or deny TCP and/or UDP connections for IPv4 and/or IPv6. Doesn't mean your firewall won't be restricting anything though, so be sure to check that, and also check port forwarding on your router (if applicable).
-
Re: AppArmor Support Thread
I am not going to allow some files, but apparmor keeps writing messages to syslog without stopping, continuously, nearly 3 messages per second in syslog and messages. How do I stop it? Apparmor must have such an ability, because this is its main target, its goal, to block programs; that is normal, so it should not write so much to the log files.
-
Re: AppArmor Support Thread
AppArmor writes one message per access attempt. So if you write a profile for /usr/bin/myprogram that does not allow access to /etc/shadow and /usr/bin/myprogram makes 10 attempts per second to access /etc/shadow, you will get approximately 10 messages per second in your log saying that access was denied.
-
Re: AppArmor Support Thread
Anyone tried to profile the latest Firefox-3.0.11? I am not having any luck as there appears to be something wrong with how AppArmor is parsing logs. If I do
Code:
sudo aa-genprof firefox
and then attempt to "Scan" for changes (after I run firefox for a while), it will find some of the denial log messages but not all of them. Once I click on "Finished" and firefox goes into enforce mode, it won't open if I try to restart it. Thereafter, I ran:
but it finds no log messages. However, there is a "null-complain-profile" that is still listed in complain mode. ps -A shows this as being firefox. So, what's the deal with these null-profiles and how does one integrate them with an existing firefox profile?
Also, firefox is asking for dac_override capabilities. It should not need this!
I saw that there were some bugs filed about AppArmor (in Jaunty) not parsing error logs properly. Some people on launchpad said that installing auditd helped them. It doesn't work for me -- I'm still getting this strange behavior.
Or maybe I am just not doing it right?
-
Re: AppArmor Support Thread
I'll be profiling the latest Firefox later today. I can't imagine why it's asking for dac_override, but then again I still haven't figured out why it wants to read ~/.rsynclist (a file I created myself for one of my scripts) or why it's looking for a lot of things in /proc/ that aren't related to it...
I'll be starting from my current profile, which is posted here. I'll be removing a lot of stuff and trying to re-integrate the file-roller profile back into Firefox, so I'll be sure to post the result here once I'm done.
-
Re: AppArmor Support Thread
If it helps, my profile is here
http://bodhizazen.net/aa-profiles/bo....10.firefox.sh
All I changed was the version from "10" to "11"
Have not looked at logs ..
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
bodhi.zazen
That's what I ended up doing. After trying to unsuccessfully aa-genprof firefox, I just went and changed 10 to 11 inside the profile and all seems to be working. I posted the profile in the profiles thread.
-
Re: AppArmor Support Thread
Did I set it up correctly?
Please comment and advise, thanks.
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
samiux
It is a fine start, keep going :)
As you become more familiar with the syntax I think you will find it is easy to use.
As this happens you will likely find you rely less on aa-logprof.
I highly suggest you back up a working profile before you edit it (outside of /etc/apparmor.d/).
In terms of paths / directories it depends on what you are serving with apache. Apache may need access to things such as ssl, php, perl, python, cgi, home directories (~/www), svn, etc, etc, etc.
This is one "problem" with apparmor: every user will need to derive his or her own profile, and you need to first understand what is normal behavior for apache before you can confine it.
-
Re: AppArmor Support Thread
There is no way to make a profile for all programs in a certain directory, is there?
E.g. I would like to block internet traffic for all programs, except for those which have a profile that allows it?
Or limit the read/write rights for all programs which I run from directory ~/downloaded-files?
/jeli
-
Re: AppArmor Support Thread
Not easily. You could make a set of common profile elements in one file, but you would still require one profile per program. You could do it all in two files, like so:
/etc/apparmor.d/home.bin.common:
Code:
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
<other common allow lines>
The first 4 lines will allow network access. You apply this file in various profiles like below:
/etc/apparmor.d/home.bin.all
Code:
#include <tunables/global>
/home/jgoguen/bin/prog1 {
  #include <home.bin.common>
}
/home/jgoguen/bin/prog2 {
  #include <home.bin.common>
}
/usr/local/bin/prog3 {
  #include <home.bin.common>
}
Change the file names and paths appropriately.
-
Re: AppArmor Support Thread
hello
rookcifer:
Quote:
Anyone tried to profile the latest Firefox-3.0.11? I am not having any luck as there appears to be something wrong with how AppArmor is parsing logs. If I do
Code:
sudo aa-genprof firefox
and then attempt to "Scan" for changes (after I run firefox for a while), it will find some of the denial log messages but not all of them. Once I click on "Finished" and firefox goes into enforce mode, it won't open if I try to restart it. Thereafter, I ran:
but it finds no log messages.
I could not make a profile automatically and I have not asked about that; I make them "manually", checking log files after every change of the profile, reloading it, restarting the program, and trying different things with the program.
Once I made a profile for konqueror it asked for "w" permission in my home directory when I opened kde.org, the default home bookmark of konqueror. I did not allow it. Then after some time I tried to test it as a test user, but it did not ask for that "w" permission in the home dir any more.
How does konqueror see the home directory content while "@{HOME}/ r," is not in the profile, nor is it allowed another way?
-
Re: AppArmor Support Thread
Question: I'm working on an apparmor profile for apache2. It's currently in complain mode, and I get the following complaint (among others):
Sep 9 00:23:19 elcamino kernel: [118235.056951] type=1504 audit(1252470199.886:18401): operation="clone" task=22233 pid=22233 profile="null-complain-profile"
How do I set the profile to allow this "clone" operation (I assume this is when it forks..?)?
-
Re: AppArmor Support Thread
transmission requests "/etc/ r," and "/mnt/sda1/user1/ r,"; /mnt/sda1/user1/ is the home directory. I do not allow it. Apparmor writes very much to syslog and messages. Feature request, though I said it already, I say it again: it should be possible to turn that off, something like "/etc/ r nolog" or another way, maybe in a special nolog file.
Why does it ask for /etc/? Why does transmission need it? I think it does not need it and it should "shut up" after several attempts. Also the home directory. Both of these look like transmission wants to spy on what programs I have installed.
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
q.dinar
transmission requests "/etc/ r," and "/mnt/sda1/user1/ r,"; /mnt/sda1/user1/ is the home directory. I do not allow it. Apparmor writes very much to syslog and messages. Feature request, though I said it already, I say it again: it should be possible to turn that off, something like "/etc/ r nolog" or another way, maybe in a special nolog file.
Why does it ask for /etc/? Why does transmission need it? I think it does not need it and it should "shut up" after several attempts. Also the home directory. Both of these look like transmission wants to spy on what programs I have installed.
I have noticed some quirks like this too. Sometimes when you deny something, it will still ask even though there is clearly a "deny" line already in the profile.
Then there is the infamous error:
"Use of uninitialized value $profile in concatenation (.) or string at /usr/share/perl5/Immunix/SubDomain.pm line 4401."
I get this quite often. Sometimes it happens so often I have to reboot. There was a bug filed a long time ago, but nothing has been done about it yet. This is not surprising as AppArmor does not seem to be under development anymore. I suppose TOMOYO might be the way to go in the future.
-
Re: AppArmor Support Thread
The other problem is that apparmor has actually been in development and as such it is very different between each version of Ubuntu.
Documentation of these changes is lagging and your best option is probably reading the man pages.
There are basically two approaches to apparmor. One is to generate a profile, run it in complain mode for some time (a week?), generate logs, then assume such activity is "normal" and allow it all. Then change the profile to enforce and now you should only be logging abnormal activity.
The other approach is to limit access as much as possible. With this second approach you will get a ton of activity in your logs.
Personally I do a blend of the two. Allow full access to $HOME and restrict access to the few files or directories such as ~/.ssh or ~/.Private.
Same with etc. Allow applications to at least read the "normal" config files they need, many of these things are in the abstractions. Restrict access to things such as passwd, shadow, and such.
You may also wish to restrict access to /sys and /proc and /etc/init.d/apparmor (restrict the ability of a profile to turn apparmor off).
I also restrict access to things in /sbin such as iptables.
It is much easier to allow all and generate a black list than to deny all and allow a white list. Further, you can copy-paste your black list between profiles.
Last, in 9.10 there are more and more default profiles. I use the defaults as much as possible.
-
Re: AppArmor Support Thread
Quote:
Originally Posted by bodhi.zazen
Personally I do a blend of the two. Allow full access to $HOME and restrict ...
What is full access? @{HOME}/ and @{HOME}/**?
I said that I denied even the directory listing of home and etc. (Programs can directly request a subdirectory listing or a file in a subdirectory without looking at the directory listings of the outer directories, of course...)
I do not know how in apparmor to allow all in an area and then deny several things in it. I only know allow marks like r, w, k, l, ix, mrix, rix, rw; they all allow some paths over all the paths denied by default.
-
Re: AppArmor Support Thread
After the upgrade to 9.04 I once saw at start time some mysql complaints from apparmor. Now (on the firefox upgrade) I have looked for the mysql apparmor file and see that it has disappeared. Then I downloaded and looked at the files of the apparmor-profiles package and see that it also does not include a mysql profile, not even in /usr/share/doc/apparmor-profiles/extras/. Why did it disappear, and if it has disappeared how did it complain? Or do I not know where it is?
2009-12-07: found: usr.sbin.mysqld
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
q.dinar
After the upgrade to 9.04 I once saw at start time some mysql complaints from apparmor. Now (on the firefox upgrade) I have looked for the mysql apparmor file and see that it has disappeared. Then I downloaded and looked at the files of the apparmor-profiles package and see that it also does not include a mysql profile, not even in /usr/share/doc/apparmor-profiles/extras/. Why did it disappear, and if it has disappeared how did it complain? Or do I not know where it is?
AppArmor on Karmic has not been without its problems for me. The "aa-logprof" command did not work on the BETA and profile generation was impossible because of it. I filed a bug and one of the devs fixed it. I assume that fix got pushed to the Final release.
At any rate, I don't know about your problem but I would file a bug about it (search for similar bugs first, of course).
-
Re: AppArmor Support Thread
I recently upgraded to 9.10 and now I see these messages in my log:
Code:
Nov 1 20:26:51 peace kernel: [ 42.053509] type=1505 audit(1257125211.942:35): operation="profile_replace" pid=1134 name=/bin/ping
Nov 1 20:26:51 peace kernel: [ 42.059470] type=1505 audit(1257125211.946:36): operation="profile_replace" pid=1135 name=/sbin/dhclient3
Nov 1 20:26:51 peace kernel: [ 42.063092] type=1505 audit(1257125211.950:37): operation="profile_replace" pid=1135 name=/usr/lib/NetworkManager/nm-dhcp-client.action
Nov 1 20:26:51 peace kernel: [ 42.063675] type=1505 audit(1257125211.950:38): operation="profile_replace" pid=1135 name=/usr/lib/connman/scripts/dhclient-script
Nov 1 20:26:51 peace kernel: [ 42.070677] type=1505 audit(1257125211.958:39): operation="profile_replace" pid=1136 name=/sbin/klogd
Nov 1 20:26:51 peace kernel: [ 42.078618] type=1505 audit(1257125211.966:40): operation="profile_replace" pid=1137 name=/sbin/syslog-ng
Nov 1 20:26:51 peace kernel: [ 42.085532] type=1505 audit(1257125211.974:41): operation="profile_replace" pid=1138 name=/sbin/syslogd
Nov 1 20:26:51 peace kernel: [ 42.101399] type=1505 audit(1257125211.990:42): operation="profile_replace" pid=1139 name=/usr/bin/evince
Nov 1 20:26:52 peace kernel: [ 42.119482] type=1505 audit(1257125212.006:43): operation="profile_replace" pid=1139 name=/usr/bin/evince-previewer
Nov 1 20:26:52 peace kernel: [ 42.130401] type=1505 audit(1257125212.018:44): operation="profile_replace" pid=1139 name=/usr/bin/evince-thumbnailer
How do I get rid of them safely?
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
keb
I recently upgraded to 9.10 and now I see these messages in my log:
Code:
Nov 1 20:26:51 peace kernel: [ 42.053509] type=1505 audit(1257125211.942:35): operation="profile_replace" pid=1134 name=/bin/ping
Nov 1 20:26:51 peace kernel: [ 42.059470] type=1505 audit(1257125211.946:36): operation="profile_replace" pid=1135 name=/sbin/dhclient3
Nov 1 20:26:51 peace kernel: [ 42.063092] type=1505 audit(1257125211.950:37): operation="profile_replace" pid=1135 name=/usr/lib/NetworkManager/nm-dhcp-client.action
Nov 1 20:26:51 peace kernel: [ 42.063675] type=1505 audit(1257125211.950:38): operation="profile_replace" pid=1135 name=/usr/lib/connman/scripts/dhclient-script
Nov 1 20:26:51 peace kernel: [ 42.070677] type=1505 audit(1257125211.958:39): operation="profile_replace" pid=1136 name=/sbin/klogd
Nov 1 20:26:51 peace kernel: [ 42.078618] type=1505 audit(1257125211.966:40): operation="profile_replace" pid=1137 name=/sbin/syslog-ng
Nov 1 20:26:51 peace kernel: [ 42.085532] type=1505 audit(1257125211.974:41): operation="profile_replace" pid=1138 name=/sbin/syslogd
Nov 1 20:26:51 peace kernel: [ 42.101399] type=1505 audit(1257125211.990:42): operation="profile_replace" pid=1139 name=/usr/bin/evince
Nov 1 20:26:52 peace kernel: [ 42.119482] type=1505 audit(1257125212.006:43): operation="profile_replace" pid=1139 name=/usr/bin/evince-previewer
Nov 1 20:26:52 peace kernel: [ 42.130401] type=1505 audit(1257125212.018:44): operation="profile_replace" pid=1139 name=/usr/bin/evince-thumbnailer
How do I get rid of them safely?
Those messages are normal, they are telling you these profiles are loaded.
-
Re: AppArmor Support Thread
Now I see the mysql profile; maybe that time I just did not notice it, thinking that it should start with "usr.bin.", but it is "usr.sbin.mysqld".
I have successfully loaded a file into a table with the "LOAD DATA LOCAL INFILE ..." command, as in http://dev.mysql.com/doc/refman/5.1/...ng-tables.html , from ~/doc/tmp/msql.txt, which is not allowed in the apparmor profile for mysqld. I loaded it from the mysql command, so does "mysql" not use "mysqld" when it loads data into a table? I add after a minute: probably they share some binary libraries.
-
apparmor-profiles in 9.10
Hello. I have installed the extra profiles; they are installed in /usr/share/doc/apparmor....., and I have copied some of them to /etc/apparmor.d/.
When I ran the netstat program these messages appeared:
Dec 21 08:54:06 dinar-desktop kernel: [ 2393.374180] type=1503 audit(1261374846.637:173): operation="open" pid=3033 parent=2363 profile="/bin/netstat" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/proc/1/fd/"
Dec 21 08:54:06 dinar-desktop kernel: [ 2393.374225] type=1503 audit(1261374846.637:174): operation="open" pid=3033 parent=2363 profile="/bin/netstat" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/proc/2/fd/"
...
though there is
@{PROC}/[0-9]*/fd r,
in /etc/apparmor.d/bin.netstat.
and:
Dec 21 08:36:49 dinar-desktop kernel: [ 1356.514076] type=1503 audit(1261373809.777:172): operation="open" pid=2710 parent=2709 profile="/etc/cron.daily/logrotate" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/logrotate.d/"
though there was
/etc/logrotate.d r,
in /etc/apparmor.d/etc.cron.daily.logrotate .
I have now added
/etc/logrotate.d/ r,
to it and will see what happens when logrotate is run by cron.
Also there is some package for apache change hat; now there is a usr.lib.apache2.mpm-prefork.apache2 profile. Is it possible to make change hat work with the "worker" apache?
2009-12-22: and also there is another profile called something like /usr/sbin/httpd... ; it works with some editing.
-
Re: apparmor-profiles in 9.10
I used netstat this way:
sudo netstat -tunp
and now I have added to its profile:
@{PROC}/[0-9]*/fd/ r,
and it gives other messages now, so the "trailing slash" is important here. And I hope that adding the last slash also fixed that error of logrotate.
2009-12-25 18:39 utc+3: maybe these profiles are written not by mistake but have not been edited since an older version of apparmor; there is information about the changes in path writing at http://en.opensuse.org/AppArmor/Changes_AppArmor_2_1 .
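The following is an added example, not code from this thread or from the AppArmor project: a small Python script that picks the type=1503 denial lines out of syslog (the type=1505 profile_replace lines are load notices and are skipped), counts how many times each profile was denied each path, and checks the denied paths against a profile's path rules with a simplified AppArmor glob matcher, so the trailing-slash difference seen with the netstat and logrotate profiles can be reproduced directly. It assumes @{PROC} expands to /proc and understands only the *, **, ?, [...] and {a,b} forms; the sample log is constructed from the lines quoted in this thread.

```python
"""Pick AppArmor denials out of syslog and check them against profile path rules."""
import re
from collections import Counter

# Constructed sample log: the netstat and logrotate lines quoted in the thread, a repeat
# of the netstat denial (every attempt is logged separately) and one type=1505 line,
# which is a profile load notice rather than a denial.
SAMPLE_LOG = """\
Dec 21 08:54:06 dinar-desktop kernel: [ 2393.374180] type=1503 audit(1261374846.637:173): operation="open" pid=3033 parent=2363 profile="/bin/netstat" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/proc/1/fd/"
Dec 21 08:54:06 dinar-desktop kernel: [ 2393.374225] type=1503 audit(1261374846.637:174): operation="open" pid=3033 parent=2363 profile="/bin/netstat" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/proc/2/fd/"
Dec 21 08:54:07 dinar-desktop kernel: [ 2394.000001] type=1503 audit(1261374847.100:175): operation="open" pid=3040 parent=2363 profile="/bin/netstat" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/proc/1/fd/"
Dec 21 08:36:49 dinar-desktop kernel: [ 1356.514076] type=1503 audit(1261373809.777:172): operation="open" pid=2710 parent=2709 profile="/etc/cron.daily/logrotate" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/logrotate.d/"
Dec 21 08:54:06 dinar-desktop kernel: [ 2393.400000] type=1505 audit(1261374846.700:176): operation="profile_replace" pid=1134 name=/bin/ping
"""

# type=1503 lines are the access decisions; only those carry a denied_mask.
DENIAL_RE = re.compile(
    r'type=1503 .*?operation="(?P<op>[^"]+)"'
    r'.*?profile="(?P<profile>[^"]+)"'
    r'.*?denied_mask="(?P<mask>[^"]*)"'
    r'.*?name="(?P<name>[^"]+)"'
)

# Assumed expansion of the tunable (tunables/proc defines it on a real system).
VARIABLES = {"@{PROC}": "/proc"}


def parse_denials(log_text):
    """Return one dict (op, profile, mask, name) per denial line."""
    return [m.groupdict() for m in map(DENIAL_RE.search, log_text.splitlines()) if m]


def summarize(log_text):
    """Count denials per (profile, path, mask); the repeats are the log flood."""
    return Counter((d["profile"], d["name"], d["mask"]) for d in parse_denials(log_text))


def glob_to_regex(rule_path):
    """Translate an AppArmor path pattern into an anchored regex.
    '*' stops at '/', '**' crosses it, and the whole path must match, so
    '@{PROC}/[0-9]*/fd' covers the fd entry only while '@{PROC}/[0-9]*/fd/'
    is what the directory-listing denial ("/proc/1/fd/") needs."""
    for var, value in VARIABLES.items():
        rule_path = rule_path.replace(var, value)
    parts, i = [], 0
    while i < len(rule_path):
        c = rule_path[i]
        if rule_path.startswith("**", i):
            parts.append(".*")
            i += 2
        elif c == "*":
            parts.append("[^/]*")
            i += 1
        elif c == "?":
            parts.append("[^/]")
            i += 1
        elif c in "[{":
            close = "]" if c == "[" else "}"
            j = rule_path.find(close, i)
            if j < 0:
                raise ValueError("unterminated %r in %s" % (c, rule_path))
            if c == "[":
                parts.append(rule_path[i:j + 1])   # character class passes through
            else:
                alts = rule_path[i + 1:j].split(",")
                parts.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = j + 1
        else:
            parts.append(re.escape(c))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def rule_matches(rule_path, path):
    return glob_to_regex(rule_path).match(path) is not None


def suggest_rule(path, mask):
    """Rule line for a denied path and mask ('r::', 'w::', '::x'); the path is kept
    verbatim, trailing slash included. A bare 'x' is not valid in a profile and
    must be qualified by hand (Px/ix) before the line is used."""
    return "%s %s," % (path, "".join(sorted(set(mask.replace(":", "")))))


def uncovered_denials(log_text, rules_by_profile):
    """Denials whose path matches none of that profile's rule paths."""
    return [d for d in parse_denials(log_text)
            if not any(rule_matches(r, d["name"]) for r in rules_by_profile.get(d["profile"], []))]


if __name__ == "__main__":
    for (profile, path, mask), n in summarize(SAMPLE_LOG).items():
        print("%-26s denied %d x  ->  %s" % (profile, n, suggest_rule(path, mask)))
    without = {"/bin/netstat": ["@{PROC}/[0-9]*/fd"], "/etc/cron.daily/logrotate": ["/etc/logrotate.d"]}
    with_slash = {"/bin/netstat": ["@{PROC}/[0-9]*/fd/"], "/etc/cron.daily/logrotate": ["/etc/logrotate.d/"]}
    print("still uncovered without trailing slash:", len(uncovered_denials(SAMPLE_LOG, without)))
    print("still uncovered with trailing slash:   ", len(uncovered_denials(SAMPLE_LOG, with_slash)))
```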
-
Re: AppArmor Support Thread
Hello. Why does tcpdump need "usb"? And is "usb" "universal serial bus"?
It asked on my computer:
Dec 21 14:53:16 dinar-desktop kernel: [ 4185.081498] type=1503 audit(1261396396.345:195): operation="open" pid=2963 parent=2185 profile="/usr/sbin/tcpdump" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/dev/bus/usb/"
Also there is in its apparmor profile:
@{PROC}/bus/usb/ r,
@{PROC}/bus/usb/** r,
Now I have added
/dev/bus/usb/ r,
but I think I will comment it out.
Now it has asked also for /dev/usbmon1, /dev/usbmon2, /dev/usbmon3.
Maybe that is for a usb adsl modem? But mine is not that.
And I have a question about installing programs like skype and google earth. If I open their deb file with the archive manager (file-roller...?) and check the files in control.tar.gz and data.tar.gz? As I remember and know there is no installer script in the skype package and only one binary file. If there is an installer script in control.tar.gz, I should check what they do by looking at their code content, I think.
I ran some programs as root by mistake(?) sometimes, even ones not blocked with apparmor. Now I have deleted /root/ from tunables/home and suggest that to you. Now I have run firefox 3.5 as root with the apparmor profile and /root/ deleted; it could not run. I have checked the profile, I see it cannot do much, but do you know what it can do if it runs as root?
Unfortunately once I ran open office as root by mistake in a previous installation. Now only firefox is blocked. Now I am going to open files by clicking the right button first and suggest that to you when working with gksudo nautilus.
-
Re: AppArmor Support Thread
Another thing about tcpdump:
sudo tcpdump -qn > /var/log/tcpdump.log
says:
bash: /var/log/tcpdump.log: Permission denied
and nothing is written by apparmor to the log files.
By the way, why are the contents of syslog and messages and kern.log partially duplicated? How can I make each log line be written to only one log file?
-
Re: AppArmor Support Thread
You can use the edit button in the lower right of a post to add to it, instead of creating so many posts.
-
Re: AppArmor Support Thread
Hello.
I am now trying to set up worker mpm apache with apparmor. I have renamed the apparmor profile for apache to
usr.lib.apache2.mpm-worker.apache2.
Now on
sudo /etc/init.d/apache2 reload
there are these messages.
In the apache error log:
[Mon Dec 21 23:21:36 2009] [notice] SIGUSR1 received. Doing graceful restart
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
[Mon Dec 21 23:21:36 2009] [notice] Apache/2.2.12 (Ubuntu) configured -- resuming normal operations
[Mon Dec 21 23:21:36 2009] [error] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
[Mon Dec 21 23:21:36 2009] [error] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
>2009-12-24 8:57 utc+3: there were duplicated profiles ...<
In syslog:
Dec 21 23:21:36 dinar-desktop kernel: [ 4228.280778] type=1503 audit(1261426896.545:356): operation="change_hat" info="unconfined" error=-1 pid=5670
Dec 21 23:21:36 dinar-desktop kernel: [ 4228.280828] type=1503 audit(1261426896.545:357): operation="change_hat" info="unconfined" error=-1 pid=5670
Dec 21 23:21:36 dinar-desktop kernel: [ 4228.287792] type=1503 audit(1261426896.549:358): operation="change_hat" info="unconfined" error=-1 pid=5698
Dec 21 23:21:36 dinar-desktop kernel: [ 4228.287844] type=1503 audit(1261426896.549:359): operation="change_hat" info="unconfined" error=-1 pid=5698
23:55 utc+3: maybe there is a bug: http://forge.novell.com/pipermail/ap...ry/000233.html .
2009-12-22 9:40 utc+3: somehow it works now after some changes to the apache profile and "/etc/init.d/apache2 stop" and "/etc/init.d/apache2 start"s and "a2dismod apparmor" and "a2enmod apparmor". 19:15 utc+3: and after a restart of the OS.
-
Re: AppArmor Support Thread
empathy says "Failed to execute child process "firefox" (No such file or directory)" when I try to open a url in a chat room. There is in the empathy profile:
/usr/lib/firefox-3.5.*/firefox.sh Pxr,
and no log, so I do not know what is denied.
Why is there in the firefox profile (that is in ubuntu 9.10):
/usr/bin/evince PUxr,
? What is PUxr? Is it correct?
-
Re: AppArmor Support Thread
Hello. I have installed php so that apache uses it through(?) fcgid. Now I test apparmor. I test in the default vhost, it is in /var/www/; I applied a "hat" to it with the AAHatName directive in the directory tag in the virtualhost tag in apache's "default" site configuration file, but I see that the hat works only for html files. php is not blocked; it can read any files. I have made a "usr.bin.php5-cgi" profile but it does not work; maybe its name is not correct, or am I trying to confine the wrong binary program?
How do I create a profile for php?
Maybe I will try apparmor's tool for creating profiles...
-
Re: AppArmor Support Thread
Quote:
Originally Posted by
q.dinar
Hello. I have installed the extra profiles; they are installed in /usr/share/doc/apparmor....., and I have copied some of them to /etc/apparmor.d/.
When I ran the netstat program these messages appeared:
Dec 21 08:54:06 dinar-desktop kernel: [ 2393.374180] type=1503 audit(1261374846.637:173): operation="open" pid=3033 parent=2363 profile="/bin/netstat" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/proc/1/fd/"
Dec 21 08:54:06 dinar-desktop kernel: [ 2393.374225] type=1503 audit(1261374846.637:174): operation="open" pid=3033 parent=2363 profile="/bin/netstat" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/proc/2/fd/"
...
though there is
@{PROC}/[0-9]*/fd r,
in /etc/apparmor.d/bin.netstat
Quote:
Originally Posted by
q.dinar
Dec 21 08:36:49 dinar-desktop kernel: [ 1356.514076] type=1503 audit(1261373809.777:172): operation="open" pid=2710 parent=2709 profile="/etc/cron.daily/logrotate" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/logrotate.d/"
though there was
/etc/logrotate.d r,
in /etc/apparmor.d/etc.cron.daily.logrotate .
i have now added
/etc/logrotate.d/ r,
to it and will see what happens when logrotate is run by cron.
Quote:
Originally Posted by
q.dinar
i used netstat this way:
sudo netstat -tunp
and now i have added to its profile:
@{PROC}/[0-9]*/fd/ r,
and it gives other messages now, so the "trailing slash" is important here. and i hope that adding the last slash also fixed that logrotate error.
This is the difference with that final slash :) As you've noticed, adding it is necessary to allow reading not only the directory itself but also what is in that directory. I suspect that with the final slash added (assuming you've reloaded the profile) you won't see this particular error from these profiles. Also assuming of course that UNIX permissions also allow what you're trying to do ;)
Quote:
Originally Posted by
q.dinar
hello. why does tcpdump need "usb"? and is "usb" "universal serial bus"?
it asked for this on my computer:
Dec 21 14:53:16 dinar-desktop kernel: [ 4185.081498] type=1503 audit(1261396396.345:195): operation="open" pid=2963 parent=2185 profile="/usr/sbin/tcpdump" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/dev/bus/usb/"
also there is in its apparmor profile:
@{PROC}/bus/usb/ r,
@{PROC}/bus/usb/** r,
now i have added
/dev/bus/usb/ r,
but i think i will comment it out.
now it has also asked for /dev/usbmon1, /dev/usbmon2, /dev/usbmon3.
maybe that is for a usb adsl modem? but mine is not that.
As you've noticed in previous posts, sometimes access is requested that isn't actually required. As before, my general advice is to grant access you know is needed if the program isn't working properly. If the program works properly with the access you've given it, apply the principle of "if it's not broken, don't fix it" :) I believe you're right though, I think the USB-related access requests are for USB modems. Since you don't have one, you can safely ignore these messages.
Quote:
Originally Posted by
q.dinar
and i have a question about installing programs like skype and google earth. what if i open their deb file with the archive manager (file-roller...?) and check the files in control.tar.gz and data.tar.gz? as far as i remember and know there is no installer script in the skype package, only one binary file. if there is an installer script in control.tar.gz, i should check what it does by looking at its code, i think.
That is completely up to you. If you want to open the package up and check the installer script, go right ahead. But, if you're going to do that because you don't trust it, I would question the use of Skype, which is a closed program that you can't inspect in any way, more than I would question the installer script :)
Quote:
Originally Posted by
q.dinar
i ran some programs as root by mistake(?), sometimes even ones not blocked up with apparmor. now i have deleted /root/ from tunables/home and suggest that to you. now i have run firefox 3.5 as root with the apparmor profile and /root/ deleted; it could not run. i have checked the profile, i see it cannot do much, but do you know what it can do if it runs as root?
unfortunately i once ran open office as root by mistake in a previous installation. now only firefox is blocked. now i am going to open files by clicking the right button first, and suggest that to you when working with gksudo nautilus.
I'm not quite sure what you're asking (or saying?) here. Could you explain it more and I'll see if I can help?
Quote:
Originally Posted by
q.dinar
another thing about tcpdump:
sudo tcpdump -qn > /var/log/tcpdump.log
says:
bash: /var/log/tcpdump.log: Permission denied
and nothing is written by apparmor in the log files.
That's because you're being denied by UNIX permissions. Here's what happens with that command:
- The shell attempts to create the file /var/log/tcpdump.log
- The shell attempts to open the file /var/log/tcpdump.log for writing, deleting the existing contents (if any)
- The shell executes tcpdump, setting its stdout file stream to the stream opened in the last step
In your case, step 1 fails so nothing else happens. You should either redirect output to a file somewhere you can write, or use "sudo tcpdump -qn | sudo tee /var/log/tcpdump.log" to get the same result as what I believe you intend based on the command you tried.
Quote:
Originally Posted by
q.dinar
by the way, why are the contents of syslog, messages and kern.log partially duplicated? how can i make every log line be written to only one log file?
That would require a lot of playing around with the syslog configuration files.
Quote:
Originally Posted by
q.dinar
empathy says "Failed to execute child process "firefox" (No such file or directory)" when i try to open a url in a chat room. there is in the empathy profile:
/usr/lib/firefox-3.5.*/firefox.sh Pxr,
and there is no log, so i do not know what is denied.
What is denied is executing firefox. The profile allows executing firefox.sh, but Empathy is trying to execute firefox. If you change the profile accordingly, reload the profile, and restart Empathy it should work fine.
Quote:
Originally Posted by
q.dinar
why is there in the firefox profile (the one in ubuntu 9.10):
/usr/bin/evince PUxr,
? what is PUxr? is it correct?
Evince is allowed since that's what is used to read PDF files. PUxr is indeed correct; it's a new sequence for Karmic. "PUx" means "execute this program with an AppArmor profile if one exists, or execute it unconfined if no profile exists".
Quote:
Originally Posted by
q.dinar
hello. i have installed php so that apache uses it through(?) fcgid. now i test apparmor. i test in the default vhost, which is in /var/www/ ; i applied a "hat" to it with the AAHatName directive in the directory tag inside the virtualhost tag in apache's "default" site configuration file, but i see that the hat works only for html files. php is not blocked up, it can read any files. i have made a "usr.bin.php5-cgi" profile but it does not work, maybe its name is not correct - am i trying to block up the wrong binary program?
how do i create a profile for php?
maybe i will try apparmor's tool for creating profiles...
I think we will need to see the full profiles for all relevant programs to be able to best help here. If you would rather not post profiles, please describe what applications in this scenario are confined, which are executed with and without profiles, and what executable path you specify in the profiles.
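A small parser for the type=1503 denial lines quoted throughout this thread, added here as an example and not code from the thread or from the AppArmor project: it pulls profile, path and denied_mask out of each line, collapses the user:group:other mask columns (r:: and ::r both need an r rule), keeps the trailing slash on directory names as discussed above, and folds per-pid /proc paths into the @{PROC}/[0-9]*/ form used in bin.netstat. The sample lines are constructed, and the rewrite assumes the @{PROC} tunable is defined in the profile.

```python
import re

# Constructed sample lines in the layout quoted in this thread (hostname and timestamps
# made up); the last line is a change_hat event that carries no path at all.
SAMPLE_LOG = """\
Dec 21 08:54:06 host kernel: [ 2393.374180] type=1503 audit(1261374846.637:173): operation="open" pid=3033 parent=2363 profile="/bin/netstat" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/proc/1/fd/"
Dec 21 08:54:06 host kernel: [ 2393.374225] type=1503 audit(1261374846.637:174): operation="open" pid=3033 parent=2363 profile="/bin/netstat" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/proc/2/fd/"
Dec 21 08:36:49 host kernel: [ 1356.514076] type=1503 audit(1261373809.777:172): operation="open" pid=2710 parent=2709 profile="/etc/cron.daily/logrotate" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/logrotate.d/"
Dec 23 10:06:53 host kernel: [ 2359.713426] type=1503 audit(1261552013.977:461): operation="open" pid=5816 parent=5668 profile="/usr/lib/apache2/mpm-worker/apache2//HANDLING_UNTRUSTED_INPUT" requested_mask="::rw" denied_mask="::rw" fsuid=33 ouid=0 name="/dev/tty"
Dec 21 23:21:36 host kernel: [ 4228.280778] type=1503 audit(1261426896.545:356): operation="change_hat" info="unconfined" error=-1 pid=5670
"""
KV_RE = re.compile(r'(\w+)="([^"]*)"')    # the key="value" fields of an audit line
PROC_PID_RE = re.compile(r"^/proc/\d+/")   # per-process /proc entries
PERM_ORDER = "rwalkm"                      # file permission letters; x is handled separately

def parse_line(line):
    """Return the quoted key="value" fields of one audit line as a dict ({} if none)."""
    return dict(KV_RE.findall(line))

def denied_perms(mask):
    """Collapse a user:group:other mask such as 'r::' or '::rw' to the letters a rule needs."""
    letters = set(mask.replace(":", ""))   # rules do not distinguish the three columns
    perms = "".join(c for c in PERM_ORDER if c in letters)
    if "x" in letters:
        perms += "Px"   # a bare x is invalid; Px (run under its own profile) is the safe default
    return perms

def suggest_rule(fields):
    """Turn one parsed denial into a profile rule, or None when it is not a path access."""
    if "name" not in fields or "denied_mask" not in fields:
        return None     # change_hat and capable events carry no path/mask pair
    # Keep any trailing slash: '/etc/logrotate.d r,' matches a file of that name, while
    # '/etc/logrotate.d/ r,' matches the directory, which is the point made in this thread.
    name = PROC_PID_RE.sub("@{PROC}/[0-9]*/", fields["name"])  # assumes @{PROC} is defined
    return f"{name} {denied_perms(fields['denied_mask'])},"

def suggest_rules(log_text):
    """Group suggested rules by profile (hats appear as profile//HATNAME), without duplicates."""
    rules = {}
    for line in log_text.splitlines():
        fields = parse_line(line)
        rule = suggest_rule(fields)
        if rule and rule not in rules.setdefault(fields["profile"], []):
            rules[fields["profile"]].append(rule)
    return rules

if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(profile, *lines, sep="\n    ")
```

The two netstat lines collapse into the single @{PROC}/[0-9]*/fd/ r, rule, and the apache hat gets its own entry keyed by the full profile//hat name.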
-
Re: AppArmor Support Thread
hello. i have written both firefox and firefox.sh in the empathy profile; it does not work, it did not even ask for firefox through apparmor, there was only ...sh.
>14:47 utc+3 : now i have written ..sh Ux, and it works<
i think if a closed-source binary is blocked up by apparmor it is quite safe; the only thing to check is the install scripts, because they are not blocked up by apparmor, but it is good that they are open-source. can they be closed source (in a normal deb file)?
i asked about running gksudo nautilus and double-clicking files like ...html, ...doc in it, thus running such big programs as root.
thank you.
i am going to publish my old and new profiles.
after a restart apache again complained as it did before yesterday:
Dec 23 10:06:53 dinar-desktop kernel: [ 2359.691871] type=1503 audit(1261552013.953:459): operation="open" pid=5816 parent=5668 profile="/usr/lib/apache2/mpm-worker/apache2//HANDLING_UNTRUSTED_INPUT" requested_mask="::r" denied_mask="::r" fsuid=33 ouid=0 name="/etc/ld.so.cache"
Dec 23 10:06:53 dinar-desktop kernel: [ 2359.692017] type=1503 audit(1261552013.953:460): operation="open" pid=5816 parent=5668 profile="/usr/lib/apache2/mpm-worker/apache2//HANDLING_UNTRUSTED_INPUT" requested_mask="::r" denied_mask="::r" fsuid=33 ouid=0 name="/lib/libgcc_s.so.1"
Dec 23 10:06:53 dinar-desktop kernel: [ 2359.713426] type=1503 audit(1261552013.977:461): operation="open" pid=5816 parent=5668 profile="/usr/lib/apache2/mpm-worker/apache2//HANDLING_UNTRUSTED_INPUT" requested_mask="::rw" denied_mask="::rw" fsuid=33 ouid=0 name="/dev/tty"
this appears many times. an apache profile reload has helped; i will see what happens after a restart.
>14:47 utc+3 : i think this is solved now. there were 2 apache profiles, one with an incorrect file name; i thought it would not affect anything because there is no such file, but i should have edited the file name in the content of the profile file.<
11:44 utc+3 : when is HANDLING_UNTRUSTED_INPUT used, when is DEFAULT_URI used and when is the main profile used? 2009-12-24 8:54 utc+3 : http://www.mpipks-dresden.mpg.de/~mu...l/bx5dh07.html , http://manpages.ubuntu.com/manpages/...pparmor.8.html , http://www.novell.com/documentation/...a/bx5dh07.html .
11:46 utc+3: i think i know why php is not blocked: because
/ rw,
/** mrwlkix,
is in the main profile and in HANDLING_UNTRUSTED_INPUT and in DEFAULT_URI. 13:34 utc+3: now i think it is not because of this.