Thread: apparmor: how can I make a "deny network" rule work?

  1. #1
    Join Date
    Nov 2008
    Beans
    479
    Distro
    Ubuntu 10.04 Lucid Lynx

    apparmor: how can I make a "deny network" rule work?

    Hi all,

    I'm working on an AA profile. When I use a "deny" rule like this
    Code:
    deny /etc/hosts r,
    the application is denied read access to that file and this fact is not logged by AA.

    But when I use the rule with the "network inet" like this
    Code:
    deny network inet6 stream,
    the application is denied the access but it is logged.

    Why does the deny rule behave differently in these two sample cases? This is a problem for me as AA is spamming the logs with all these DENIED messages. Thanks for any tips...

  2. #2
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: apparmor: how can I make a "deny network" rule work?

    If apparmor is NOT logging a denial, it is a bug and should be reported on Launchpad.

    See also:

    https://wiki.ubuntu.com/DebuggingApparmor
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta


  3. #3
    Join Date
    Nov 2008
    Beans
    479
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: apparmor: how can I make a "deny network" rule work?

    Thanks for replying, bodhi.zazen.

    Quote Originally Posted by bodhi.zazen View Post
    If apparmor is NOT logging a denial it is a bug and should be reported on Launchpad.

    See also:

    https://wiki.ubuntu.com/DebuggingApparmor
    I'm sorry, but I don't understand your point. For example this AA wiki page states that "deny rules - In a profile any rule with the deny prefix will cause quieting of rejects matching the rule." As far as I understand, if I want a denial to be logged I should prepend it with the "audit" keyword like this
    Code:
    audit deny /etc/hosts r,
    Otherwise, according to AA docs, it should not be logged. Am I missing something here?

  4. #4
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: apparmor: how can I make a "deny network" rule work?

    Quote Originally Posted by arrange View Post
    Thanks for replying, bodhi.zazen.

    I'm sorry, but I don't understand your point. For example this AA wiki page states that "deny rules - In a profile any rule with the deny prefix will cause quieting of rejects matching the rule." As far as I understand, if I want a denial to be logged I should prepend it with the "audit" keyword like this
    Code:
    audit deny /etc/hosts r,
    Otherwise, according to AA docs, it should not be logged. Am I missing something here?
    Hard to tell from what you have posted.

    Apparmor should log a denial by default; you do not need the audit keyword to enable logging.

    See:

    http://webapp5.rrz.uni-hamburg.de/Su...les.audit.html

    When you use the "audit" keyword in a profile, the denial is "tagged" with the word audit.

    You can then find these denials (in all the noise) with grep.

    I suggest you follow the logs and watch what happens.

  5. #5
    Join Date
    Nov 2008
    Beans
    479
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: apparmor: how can I make a "deny network" rule work?

    I followed your advice and created a profile for /usr/bin/head. Then I tested its behavior with a deny vs. an audit deny rule. On my system (Ubuntu 10.10, AA 2.5.1-0ubuntu0.10.10.2) deny rules are not logged:
    Code:
    root@mm:/etc/apparmor.d# jobs
    [1]+  Running                 tail -f /var/log/syslog &
    
    # `head' is set to deny reading the /tmp/file.txt file
    ################################
    root@mm:/etc/apparmor.d# cat usr.bin.head 
    #include <tunables/global>
    
    /usr/bin/head {
      #include <abstractions/base>
      #include <abstractions/nameservice>
    
      deny /tmp/file.txt r,
    }
    
    root@mm:/etc/apparmor.d# aa-enforce usr.bin.head 
    Setting /etc/apparmor.d/usr.bin.head to enforce mode.
    Dec  2 21:11:52 mm kernel: [ 3303.662743] type=1400 audit(1291320712.890:236): apparmor="STATUS" operation="profile_replace" name="/usr/bin/head" pid=6972 comm="apparmor_parser"
    
    # `head' can't read the file, and the fact is NOT logged
    ###################################
    root@mm:/etc/apparmor.d# head /tmp/file.txt 
    head: cannot open `/tmp/file.txt' for reading: Permission denied
    
    # now we change "deny" → "audit deny"
    ########################################
    root@mm:/etc/apparmor.d# sed -i 's:deny:audit\ deny:' usr.bin.head 
    root@mm:/etc/apparmor.d# aa-enforce usr.bin.head 
    Setting /etc/apparmor.d/usr.bin.head to enforce mode.
    Dec  2 21:12:49 mm kernel: [ 3359.804737] type=1400 audit(1291320769.034:237): apparmor="STATUS" operation="profile_replace" name="/usr/bin/head" pid=7083 comm="apparmor_parser"
    
    # `head' now can't read the file and it IS logged
    ###################################################
    root@mm:/etc/apparmor.d# head /tmp/file.txt 
    head: cannot open `/tmp/file.txt' for reading: Permission denied
    Dec  2 21:12:56 mm kernel: [ 3367.241958] type=1400 audit(1291320776.470:238): apparmor="DENIED" operation="open" parent=3545 profile="/usr/bin/head" name="/tmp/file.txt" pid=7098 comm="head" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    Is it a bug? I hope not.
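The two posts above turn on the same practical question: which rules are producing the DENIED lines in syslog, and whether a given rule should be written as a quiet "deny" or as a logged "audit deny". The following is an added example, not code from this thread or from the AppArmor project. It parses kernel audit lines of the shape shown in post #5 and counts denials per profile and per reconstructed rule, which is the step post #4 suggests doing with grep. The sample log is constructed; the file-open line is modelled on the one in post #5, while the socket_create line and its family=/sock_type= fields are an assumption about how a network denial is reported and are not taken from the thread.

```python
"""Added example (not from this thread or the AppArmor project): parse the
kernel audit lines AppArmor writes to syslog and count denials per profile
and per reconstructed rule, so the rules generating log noise are visible
before you decide whether to write them as "deny" (quiet) or "audit deny"
(logged)."""
import re
from collections import Counter

# Constructed sample, modelled on the syslog lines shown in post #5.  The
# socket_create lines and their family=/sock_type= fields are an assumption
# about how a network denial is reported; they are not taken from the thread.
SAMPLE_LOG = """\
Dec  2 21:11:52 mm kernel: [ 3303.662743] type=1400 audit(1291320712.890:236): apparmor="STATUS" operation="profile_replace" name="/usr/bin/head" pid=6972 comm="apparmor_parser"
Dec  2 21:12:56 mm kernel: [ 3367.241958] type=1400 audit(1291320776.470:238): apparmor="DENIED" operation="open" parent=3545 profile="/usr/bin/head" name="/tmp/file.txt" pid=7098 comm="head" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec  2 21:13:10 mm kernel: [ 3381.001122] type=1400 audit(1291320790.120:239): apparmor="DENIED" operation="socket_create" profile="/usr/bin/head" pid=7101 comm="head" family="inet6" sock_type="stream" protocol=0
Dec  2 21:13:11 mm kernel: [ 3381.998877] type=1400 audit(1291320791.210:240): apparmor="DENIED" operation="socket_create" profile="/usr/bin/head" pid=7102 comm="head" family="inet6" sock_type="stream" protocol=0
Dec  2 21:13:12 mm kernel: [ 3382.500000] Out of memory: kill process 1234
"""

# key=value pairs after "type=1400 audit(...):", either "quoted" or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict,
    or None when the line is not an AppArmor message at all."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in _KV.finditer(line):
        # group 2 is a quoted value, group 3 a bare one (pid=7098, fsuid=0)
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def rule_for(event):
    """Reconstruct the rule body that would match this denial, in the
    syntax used in the thread (file rule or network rule).  The caller
    chooses the "deny" or "audit deny" prefix.  Returns None for event
    kinds this example does not model."""
    if "family" in event and "sock_type" in event:
        return "network %s %s," % (event["family"], event["sock_type"])
    if "name" in event and "denied_mask" in event:
        return "%s %s," % (event["name"], event["denied_mask"])
    return None


def summarize_denials(log_text):
    """Count DENIED events (and AUDIT-tagged ones, which AppArmor emits for
    audited allows) per (status, profile, rule).  STATUS lines such as the
    profile_replace messages from aa-enforce are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or ev.get("apparmor") not in ("DENIED", "AUDIT"):
            continue
        counts[(ev["apparmor"], ev.get("profile"), rule_for(ev))] += 1
    return counts


if __name__ == "__main__":
    # Noisiest rules first; in practice feed this /var/log/syslog or the
    # output of "tail -f" instead of the constructed sample.
    for (status, profile, rule), n in summarize_denials(SAMPLE_LOG).most_common():
        print("%4d  %-7s %-14s %s" % (n, status, profile, rule))
```

Run against a real syslog, the counts tell you which rule a quiet "deny" would silence and which one you would rather keep as "audit deny" so its hits stay visible; the "%-14s" profile column is only for readability of the sample.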

  6. #6
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: apparmor: how can I make a "deny network" rule work?

    Quote Originally Posted by arrange View Post
    [post #5 quoted in full]
    See post #2

  7. #7
    Join Date
    Nov 2008
    Beans
    479
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: apparmor: how can I make a "deny network" rule work?

    Do you happen to have a link which would confirm that, as you say, "Apparmor should log a denial by default, you do not need the audit keyword to enable logging."? I can't find any. The link you gave me (http://webapp5.rrz.uni-hamburg.de/Su...les.audit.html) does not talk about this.

    Thanks.

  8. #8
    Join Date
    Apr 2009
    Beans
    8

    Re: apparmor: how can I make a "deny network" rule work?

    Yes, I'm new to Ubuntu and AppArmor, and I have the same problem now.

    I added "deny network inet6", but aa-notify still pops up a message telling me that Firefox tries to "create inet6 stream".
    The deny keyword does not seem to work on network rules.

    Does anyone know about this?
    Any workaround?

    Thank you.

  9. #9
    Join Date
    Jul 2007
    Location
    Magic City of the Plains
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: apparmor: how can I make a "deny network" rule work?

    If a post is older than a year or so and hasn't had a new reply in that time, instead of replying to it, create a new thread. In the software world, a lot can change in a very short time, and doing things this way makes it more likely that you will find the best information. You may link to the original discussion in the new thread if you think it may be helpful.
