Page 17 of 19
Results 161 to 170 of 185

Thread: AppArmor Support Thread

  1. #161
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!

    Re: AppArmor Support Thread

    Quote Originally Posted by MiniT View Post
    That means the firefox or transmission or samba critter may have a user account of sorts in a group of some kind - and defined limits thereof.
    It's actually not important what the user account is until you look at rules that have the "owner" directive or use the "@{HOME}" expansion.

    Quote Originally Posted by MiniT View Post
    What I don't get is why I can Save Page As . . . and see - pretty much anything. Maybe even save to most sensitive areas - by default?
    AppArmor may (for various reasons) allow you to view areas even if you can't save there. In the default Firefox profile, at least as I have it, Firefox only has write access to ~/Downloads/, ~/.config/ibus/bus/ and ~/.gnome2/firefox*-bin-*. But, it has read access to the home directory and to ~/Public/. So under that profile, if you use Save As in Firefox, you could go into ~/Public/ and view what's there, but you would get an error if you actually tried to save there. Are you experiencing something different? Post your whole profile if you are, we can look at it and try to figure it out.

    Quote Originally Posted by MiniT View Post
    What if I start with a profile that basically says:
    audit deny / mrwkl # or anything else goshdarnit
    That probably won't work quite as well as you think and would lead to a much larger profile than is necessary. What's in the default Firefox profile, which is "/ r", is a good starting point.
    Joel Goguen
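    What the read/write split described above looks like as actual profile rules. This is an added example, not the thread's Firefox profile or any profile shipped by Ubuntu; the program path /usr/bin/example, the abstraction set and the two writable directories are assumptions chosen to illustrate the points made in the post.

```apparmor
# Added example (not a profile from the thread): a program that may read
# the user's home but write only under ~/Downloads and ~/Desktop.
# /usr/bin/example and the writable directories are assumptions.
#include <tunables/global>

/usr/bin/example {
  #include <abstractions/base>

  # The profiled binary itself: readable and mappable as executable.
  /usr/bin/example mr,

  # Read the root directory entry (the default Firefox profile's "/ r,")
  # and the user's own home tree. There is no write here, so a "Save As"
  # dialog can browse ~/Public but the actual save fails with a denial.
  / r,
  owner @{HOME}/ r,
  owner @{HOME}/** r,

  # Writes are allowed only in these two trees. "owner" restricts a rule to
  # files whose owner uid equals the process's fsuid, so a same-named path
  # owned by root is not writable through it. @{HOME} comes from
  # tunables/global, so the rule does not hard-code a user name.
  owner @{HOME}/Downloads/ rw,
  owner @{HOME}/Downloads/** rwk,
  owner @{HOME}/Desktop/ rw,
  owner @{HOME}/Desktop/** rwk,

  # Everything else under @{HOME} is unlisted and therefore denied; AppArmor
  # is default-deny, so no "deny" rule is needed for that. An explicit deny
  # is mainly useful to override access that an #include has granted, since
  # deny rules take precedence over allow rules.
  deny @{HOME}/.ssh/** mrwkl,
  deny @{HOME}/.gnupg/** mrwkl,
}
```

    Load it with `apparmor_parser -r` on the profile file and switch it to complain mode first (`aa-complain`) to see which accesses the program actually needs before enforcing.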

  2. #162
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    Ah, as I thought originally.
    AppArmor is supposed to be a semi-standalone permissions enforcer, yes?
    A hand smackin', keep the kids in line, hard nosed old so and so.

    Good.

    So I'll figure out how to pin my profile for Firefox up here and you'll see DENYs for things that prob'ly shouldn't be allowed by default, but I had access to write to. Thus the DENY rules I wrote.

    Suspected issue with my messing in the code . . . we'll see.

    miniT

    maybe in new post I can add attachment?
    Last edited by MiniT; August 17th, 2011 at 09:52 PM. Reason: trying to add attachment to get feedback

  3. #163
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    Well , two problems you have ...

    1. Yes, there is a learning curve with apparmor, there is one with selinux as well

    2. You are starting with a profile for firefox, try starting with a smaller, easier application and then working your way up to firefox.

    http://blog.bodhizazen.net/linux/app...ivoxy-profile/
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  4. #164
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!

    Re: AppArmor Support Thread

    AppArmor is a method for implementing Mandatory Access Control (see http://en.wikipedia.org/wiki/Mandatory_access_control for an overview; SELinux is another implementation). Enjoy your first round of light reading.
    Joel Goguen

  5. #165
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    Ah there we go. (That's a friendly color, I think I'll stay with it.)
    Attachment attached in the attachable position.
    So, do your worst.
    It seems to be working for what I want. And watch TV on internet.
    I can get to everything I need, the /var/log/messages is silent for FF!
    That is unless I try to open something forbidden or save to somewhere forbidden. [bong]USER SMACKDOWN! <-- also with the dialog box.

    You'll note the limits on folders within my user's home.
    I should only be able to write to Downloads and Desktop.
    That's how it works at present, with the DENYs in place.
    Oh, and despite the comment, OWNER found its way back in.
    Without it . . . something wasn't working?
    I forget, but this is a single user computer, so who cares right?


    Perhaps there's something I should have seen, but the DENYs were necessary to limit writing to directories in home, when she was set to Enforce.

    Profile cobbled together for Firefox 5/Linux Mint 10 (Gnome) "Julia"
    This OS is based on Ubuntu 10.10(just prettier + some tweaks).

    Thanks for helping dudes, you're both awesome.
    Oh you slipped in while i was typing and eating oatmeal. . .
    . . .
    did some reading and will do some more . . .
    So folder/file permissions are DAC - user adjustable, relatively insecure. And AppArmor is . . . not simple to describe, but works in relation to kernel to keep programs/processes in line.

    OK, it seems like I should have to Explicitly grant access to somewhere, or that by saying Read access is granted, that implies nothing else is OK.
    But should NOT have to Deny access to any of the other folders in Home unless I granted it in the first place . . . maybe in the Includes . .?

    Is it possible this is a Minty re-imagining of . . . sumthin'? Don't even want to think about that.
    I will sieve through the Mint resources I can find and see if they have any advice to offer on this - unless you tell me I am being thick and IT'S RIGHT THERE in front of my face. First time for everything.


    --------------
    I feel like I've visited this post before . . .
    Last edited by MiniT; August 17th, 2011 at 11:27 PM. Reason: not feeling like eating beans today

  6. #166
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    Ok.
    Me: too many words B4, not enough content.

    M.A.C. reading led to more. See helpful (many overlaps) below:

    http://en.wikipedia.org/wiki/Mandatory_access_control
    Main Page - AppArmor
    AppArmor - Community Ubuntu Documentation
    AppArmor Detail - openSUSE
    SDB:AppArmor geeks - openSUSE
    [all variants] Introduction to AppArmor - Ubuntu Forums
    AppArmor - Ubuntu Wiki

    Also read Ubuntu Security wiki et al, props to Bodhi.zazen.

    Then scanned my usr.bin.firefox, its includes, their includes, variables, et cetera.

    Came full circle to a post/thread I already had in bookmarks . . .
    [SOLVED] How to test that Apparmor is working? - Ubuntu Forums
    The name is not what I was looking for. I knew AA was working, just not right. Got the link to BZ's FF profile there - but missed the rest!

    This is a problem in AppArmor version 2.5.1, for Ubuntu 10.10.4.
    If you read that SOLVED:
    Yeah, but his profile apparently does not allow writing to a directory he is writing to. So something is wrong somewhere, and I doubt it's the profile.
    They did as I did and traced back to user-files. Therein is the problem.

    Also discovered potential for JAVA SCRIPTS to have rwk privileges in my HOME! From /etc/apparmor.d/abstractions/ubuntu-browsers.d/java :
    owner @{HOME}/ r,
    owner @{HOME}/** rwk,
    What the . . . !
    Does that say what I think it does?!
    Please tell me javascripts are not allowed to read/write as they please in my only user's home directory. (no pets allowed!)

    I think these are two mistakes that need reporting.
    Is it Launchpad? Log in just like this forum?

    I suppose my profile for FF is good for now, except the JAVA issue.
    I will figure how to report if you can help me fix (if it needs fixing/reporting).

    Please set me straight if I need it!

    Respectfully,
    miniT

  7. #167
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!

    Re: AppArmor Support Thread

    Quote Originally Posted by MiniT View Post
    Does that say what I think it does?!
    Please tell me javascripts are not allowed to read/write as they please in my only user's home directory. (no pets allowed!)
    No, JavaScript never has access to the file system. That profile snippet is for Java, which is a whole other nasty thing. But yes, that does mean "read $HOME and read/write anything under $HOME". Which I think we both agree is a Bad Thing (although needed for Java to work...) and is a reason why I tend to avoid Java where I can. If you don't use Java applets, you could try removing that and see how far you get.

    Always remember, despite any naming similarities Java and JavaScript are not related. It tends to help to think less about "JavaScript" and more about "ECMAScript". JavaScript is a dialect of ECMAScript, and so are JScript, QtScript and ActionScript. Thinking of it as ECMAScript also helps to avoid any confusion with Java, which is completely unrelated and wholly separate from JavaScript.
    Joel Goguen

  8. #168
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    I'll read up on Java (and ECMA scripts). Thank you.

    A load off of the mind!
    So, perhaps just striking the line that calls up the java file?
    Or edit its permissions to a strict level with audit DENYs and watch what happens?

    Why does it need ALL of Home? That's greedy.

  9. #169
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!

    Re: AppArmor Support Thread

    I'm not familiar with Java so I'm not sure what the plugin needs under $HOME to make it so greedy. This is part of why bodhi.zazen suggested you start with a smaller program and work up to Firefox.

    I rarely allow Java applets at home, so I can safely remove the Java abstraction from the Firefox abstraction. However, that does imply a bit of extra work when I actually do need to run Java applets as I need to put that line back, reload AppArmor, restart Firefox and then undo it all again later. AppArmor is anything but "fire and forget", much to the annoyance of people looking for a simple no-maintenance solution.
    Joel Goguen

  10. #170
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    Quote Originally Posted by jgoguen View Post
    AppArmor is anything but "fire and forget", much to the annoyance of people looking for a simple no-maintenance solution.
    Yeah, moving target makes it more fun!

    EDIT: fixed this profile, see next post if you like
    Speaking of which:
    Simple Transmission profile, in complain mode.
    One line popped up in /var/log/messages that I couldn't figure out how to fix.

    When Trans. profile is complaining, magnet links work from Firefox, open in Trans. But I get a line similar to below, but allowed.
    When Trans. profile is enforced, magnet links don't ask to open with Transmission.
    No problem with torrent files, though. And I get this in messages:

    Code:
    Aug 21 10:46:52 mini1012 kernel: [ 2682.813007] type=1400 audit(1313938012.696:49): apparmor="DENIED" operation="file_mprotect" parent=1 profile="/usr/bin/transmission" name="/usr/bin/transmission" pid=2905 comm="transmission" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    I have to figure out what the IDs are referring to and allow right?
    Oops, there's my inexperience showing!

    A link to a similar problem solved would be a fine answer.
    Any help appreciated, dudes.

    EDIT: something to do with ps or pstree or ptrace commands? am searching . . .
    Found the following in my bookmarks LOL, but can become more independent of others' work when I know more about the above.
    Transmission profile in Share your AppArmor Profiles - thank you DanneStrat!

    MiniT

    ----------------------------------
    you guys
    Last edited by MiniT; August 22nd, 2011 at 03:40 AM. Reason: more and more and more specific
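    Turning the denial line quoted in the post above into a profile rule. This is an added example and not code from the thread or from the AppArmor project (aa-logprof does the real version of this). The first log record is the one posted above; the other two records, the Firefox profile name `/usr/lib/firefox-5.0/firefox`, the home directory `/home/minit` and the paths under it are constructed for the example. Two decisions the example encodes: `owner` is only correct when the file's owner uid equals the task's fsuid (the Transmission line has fsuid=1000 but ouid=0, so no `owner`), and a `file_mprotect` denial is a request to map the file with PROT_EXEC, which AppArmor's `m` permission governs, so the suggested rule for the binary is `mr` rather than just `r`.

```python
"""Parse AppArmor audit records and suggest the rule each denial asks for.

Added example; not part of the thread or of AppArmor's own tooling.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One key=value token of an audit record: the value is "quoted" or a bare word.
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Log mask letters mapped to profile permission letters; "c" (create) in a
# log is granted by "w" in a rule. _PERM_ORDER is the canonical spelling.
_MASK_MAP = {"c": "w"}
_PERM_ORDER = "mrwalk"


@dataclass
class Denial:
    operation: str
    profile: str
    name: str
    denied_mask: str
    fsuid: Optional[int]
    ouid: Optional[int]


def parse_record(line: str) -> dict:
    """Split an audit line into its key=value fields, quotes removed."""
    fields = {}
    for m in _TOKEN.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def _int_field(fields: dict, key: str) -> Optional[int]:
    value = fields.get(key, "")
    return int(value) if value.isdigit() else None


def parse_denial(line: str) -> Optional[Denial]:
    """Return a Denial for an apparmor="DENIED" file record, else None.

    Complain-mode records carry apparmor="ALLOWED" and are skipped, as are
    records without a file name (capability denials, for instance).
    """
    f = parse_record(line)
    if f.get("apparmor") != "DENIED" or "name" not in f:
        return None
    return Denial(
        operation=f.get("operation", ""),
        profile=f.get("profile", ""),
        name=f["name"],
        denied_mask=f.get("denied_mask", f.get("requested_mask", "")),
        fsuid=_int_field(f, "fsuid"),
        ouid=_int_field(f, "ouid"),
    )


def suggest_rule(d: Denial, home: Optional[str] = None) -> str:
    """The narrowest allow rule for this denial.

    "owner" is added only when the file's owner (ouid) equals the task's
    fsuid. A file_mprotect denial is a PROT_EXEC mapping, governed by the
    "m" permission, so "m" is added to the denied mask. If `home` is given
    and the path lies under it, the path is rewritten with @{HOME}.
    """
    perms = {_MASK_MAP.get(c, c) for c in d.denied_mask}
    if d.operation == "file_mprotect":
        perms.add("m")
    mask = "".join(p for p in _PERM_ORDER if p in perms)
    owner = "owner " if d.fsuid is not None and d.fsuid == d.ouid else ""
    path = d.name
    if home:
        base = home.rstrip("/")
        if path.startswith(base + "/"):
            path = "@{HOME}" + path[len(base):]
    return f"{owner}{path} {mask},"


def rules_for_log(lines: List[str], home: Optional[str] = None) -> List[str]:
    """Unique suggested rules for every DENIED record in `lines`, in order."""
    seen, out = set(), []
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        rule = suggest_rule(d, home)
        if rule not in seen:
            seen.add(rule)
            out.append(rule)
    return out


# Record 0 is the line quoted in the post above. Records 1 and 2 are
# constructed: a complain-mode ALLOWED record, and a write denied under the
# user's home where fsuid == ouid (so "owner" applies).
SAMPLE_LOG = [
    'Aug 21 10:46:52 mini1012 kernel: [ 2682.813007] type=1400 audit(1313938012.696:49): '
    'apparmor="DENIED" operation="file_mprotect" parent=1 profile="/usr/bin/transmission" '
    'name="/usr/bin/transmission" pid=2905 comm="transmission" requested_mask="r" '
    'denied_mask="r" fsuid=1000 ouid=0',
    'Aug 21 10:47:03 mini1012 kernel: [ 2693.000000] type=1400 audit(1313938023.000:50): '
    'apparmor="ALLOWED" operation="open" parent=1 profile="/usr/bin/transmission" '
    'name="/home/minit/.config/transmission/settings.json" pid=2905 comm="transmission" '
    'requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000',
    'Aug 21 10:48:10 mini1012 kernel: [ 2760.000000] type=1400 audit(1313938090.000:51): '
    'apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-5.0/firefox" '
    'name="/home/minit/Public/page.html" pid=3012 comm="firefox-bin" requested_mask="wc" '
    'denied_mask="wc" fsuid=1000 ouid=1000',
]

if __name__ == "__main__":
    for rule in rules_for_log(SAMPLE_LOG, home="/home/minit"):
        print(rule)
```

    Run against the three sample records it prints `/usr/bin/transmission mr,` and `owner @{HOME}/Public/page.html w,`; the ALLOWED record is skipped because in complain mode nothing was actually refused. Whether a suggested rule should go into the profile is still a judgement call: the second rule here is exactly the kind of write a browser profile is supposed to refuse.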
