
Thread: Are apparmor profiles available for rhythmbox or Totem?

  1. #1
    Join Date
    Sep 2011
    Beans
    61

    Are apparmor profiles available for rhythmbox or Totem?

    I am looking for apparmor profiles for Rhythmbox and Totem (movie player) for Ubuntu 10.04. If these are available, can anybody please inform me of their location? (I have found some such profiles, but these were meant for older Ubuntu versions and are probably not up to date.)

  2. #2
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Are apparmor profiles available for rhythmbox or Totem?

    You can roll your own. Or I can make one and try to link it, but it may or may not work exactly right (depending on which directory your music is in).

    EDIT: Just made one for Rhythmbox. I tested it and it seems to work for almost everything. I am assuming that your music folder (where your MP3s are stored) is somewhere in your /home directory. If you want to edit the music files (that is, write to them) from within rhythmbox you may have to give your music directory write access (by appending "w" to the profile). Other than that it seems fully functional.

    Drop the profile into /etc/apparmor.d and name it "usr.bin.rhythmbox". Then set it to enforce mode and restart rhythmbox.

    Code:
    # Last Modified: Mon Apr 30 11:58:21 2012
    #include <tunables/global>

    /usr/bin/rhythmbox {
      # Shared abstractions: sound output, common libraries, the session bus,
      # name resolution and the Python runtime that the plugins need
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/dbus-session>
      #include <abstractions/evince>
      #include <abstractions/nameservice>
      #include <abstractions/python>

      # CD drive plus apt and release information
      /dev/sr0 rw,
      /etc/apt/apt.conf.d/ r,
      /etc/apt/apt.conf.d/* r,
      /etc/lsb-release r,

      # Read the whole home tree (the music library); write and lock only
      # Rhythmbox's own cache and state files
      /home/*/** r,
      /home/*/.cache/dconf/user rw,
      /home/*/.cache/rhythmbox/** rwk,
      /home/*/.local/share/rhythmbox/** rwk,
      /home/*/.local/share/webkit/icondatabase/* rwk,
      /home/*/.pulse-cookie rwk,
      /home/*/.config/ibus/bus/ rw,

      # Process and device information, read-only
      /proc/*/auxv r,
      /proc/*/cmdline r,
      /proc/*/mounts r,
      /sys/bus/ r,
      /sys/bus/usb/devices/ r,
      /sys/class/ r,
      /sys/class/usb/ r,
      /sys/devices/** r,

      # Scratch space, libraries, the helper binaries it executes, and
      # PulseAudio shared memory
      owner /tmp/** lk,
      /tmp/** mrw,
      /usr/bin/gst-install rix,
      /usr/bin/rhythmbox mr,
      /usr/lib{,32,64}/** mrw,
      /usr/lib/rhythmbox/rhythmbox-metadata rix,
      owner /{run,dev}/shm/pulse-shm* k,
      /{run,dev}/shm/pulse-shm* rw,
    }
    If you notice something doesn't work (like a plugin) then you may have to look at your logs (/var/log/syslog) and see what it is denying and then make changes accordingly.
    Last edited by rookcifer; May 2nd, 2012 at 08:52 PM.
    Occam's Razor for computers: Viruses must never be postulated without necessity -- nevius

    My Blog
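    The "look at your logs and see what it is denying" step above, as a small script added here (not rookcifer's code, and not a replacement for aa-logprof, which does this properly): it picks the apparmor="DENIED" records out of syslog-style lines and collapses them into candidate profile rules. The log lines are constructed samples; generalising /home/<user>/ to /home/*/ and adding the owner prefix when fsuid equals ouid are my own heuristics.

```python
import re
from collections import defaultdict

# key="value" and key=value pairs of an AppArmor audit record
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HOME_RE = re.compile(r'^/home/[^/]+/')

# Constructed sample lines (not real log output) in the format Ubuntu's kernel
# uses when it writes AppArmor denials to /var/log/syslog.
SAMPLE_SYSLOG = """\
May  2 20:10:01 box kernel: [ 812.1] type=1400 audit(1335989401.1:40): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/rhythmbox" name="/home/alice/.config/rhythmbox/rhythmdb.xml" pid=50 comm="rhythmbox" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
May  2 20:10:02 box kernel: [ 812.2] type=1400 audit(1335989401.2:41): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/rhythmbox" name="/home/alice/.config/rhythmbox/rhythmdb.xml" pid=50 comm="rhythmbox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May  2 20:10:03 box kernel: [ 812.3] type=1400 audit(1335989401.3:42): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/rhythmbox" name="/etc/gtk-2.0/gtkrc" pid=50 comm="rhythmbox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May  2 20:10:04 box kernel: [ 812.4] type=1400 audit(1335989401.4:43): apparmor="DENIED" operation="exec" parent=1 profile="/usr/bin/rhythmbox" name="/usr/lib/rhythmbox/rhythmbox-metadata" pid=51 comm="rhythmbox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
May  2 20:10:05 box kernel: [ 812.5] type=1400 audit(1335989401.5:44): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/bin/rhythmbox" name="/usr/share/icons/x.png" pid=50 comm="rhythmbox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May  2 20:10:06 box cron[77]: (root) CMD (run-parts /etc/cron.hourly)
"""

def parse_denials(text):
    """Return the apparmor="DENIED" records as dicts; every other line is skipped."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = {k: q or u for k, q, u in KV_RE.findall(line)}
        if all(k in rec for k in ('profile', 'name', 'denied_mask')):
            records.append(rec)
    return records

def suggest_rules(text):
    """Collapse the denials into candidate rules, one list per profile name."""
    masks = defaultdict(set)
    for rec in parse_denials(text):
        path = HOME_RE.sub('/home/*/', rec['name'])   # generalise the user name
        owner = rec.get('fsuid') == rec.get('ouid')   # the file is the user's own
        masks[(rec['profile'], path, owner)].update(rec['denied_mask'])
    rules = defaultdict(list)
    for (profile, path, owner), mask in sorted(masks.items()):
        # create/append/delete are all plain write access in profile syntax;
        # an exec denial becomes ix (inherit this profile), which you should review
        norm = {'w' if c in 'acd' else c for c in mask}
        perms = ''.join(c for c in 'mrwlk' if c in norm) + ('ix' if 'x' in norm else '')
        rules[profile].append(('owner ' if owner else '') + f'{path} {perms},')
    return dict(rules)

if __name__ == '__main__':
    for profile, lines in suggest_rules(SAMPLE_SYSLOG).items():
        print(profile + ' {\n  ' + '\n  '.join(lines) + '\n}')
```

    Paste the suggested lines into the profile, then reload it and watch the log again; each pass removes one layer of denials.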

  3. #3
    Join Date
    Mar 2011
    Beans
    701

    Re: Are apparmor profiles available for rhythmbox or Totem?

    Shouldn't be hard to make a profile for those programs. They pretty much just need read access to a few areas in your home directory, you could pretty much do

    /home/*/** r, and it would only take about 5 minutes to make the rest of the profile.

  4. #4
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Are apparmor profiles available for rhythmbox or Totem?

    Quote Originally Posted by Hungry Man
    Shouldn't be hard to make a profile for those programs. They pretty much just need read access to a few areas in your home directory, you could pretty much do

    /home/*/** r, and it would only take about 5 minutes to make the rest of the profile.
    Well they need more than read access to /home as you can see from the above profile. But, yeah, it's not really hard to make one, you just need to understand what each entry is doing and why.

  5. #5
    Join Date
    Mar 2011
    Beans
    701

    Re: Are apparmor profiles available for rhythmbox or Totem?

    Yeah, it should need read access to its own folders, probably some theme areas, and then a few more, which will take only a few minutes to get through aa-logprof.

  6. #6
    Join Date
    Sep 2011
    Beans
    61

    Re: Are apparmor profiles available for rhythmbox or Totem?

    Thanks for your replies.
    I am willing to learn how to write apparmor profiles. Can anybody please tell me which particular material will be helpful for people like me?

    I confess, I do not understand the internal processes which take place related to apparmor. E.g., why in the given profile are there exactly six particular #include <abstractions/...>? How is python related in the process? How does one figure out that exactly the following directories are to be considered first [/dev/sr0, /etc/apt/apt.conf.d, ..., /etc/lsb-release]? By the way, I am unable to locate /dev/sr0 and /etc/lsb-release. Similarly, exactly how does one figure out which directories among many of the /proc/*, /sys/* and /usr/* are to be considered and the required permissions to be given? The job is non-trivial for me and I certainly cannot do it in five minutes.

  7. #7
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Are apparmor profiles available for rhythmbox or Totem?

    Quote Originally Posted by Hungry Man
    Yeah, it should need read access to its own folders, probably some theme areas, and then a few more, which will take only a few minutes to get through aa-logprof.
    It needs write and lock access to various directories as well. That is where care should be taken.

    Quote:
    Thanks for your replies.
    I am willing to learn how to write apparmor profiles. Can anybody please tell me which particular material will be helpful for people like me?
    There's a sticky at the top of the forums that explains the process.

    Quote:
    I confess, I do not understand the internal processes which take place related to apparmor. E.g., why in the given profile are there exactly six particular #include <abstractions/...>?
    Abstractions are like mini-profiles that are there because many programs use the same directories and processes. So instead of writing it out for each profile, they put them in an abstraction so all programs can use it.

    Quote:
    How is python related in the process? How does one figure out that exactly the following directories are to be considered first [/dev/sr0, /etc/apt/apt.conf.d, ..., /etc/lsb-release]? By the way, I am unable to locate /dev/sr0 and /etc/lsb-release.
    Python is there because Rhythmbox uses python, so it needs access to the python libs. /dev/sr0 is my CD-ROM drive. It may be different on your system. Not sure why you don't have an lsb-release.

    Quote:
    Similarly, exactly how does one figure out which directories among many of the /proc/*, /sys/* and /usr/* are to be considered and the required permissions to be given? The job is non-trivial for me and I certainly cannot do it in five minutes.
    Generally it does no harm to allow *read* access to /proc.

  8. #8
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: Are apparmor profiles available for rhythmbox or Totem?

    My question is: why exactly would one need an apparmor profile for Rhythmbox and Totem? It's not like a music or a video file could compromise anything in your system; after all, it's just a media file! Not an executable one! The only thing I can think of to sandbox (besides browsers and system services) is LibreOffice, because certain document files (ones that were invented by a company starting with "M" who uses a technology called ActiveX) might affect LO.
    Last edited by 0011235813; May 1st, 2012 at 08:11 PM.
    Read my technology blog at: http://penguincampaigner.wordpress.com

  9. #9
    Join Date
    Mar 2011
    Beans
    701

    Re: Are apparmor profiles available for rhythmbox or Totem?

    Quote Originally Posted by 0011235813
    My question is: why exactly would one need an apparmor profile for Rhythmbox and Totem? It's not like a music or a video file could compromise anything in your system
    Of course it could.

    I can think of three scenarios.

    1) Malicious video file used to exploit the program. (Images can do this, but it's rare because of how they're stored, still entirely possible.)

    2) Malicious file tries to get it to download a codec.

    3) MITM attack (or malicious compromised server) tries to drop malicious package that would otherwise be marked for rhythmbox.

    Not sure how viable #2 is on Linux. #3 Requires a method to hijack the session, someone on your network, and some flaw in the delivery system (which has happened before.)

    I don't think any of these are very likely (I can actually think of a fourth (other program is initially exploited, loads up rhythmbox for local exploit.) ) But it doesn't hurt anything to set up a profile.

  10. #10
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: Are apparmor profiles available for rhythmbox or Totem?

    Quote Originally Posted by Hungry Man
    Of course it could.

    I can think of three scenarios.

    1) Malicious video file used to exploit the program. (Images can do this, but it's rare because of how they're stored, still entirely possible.)

    2) Malicious file tries to get it to download a codec.

    3) MITM attack (or malicious compromised server) tries to drop malicious package that would otherwise be marked for rhythmbox.

    Not sure how viable #2 is on Linux. #3 Requires a method to hijack the session, someone on your network, and some flaw in the delivery system (which has happened before.)

    I don't think any of these are very likely (I can actually think of a fourth (other program is initially exploited, loads up rhythmbox for local exploit.) ) But it doesn't hurt anything to set up a profile.
    In any case, the Rhythmbox profile didn't work; I got an error message stating there was a missing last line. Still, I'm curious as to how a media file could affect security? That is, besides any of the stuff made by Microsoft, as I know Windows Media Player does use exploitable ActiveX for some of its "features". Which I'm not sure would affect Totem or LO; they don't have AX, right? A media file is just a file container with a video stream and an audio stream from what I know, and maybe some files that are used to make Chapters in DVDs etc.

    EDIT:
    I just found this profile for totem:
    Code:
    #include <tunables/global>

    /usr/bin/totem flags=(complain) {
      #include <abstractions/base>

      /dev/shm/ r,
      owner /dev/shm/pulse-shm-1579451937 r,
      owner /dev/shm/pulse-shm-2903800023 r,
      owner /dev/shm/pulse-shm-2933723921 rw,
      owner /dev/shm/pulse-shm-4283548248 r,
      /etc/fonts/** r,
      /etc/gtk-2.0/gdk-pixbuf.loaders r,
      /etc/gtk-2.0/gtkrc r,
      /etc/pango/pango.modules r,
      /etc/pulse/client.conf r,
      owner /home/*/.ICEauthority r,
      owner /home/*/.config/gtk-2.0/gtkfilechooser.ini r,
      owner /home/*/.config/gtk-2.0/gtkfilechooser.ini.6XUP7U w,
      owner /home/*/.config/totem/state.ini r,
      owner /home/*/.config/user-dirs.dirs r,
    }
    What do you think of it?
    Last edited by 0011235813; May 2nd, 2012 at 04:13 PM.
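    A profile checker added here (my code, not either poster's) for the two things this thread keeps running into: the "missing last line" style of parse error (an unterminated rule or unclosed brace) and the "write and lock access is where care should be taken" point from #7. It parses a profile line by line, flags complain mode, unterminated rules, write access outside the usual per-user locations, and unowned writes under /home or /tmp. The profile text is a constructed fragment modelled on the ones above, and the list of acceptable write locations is my assumption.

```python
import re

# Constructed fragment (not either posted profile): complain mode, a broad
# write rule on /usr/lib, an unowned write rule on /tmp and a rule missing its comma.
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/bin/totem flags=(complain) {
  #include <abstractions/base>
  /usr/lib{,32,64}/** mrw,
  /tmp/** rw,
  owner /home/*/.config/totem/** rwk,
  /etc/fonts/** r
}
"""

RULE_RE = re.compile(r'^(owner\s+)?(\S+)\s+([a-zA-Z]+),$')
# Places a desktop media player legitimately writes to (assumption); writes elsewhere get flagged
WRITE_OK = ('/home/', '/tmp/', '/{run,dev}/shm/', '/dev/shm/', '/run/', '/dev/')

def audit_profile(text):
    """Return a list of (line_no, message) findings for one AppArmor profile; 0 = whole file."""
    findings, depth = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):      # comments and #include lines
            continue
        if line.endswith('{'):
            depth += 1
            if 'flags=(complain)' in line:
                findings.append((no, 'complain mode: denials are only logged, not blocked'))
            continue
        if line == '}':
            depth -= 1
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((no, 'rule is malformed or not terminated with a comma'))
            continue
        owner, path, perms = m.groups()
        if 'w' in perms and not path.startswith(WRITE_OK):
            findings.append((no, f'write access to system path {path}'))
        if 'w' in perms and path.startswith(('/home/', '/tmp/')) and not owner:
            findings.append((no, f'unowned write to {path}: consider the owner prefix'))
    if depth != 0:
        findings.append((0, 'unbalanced braces: profile block not closed'))
    if not text.endswith('\n'):
        findings.append((0, 'file does not end with a newline'))
    return findings

if __name__ == '__main__':
    for no, msg in audit_profile(SAMPLE_PROFILE):
        print(f'line {no}: {msg}')
```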
