
Thread: apparmor: how can I make a "deny network" rule work?

  1. #1

    apparmor: how can I make a "deny network" rule work?

    Hi all,

    I'm working on an AA profile. When I use a "deny" rule like this
    Code:
    deny /etc/hosts r,
    the application is denied read access to that file and this fact is not logged by AA.

    But when I use the rule with the "network inet" like this
    Code:
    deny network inet6 stream,
    the application is denied the access but it is logged.

    Why does the deny rule behave differently in these two sample cases? This is a problem for me as AA is spamming the logs with all these DENIED messages. Thanks for any tips...

  2. #2

    Re: apparmor: how can I make a "deny network" rule work?

    If apparmor is NOT logging a denial it is a bug and should be reported on Launchpad.

    See also:

    https://wiki.ubuntu.com/DebuggingApparmor
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta


  3. #3

    Re: apparmor: how can I make a "deny network" rule work?

    Thanks for replying, bodhi.zazen.

    Quote Originally Posted by bodhi.zazen View Post
    If apparmor is NOT logging a denial it is a bug and should be reported on Launchpad.

    See also:

    https://wiki.ubuntu.com/DebuggingApparmor
    I'm sorry, but I don't understand your point. For example this AA wiki page states that "deny rules - In a profile any rule with the deny prefix will cause quieting of rejects matching the rule." As far as I understand, if I want a denial to be logged I should prepend it with the "audit" keyword like this
    Code:
    audit deny /etc/hosts r,
    Otherwise, according to AA docs, it should not be logged. Am I missing something here?

  4. #4

    Re: apparmor: how can I make a "deny network" rule work?

    Quote Originally Posted by arrange View Post
    Thanks for replying, bodhi.zazen.
    I'm sorry, but I don't understand your point. For example this AA wiki page states that "deny rules - In a profile any rule with the deny prefix will cause quieting of rejects matching the rule." As far as I understand, if I want a denial to be logged I should prepend it with the "audit" keyword like this
    Code:
    audit deny /etc/hosts r,
    Otherwise, according to AA docs, it should not be logged. Am I missing something here?
    Hard to tell from what you have posted.

    Apparmor should log a denial by default, you do not need the audit keyword to enable logging.

    See:

    http://webapp5.rrz.uni-hamburg.de/Su...les.audit.html

    When you use the rule "audit" in a profile, the denial is "tagged" with the word audit.

    You can then find these denials (in all the noise) with grep.

    I suggest you follow the logs and watch what happens.

  5. #5

    Re: apparmor: how can I make a "deny network" rule work?

    I followed your advice and created a profile for /usr/bin/head. Then I tested its behavior with deny vs. audit deny rules. On my system (Ubuntu 10.10, AA 2.5.1-0ubuntu0.10.10.2) deny rules are not logged:
    Code:
    root@mm:/etc/apparmor.d# jobs
    [1]+  Running                 tail -f /var/log/syslog &
    
    # `head' is set to deny reading the /tmp/file.txt file
    ################################
    root@mm:/etc/apparmor.d# cat usr.bin.head 
    #include <tunables/global>
    
    /usr/bin/head {
      #include <abstractions/base>
      #include <abstractions/nameservice>
    
      deny /tmp/file.txt r,
    }
    
    root@mm:/etc/apparmor.d# aa-enforce usr.bin.head 
    Setting /etc/apparmor.d/usr.bin.head to enforce mode.
    Dec  2 21:11:52 mm kernel: [ 3303.662743] type=1400 audit(1291320712.890:236): apparmor="STATUS" operation="profile_replace" name="/usr/bin/head" pid=6972 comm="apparmor_parser"
    
    # `head' can't read the file, and the fact is NOT logged
    ###################################
    root@mm:/etc/apparmor.d# head /tmp/file.txt 
    head: cannot open `/tmp/file.txt' for reading: Permission denied
    
    # now we change "deny" → "audit deny"
    ########################################
    root@mm:/etc/apparmor.d# sed -i 's:deny:audit\ deny:' usr.bin.head 
    root@mm:/etc/apparmor.d# aa-enforce usr.bin.head 
    Setting /etc/apparmor.d/usr.bin.head to enforce mode.
    Dec  2 21:12:49 mm kernel: [ 3359.804737] type=1400 audit(1291320769.034:237): apparmor="STATUS" operation="profile_replace" name="/usr/bin/head" pid=7083 comm="apparmor_parser"
    
    # `head' now can't read the file and it IS logged
    ###################################################
    root@mm:/etc/apparmor.d# head /tmp/file.txt 
    head: cannot open `/tmp/file.txt' for reading: Permission denied
    Dec  2 21:12:56 mm kernel: [ 3367.241958] type=1400 audit(1291320776.470:238): apparmor="DENIED" operation="open" parent=3545 profile="/usr/bin/head" name="/tmp/file.txt" pid=7098 comm="head" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    Is it a bug? I hope not.

  6. #6

    Re: apparmor: how can I make a "deny network" rule work?

    Quote Originally Posted by arrange View Post
    I followed your advice and created a profile for /usr/bin/head. Then I tested its behavior with deny vs. audit deny rules. On my system (Ubuntu 10.10, AA 2.5.1-0ubuntu0.10.10.2) deny rules are not logged:
    Code:
    root@mm:/etc/apparmor.d# jobs
    [1]+  Running                 tail -f /var/log/syslog &
    
    # `head' is set to deny reading the /tmp/file.txt file
    ################################
    root@mm:/etc/apparmor.d# cat usr.bin.head 
    #include <tunables/global>
    
    /usr/bin/head {
      #include <abstractions/base>
      #include <abstractions/nameservice>
    
      deny /tmp/file.txt r,
    }
    
    root@mm:/etc/apparmor.d# aa-enforce usr.bin.head 
    Setting /etc/apparmor.d/usr.bin.head to enforce mode.
    Dec  2 21:11:52 mm kernel: [ 3303.662743] type=1400 audit(1291320712.890:236): apparmor="STATUS" operation="profile_replace" name="/usr/bin/head" pid=6972 comm="apparmor_parser"
    
    # `head' can't read the file, and the fact is NOT logged
    ###################################
    root@mm:/etc/apparmor.d# head /tmp/file.txt 
    head: cannot open `/tmp/file.txt' for reading: Permission denied
    
    # now we change "deny" → "audit deny"
    ########################################
    root@mm:/etc/apparmor.d# sed -i 's:deny:audit\ deny:' usr.bin.head 
    root@mm:/etc/apparmor.d# aa-enforce usr.bin.head 
    Setting /etc/apparmor.d/usr.bin.head to enforce mode.
    Dec  2 21:12:49 mm kernel: [ 3359.804737] type=1400 audit(1291320769.034:237): apparmor="STATUS" operation="profile_replace" name="/usr/bin/head" pid=7083 comm="apparmor_parser"
    
    # `head' now can't read the file and it IS logged
    ###################################################
    root@mm:/etc/apparmor.d# head /tmp/file.txt 
    head: cannot open `/tmp/file.txt' for reading: Permission denied
    Dec  2 21:12:56 mm kernel: [ 3367.241958] type=1400 audit(1291320776.470:238): apparmor="DENIED" operation="open" parent=3545 profile="/usr/bin/head" name="/tmp/file.txt" pid=7098 comm="head" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    Is it a bug? I hope not.
    See post #2

  7. #7

    Re: apparmor: how can I make a "deny network" rule work?

    Do you happen to have a link which would confirm that, as you say, "Apparmor should log a denial by default, you do not need the audit keyword to enable logging."? I can't find any. The link you gave me (http://webapp5.rrz.uni-hamburg.de/Su...les.audit.html) does not talk about this.

    Thanks.

  8. #8

    Re: apparmor: how can I make a "deny network" rule work?

    No "deny" in the evince profile:

    Code:
    bodhi@maverick:~$ grep audit /etc/apparmor.d/usr.bin.evince 
    bodhi@maverick:~$
    But when I open evince and browse to / (root) - lots of logs

    Dec 2 21:27:21 maverick kernel: [ 693.304375] type=1400 audit(1291350441.726:15): apparmor="DENIED" operation="open" parent=1820 profile="/usr/bin/evince" name="/boot/initrd.img-2.6.35-23-generic" pid=1843 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Dec 2 21:27:21 maverick kernel: [ 693.313591] type=1400 audit(1291350441.734:16): apparmor="DENIED" operation="open" parent=1820 profile="/usr/bin/evince" name="/boot/vmlinuz-2.6.35-23-generic" pid=1843 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    IMO documentation on apparmor is not always what you might like.

    See this page:

    https://apparmor.wiki.kernel.org/ind...e_should_be.3F

  9. #9

    Re: apparmor: how can I make a "deny network" rule work?

    Quote Originally Posted by bodhi.zazen View Post
    No "deny" in the evince profile:

    Code:
    bodhi@maverick:~$ grep audit /etc/apparmor.d/usr.bin.evince 
    bodhi@maverick:~$
    But when I open evince and browse to / (root) - lots of logs
    IMO documentation on apparmor is not always what you might like.

    See this page:

    https://apparmor.wiki.kernel.org/ind...e_should_be.3F
    From that page:

    deny rules - In a profile any rule with the deny prefix will cause quieting of rejects matching the rule.

    audit rule - If the audit keyword is prefixed to any rule it forces that rule to output audit log messages for any event matching it.

    Audit mode - In audit mode AppArmor will output a log message for each event mediated by the AppArmor module whether it is allowed or rejected

  10. #10

    Re: apparmor: how can I make a "deny network" rule work?

    I'm afraid we are talking about two different things...

    In your example
    Code:
    Dec 2 21:27:21 maverick kernel: [ 693.304375] type=1400 audit(1291350441.726:15): apparmor="DENIED" operation="open" parent=1820 profile="/usr/bin/evince" name="/boot/initrd.img-2.6.35-23-generic" pid=1843 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    AA denied access to /boot/initrd.img-2.6.35-23-generic because you explicitly did not allow the application to access that file in its AA profile. This is of course logged.

    But what I'm talking about is this: if I add this line to usr.bin.evince
    Code:
    deny /boot/initrd.img-2.6.35-23-generic r,
    and then attempt to open the initrd file using evince, the access will be denied AND it will not be logged. BTW the quote you gave ("deny rules - In a profile any rule with the deny prefix will cause quieting of rejects matching the rule. ") IMO confirms this.

    My original question was: can this behavior be applied to the network rule as well?
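As an added example that is not from this thread or from the AppArmor project: a small Python script that parses the syslog-style AppArmor kernel audit records shown above, counts DENIED events per profile, operation and target, and prints the `deny` (or `audit deny`) rule form that, per the documentation quoted in post #9, would quiet or keep logging each one. The sample log lines are constructed, and the `family=` / `sock_type=` field names on the network record are an assumption about AppArmor 2.x output.

```python
import re
from collections import Counter

# Matches the key=value / key="value" pairs of an AppArmor kernel audit record
# (type=1400) as it shows up in /var/log/syslog in the examples in this thread.
_RECORD = re.compile(r'type=1400 audit\([\d.]+:\d+\): (.*)$')
_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_apparmor_record(line):
    """Return the record's fields as a dict, or None if the line is not an AppArmor record."""
    m = _RECORD.search(line)
    if not m:
        return None
    return {k: v.strip('"') for k, v in _PAIR.findall(m.group(1))}

def summarize_denials(lines):
    """Count DENIED records per (profile, operation, target) so the noisiest
    ones can be reviewed before deciding whether to quiet them with a deny rule."""
    counts = Counter()
    for line in lines:
        rec = parse_apparmor_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        if "name" in rec:                       # file access: path plus denied mode bits
            target = (rec["name"], rec.get("denied_mask", ""))
        else:                                   # network access: family plus socket type (assumed field names)
            target = (rec.get("family", "?"), rec.get("sock_type", "?"))
        counts[(rec["profile"], rec["operation"], target)] += 1
    return counts

def deny_rule(target, audit=False):
    """Build the profile rule text for a summarized target. Per the docs quoted in
    post #9, a plain `deny` quiets the reject; an `audit` prefix forces a log line."""
    first, second = target
    if first.startswith("/"):
        rule = "deny %s %s," % (first, second)
    else:
        rule = "deny network %s %s," % (first, second)
    return ("audit " + rule) if audit else rule

# Constructed sample lines in the syslog format shown in the thread (not captured from a live host).
SAMPLE_LOG = [
    'Dec  2 21:12:56 mm kernel: [ 3367.241958] type=1400 audit(1291320776.470:238): apparmor="DENIED" operation="open" parent=3545 profile="/usr/bin/head" name="/tmp/file.txt" pid=7098 comm="head" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Dec  2 21:12:57 mm kernel: [ 3368.100000] type=1400 audit(1291320777.100:239): apparmor="DENIED" operation="open" parent=3545 profile="/usr/bin/head" name="/tmp/file.txt" pid=7099 comm="head" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Dec  2 21:13:02 mm kernel: [ 3373.000000] type=1400 audit(1291320782.000:240): apparmor="DENIED" operation="socket_create" parent=3545 profile="/usr/bin/app" pid=7100 comm="app" family="inet6" sock_type="stream" protocol=6',
    'Dec  2 21:13:03 mm kernel: [ 3374.000000] type=1400 audit(1291320783.000:241): apparmor="STATUS" operation="profile_replace" name="/usr/bin/head" pid=7101 comm="apparmor_parser"',
]

if __name__ == "__main__":
    for (profile, op, target), n in summarize_denials(SAMPLE_LOG).most_common():
        print("%4d  %-14s %-14s -> %s" % (n, profile, op, deny_rule(target)))
```

The script only prints the rule text; whether a `deny network` rule is actually quieted on a given AppArmor version is exactly what the original poster found to differ from the file case in post #1, so verify in the logs after reloading the profile.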
