 |
ubuntu.com - launchpad.net - ubuntu help
|
|
|||||||
|
Security Discussions Discuss security flaws/updates/notices in the various Ubuntu releases. |
|
|
Thread Tools | Display Modes |
December 12th, 2008
|
#1 | |
|
Ubuntu Guru
 
Join Date: Apr 2006
Location: Montana
My beans are hidden!
Xubuntu Development Release
 |
Share your AppArmor Profiles
In order to promote awareness and learning of AppArmor I thought it migh help if we shared our profiles. Hopefully they can be reviewed by experts and help others learn the syntax of an AppArmor Profile.
Here is my Firefox Profile Firefox version 3.0.4 Ubuntu 9.04 Alpha Quote:
__________________
A person with ubuntu is open and available to others, affirming of others, does not feel threatened that others are able and good, for he or she has a proper self-assurance that comes from knowing that he or she belongs in a greater whole and is diminished when others are humiliated or diminished, when others are tortured or oppressed. ~ Archbishop Desmond Tutu, 1999  |
|
|
|
|
December 12th, 2008
|
#2 |
|
The Free Multi-Distro Tux
 
Join Date: Aug 2007
Location: Kottawa, Sri Lanka
Beans: 7,299
Ubuntu 8.04 Hardy Heron
 |
Re: Share your AppArmor Profiles
I made a Firefox profile myself, but it never was completed because I wanted to lock it down where-ever access was not necessary, which is really difficult due to specific use-cases of certain users, etc.
Anyway, here's the profile(I know, it hasn't been worked on for a long time):- Code:
# Last Modified: Thu Jun 19 08:47:03 2008
#include <tunables/global>
/usr/lib/firefox-3.0/firefox.sh {
#include <abstractions/base>
#include <abstractions/gnome>
#include <abstractions/fonts>
network inet,
network inet6,
/bin/dash rix,
/etc/gai.conf r,
/etc/passwd r,
/etc/nsswitch.conf r,
/usr/lib/libgconf2-4/gconfd-2 ix,
/etc/gre.d/* r,
/etc/gre.d/ r,
/etc/firefox-3.0/** rw,
/etc/firefox-3.0/* rw,
/usr/lib/firefox-3.0/firefox.sh mr,
/usr/lib/firefox-3.0/** rwix,
/usr/share/ubufox/** r,
/usr/share/applications/** r,
/usr/share/icons/** r,
#/tmp/** rw,
#/tmp/ rw,
/usr/share/myspell/dicts/* r,
/usr/share/myspell/dicts/ r,
/usr/share/mime/** r,
/etc/hosts r,
/etc/resolv.conf r,
#These are needed if you need to hear any sounds at all.
/dev/snd/** rw,
/usr/share/alsa/alsa.conf r,
#To use Gnash, these permissions have to be given.
/usr/lib/gnash/ m,
@{HOME}/.gstreamer-0.10/registry.* rw,
/usr/share/gnash/* r,
/usr/bin/gtk-gnash mixr,
#The permissions required for Flash 10.
@{HOME}/.macromedia/** rw,
@{HOME}/.adobe/** r,
/usr/lib/locale/en_US.utf8/* r,
#Note:- The rule allows Fx to read other processes, this has to be done since Flash absolutely requires this otherwise the browser would crash.
@{PROC}/*/maps r,
#The permissions it has within home in order to function as required.
@{HOME}/Downloads/ rw,
@{HOME}/Downloads/** rw,
@{HOME}/.mozilla/firefox/97peui19.default/*.sqlite* rwk,
@{HOME}/.mozilla/firefox/97peui19.default/** rw,
@{HOME}/.mozilla/firefox/97peui19.default/ rw,
@{HOME}/.mozilla/firefox/* rw,
@{HOME}/.mozilla/firefox/97peui19.default/.parentlock k,
@{HOME}/.mozilla/extensions/** rw,
@{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
#Sun Java 6 requires these permissions.
/usr/lib/jvm/java-6-sun*/jre/** mrix,
/etc/java-6-sun/* r,
/etc/java-6-sun/** r,
@{HOME}/.java/ wr,
@{HOME}/.java/** wr,
@{HOME}/.java/deployment/** k,
}
Edit:- If you really want a profile that allows the program to work properly in addition to providing good security, then you must do it yourself, and have a good understanding of the inner workings of the program involved. An automatically generated profile is not terrible, but it does tend to allow access to unnecessary resources or files which could be exploited by malware or hackers.
__________________
Think carefully before executing commands containing "rm", especially "sudo rm -rf ", if you require more information concerning this matter, read this. I am an experimenter, give me the most stable OS and I can make it unstable in a few hours. C == seriously fast == FTW!
Last edited by PmDematagoda; December 12th, 2008 at 03:35 AM.. |
|
|
|
|
December 12th, 2008
|
#3 |
|
Way Too Much Ubuntu
 
Join Date: Feb 2005
Location: ${HOME}
My beans are hidden!
Ubuntu 9.10 Karmic Koala
|
Re: Share your AppArmor Profiles
I put together a profile for Pidgin and XChat. The Pidgin profile allows downloading to only a specific folder, and allows uploading from any folder under $HOME, and external applications can't be executed. The XChat profile doesn't allow downloading or uploading at all, and no external applications.
Code:
#include <tunables/global>
/usr/bin/pidgin {
#include <abstractions/base>
capability sys_ptrace,
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
owner @{HOME}/** r,
owner @{HOME}/.aspell* rk,
owner @{HOME}/.config/enchant/* rk,
owner @{HOME}/.fonts.conf r,
owner @{HOME}/.gtk-bookmarks r,
owner @{HOME}/.ICEauthority r,
owner @{HOME}/.local/share/mime/* r,
owner @{HOME}/.Xauthority r,
owner @{PROC}/*/fd/ r,
owner @{PROC}/*/maps r,
owner @{PROC}/*/mounts r,
/dev/shm/ r,
/etc/ r,
/etc/fonts/** r,
/etc/ssl/certs/ r,
/etc/gai.conf r,
/etc/host.conf r,
/etc/hosts r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/pulse/client.conf r,
/etc/resolvconf/run/resolv.conf r,
/usr/bin/pidgin r,
/usr/lib/ r,
/usr/lib/gtk-*/**.so rm,
/usr/lib/libvisual-*/**.so rm,
/usr/lib/pango/**.so rm,
/usr/lib/pidgin/*.so rm,
/usr/lib/purple*/*.so rm,
/usr/local/share/icons/ r,
/usr/share/fonts/ r,
/usr/share/fonts/** r,
/usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/* r,
/usr/share/icons/ r,
/usr/share/icons/** r,
/usr/share/locale-langpack/** r,
/usr/share/mime/* r,
/usr/share/myspell/dicts/ r,
/usr/share/myspell/dicts/** r,
/usr/share/pixmaps/ r,
/usr/share/pixmaps/** r,
/usr/share/sounds/purple/* r,
/usr/share/tcltk/** r,
/usr/share/themes/** r,
/usr/share/enchant/enchant.ordering r,
/var/cache/fontconfig/** r,
/var/lib/aspell/** r,
/var/lib/defoma/** r,
owner /tmp/orbit-*/ w,
/tmp/.ICE-unix/* w,
/tmp/.X11-unix/* w,
owner /tmp/pulse-*/* w,
/var/run/dbus/system_bus_socket w,
owner @{HOME}/.config/gtk-*/** rw,
owner @{HOME}/.gnome2/nautilus-sendto/** rw,
owner @{HOME}/.purple/ rw,
owner @{HOME}/.purple/** rwk,
owner @{HOME}/.recently-used* rw,
owner @{HOME}/Downloads/ rw,
owner @{HOME}/Downloads/** rw,
/dev/shm/* rw,
/dev/tty rw,
/tmp/ rw,
/tmp/orbit-*/* w,
/var/tmp/ rw,
@{HOME}/.gstreamer*/* ra,
/usr/bin/gconftool-2 rix,
/usr/bin/gnome-default-applications-properties ix,
/usr/bin/gnome-network-preferences ix,
/usr/bin/launchpad-integration ix,
}
Code:
#include <tunables/global>
/usr/bin/xchat {
#include <abstractions/base>
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
@{HOME}/ r,
@{HOME}/.config/** r,
@{HOME}/.icons/ r,
@{HOME}/.local/share/icons/ r,
@{HOME}/.aspell* r,
@{HOME}/.config/enchant/* rk,
@{HOME}/.fonts.conf r,
@{HOME}/.local/share/mime/* r,
@{HOME}/.Xauthority r,
@{PROC}/*/mounts r,
/etc/fonts/** r,
/etc/host.conf r,
/etc/hosts r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/resolvconf/run/resolv.conf r,
/usr/bin/xchat r,
/usr/lib/gtk-*/**.so rm,
/usr/lib/pango/**.so rm,
/usr/lib/xchat/plugins/*.so rm,
/usr/local/share/icons/ r,
/usr/share/fonts/ r,
/usr/share/fonts/** r,
/usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/icons/ r,
/usr/share/icons/** r,
/usr/share/locale-langpack/** r,
/usr/share/mime/* r,
/usr/share/myspell/dicts/ r,
/usr/share/myspell/dicts/** r,
/usr/share/pixmaps/ r,
/usr/share/themes/** r,
/usr/share/enchant/enchant.ordering r,
/var/cache/fontconfig/** r,
/var/lib/aspell/** r,
/var/lib/defoma/** r,
/tmp/.X11-unix/* w,
/var/run/dbus/system_bus_socket w,
@{HOME}/.xchat2/** rwk,
/usr/bin/launchpad-integration ix,
}
__________________
Joel Goguen Real-time help: #ubuntu-beginners on irc.ubuntu.com | How To IRC The Tao of Ubuntu Security | IPTables how-to AppArmor | AppArmor Support | AppArmor Profiles |
|
|
|
|
December 28th, 2008
|
#4 |
|
A Carafe of Ubuntu
 
Join Date: Oct 2008
Location: Washington, D.C., USA
Beans: 116
Ubuntu 9.04 Jaunty Jackalope
 |
Re: Share your AppArmor Profiles
I don't suppose there would be a way to write different AppArmor profiles for different Firefox profiles, would there? I would love to limit how much access Firefox has to my system, but I have one profile for anonymous browsing and another for non-anonymous browsing, and obviously have different threat models for both.
__________________
FSF Associate Member #7164 -- Support freedom: Join the FSF Today! |
|
|
|
|
December 28th, 2008
|
#5 | |
|
Ubuntu Guru
Join Date: Apr 2006
Location: Montana
My beans are hidden!
Xubuntu Development Release
|
Re: Share your AppArmor Profiles
Quote:
Make a hard link Code:
sudo ln /usr/bin/firefox-restricted /usr/lib/firefox-3.0.5/firefox.sh
__________________
A person with ubuntu is open and available to others, affirming of others, does not feel threatened that others are able and good, for he or she has a proper self-assurance that comes from knowing that he or she belongs in a greater whole and is diminished when others are humiliated or diminished, when others are tortured or oppressed. ~ Archbishop Desmond Tutu, 1999 |
|
|
|
|
|
December 28th, 2008
|
#6 | |
|
A Carafe of Ubuntu
Join Date: Oct 2008
Location: Washington, D.C., USA
Beans: 116
Ubuntu 9.04 Jaunty Jackalope
|
Re: Share your AppArmor Profiles
Quote:
__________________
FSF Associate Member #7164 -- Support freedom: Join the FSF Today! |
|
|
|
|
|
December 28th, 2008
|
#7 | |
|
A Carafe of Ubuntu
Join Date: Oct 2008
Location: Washington, D.C., USA
Beans: 116
Ubuntu 9.04 Jaunty Jackalope
|
Re: Share your AppArmor Profiles
Quote:
Code:
/usr/bin/gnome-open Ux,
__________________
FSF Associate Member #7164 -- Support freedom: Join the FSF Today! |
|
|
|
|
|
December 28th, 2008
|
#8 |
|
Ubuntu Guru
Join Date: Apr 2006
Location: Montana
My beans are hidden!
Xubuntu Development Release
|
Re: Share your AppArmor Profiles
First, IMO, nothing is "too insecure" per say, but I would try running with irx rather then Ux
Second, I am not 100 % about the link, it was just a suggestion. I know it works with bash but I have not tried it with firefox.
__________________
A person with ubuntu is open and available to others, affirming of others, does not feel threatened that others are able and good, for he or she has a proper self-assurance that comes from knowing that he or she belongs in a greater whole and is diminished when others are humiliated or diminished, when others are tortured or oppressed. ~ Archbishop Desmond Tutu, 1999 |
|
|
|
|
December 29th, 2008
|
#9 | |
|
A Carafe of Ubuntu
Join Date: Oct 2008
Location: Washington, D.C., USA
Beans: 116
Ubuntu 9.04 Jaunty Jackalope
|
Re: Share your AppArmor Profiles
Quote:
As for the link: It seems that making a hard link to a symbolic link just causes it to resolve the symbolic link. Would making a script that called firefox with profile arguments work?
__________________
FSF Associate Member #7164 -- Support freedom: Join the FSF Today! |
|
|
|
|
|
December 29th, 2008
|
#10 |
|
Way Too Much Ubuntu
Join Date: Feb 2005
Location: ${HOME}
My beans are hidden!
Ubuntu 9.10 Karmic Koala
|
Re: Share your AppArmor Profiles
Using ix would require gnome-open to be restricted by the same profile as Firefox. So without giving Firefox access to everything gnome-open needs as well, using ix won't work. Same goes for any other profile.
__________________
Joel Goguen Real-time help: #ubuntu-beginners on irc.ubuntu.com | How To IRC The Tao of Ubuntu Security | IPTables how-to AppArmor | AppArmor Support | AppArmor Profiles |
|
|
|
| Bookmarks |
«
Previous Thread
|
Next Thread
»
| Thread Tools | |
| Display Modes | |
Linear Mode
|
|
All times are GMT -4. The time now is 06:17 PM.