Page 5 of 12 (Results 41 to 50 of 112)

Thread: Share your AppArmor Profiles

  1. #41
    Join Date
    Nov 2005
    Location
    Bordeaux, France
    Beans
    11,297
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Share your AppArmor Profiles

    AA profile for iroffer:

    Code:
    # AppArmor profile for iroffer v1.4.b03
    #
    # This AppArmor profile assumes the bot's configuration,
    # PID, state and log files are stored in ~/xdcc/, and the
    # files served for download are stored in ~/xdcc/files/.
    #
    #include <tunables/global>
    
    /usr/bin/iroffer {
      #include <abstractions/base>
      #include <abstractions/nameservice>
    
      owner /home/*/xdcc/*.config r,
      owner /home/*/xdcc/*.log* wl,
      owner /home/*/xdcc/*.pid w,
      owner /home/*/xdcc/*.{state,state.tmp,state\~} rwl,
      owner /home/*/xdcc/files/** rw,
      /usr/bin/iroffer r,
    
    }
    "I'll be home by the evening of the day after tomorrow."


  2. #42
    Join Date
    Aug 2007
    Location
    Chicago, IL, USA
    Beans
    1,429
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Share your AppArmor Profiles

    I discovered a Brainstorm page to improve the default profiles on AppArmor; I figured the people on this thread might be interested.

  3. #43

    Re: Share your AppArmor Profiles

    On 1st April icecast2 stopped logging anything. Somehow only today I noticed that and looked in syslog, and indeed AppArmor reports about it there.
    In the AppArmor config file for icecast2 there is:
    /var/log/icecast2/error.log a,
    /var/log/icecast2/access.log a,
    I just thought that this is wrong and changed them to "w", reloaded this profile, tried to open the stream URL with a player and closed it, and saw that icecast2 had logged it, without other complaints logged by AppArmor. Then I thought: why did it work before? Why did it not need the "w" permission? Even several gzipped log files are created. (They are created by a special daemon >10th of April, 2009: probably not a daemon but a cron job.<)... Hm! I just wanted to check when I created the icecast2 profiles and wanted to look in the syslog archives, and found that the old files are not there!
    And I thought: why has it started to log to the log file when it has not been restarted?
    And I thought: why should it need the "w" permission? And I edited it back to "a", reloaded the profile again, and it does not write and complains in syslog again.
    Last edited by q.dinar; April 10th, 2009 at 08:04 PM.

  4. #44
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Share your AppArmor Profiles

    probably needs permissions or ra

    I would append (a) rather than write (w) a log file.

    If you are getting error messages, it helps to post them.

    If you need advice

    sudo aa-logprof
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  5. #45

    Re: Share your AppArmor Profiles

    I have restarted AppArmor, icecast2 and ices2, checked with a player, and it works now.

    Quote Originally Posted by bodhi.zazen
    probably needs permissions or ra
    it asked for "w":
    Apr 4 01:20:54 linux2009 kernel: [146893.162337] type=1503 audit(1238793654.348:1392): operation="file_permission" requested_mask="w::" denied_mask="w::" fsuid=116 name="/var/log/icecast2/access.log" pid=5481 profile="/usr/bin/icecast2"

    And as I just looked to copy this, I saw in syslog that even though it has started to append to the log file now, it has still complained one line:
    Apr 4 02:21:07 linux2009 kernel: [150506.656194] type=1503 audit(1238797267.844:1426): operation="file_permission" requested_mask="w::" denied_mask="w::" fsuid=116 name="/var/log/icecast2/access.log" pid=5529 profile="/usr/bin/icecast2"

    And many complaint lines are written about ices2:
    Apr 4 02:21:14 linux2009 kernel: [150512.820144] type=1503 audit(1238797274.008:1437): operation="file_permission" requested_mask="w::" denied_mask="w::" fsuid=1000 name="/var/log/ices/ices.log" pid=5487 profile="/usr/bin/ices2"
    and
    Apr 4 02:21:14 linux2009 kernel: [150512.826378] type=1503 audit(1238797274.012:1438): operation="socket_create" family="inet" sock_type="dgram" protocol=0 pid=5487 profile="/usr/bin/ices2"
    lines.
    ices2 also has only "a" permission to its log file.
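As an added example (not from the thread), here is a small Python parser for kernel audit lines in exactly the format quoted above. It groups the denials per profile and prints the rule each one asks for, which is roughly what `sudo aa-logprof` from #44 does interactively, and it encodes the point behind the `a` versus `w` confusion in #43 and #45: `a` (append) is a subset of `w`, so a rule granting only `a` can never satisfy a denial whose requested_mask is `w`. The sample lines are the ones posted above; the handling of the newer `type=1400 ... apparmor="DENIED"` format, whose masks are written without the trailing `::`, is an assumption, not something the thread shows.

```python
import re
from collections import defaultdict

# Sample input: the kernel audit lines quoted in the post above. type=1503 is
# AUDIT_APPARMOR_DENIED in the 2.3-era format; newer kernels log type=1400
# with apparmor="DENIED" and a mask without the trailing "::" (assumption).
SAMPLE_LOG = """\
Apr 4 01:20:54 linux2009 kernel: [146893.162337] type=1503 audit(1238793654.348:1392): operation="file_permission" requested_mask="w::" denied_mask="w::" fsuid=116 name="/var/log/icecast2/access.log" pid=5481 profile="/usr/bin/icecast2"
Apr 4 02:21:07 linux2009 kernel: [150506.656194] type=1503 audit(1238797267.844:1426): operation="file_permission" requested_mask="w::" denied_mask="w::" fsuid=116 name="/var/log/icecast2/access.log" pid=5529 profile="/usr/bin/icecast2"
Apr 4 02:21:14 linux2009 kernel: [150512.820144] type=1503 audit(1238797274.008:1437): operation="file_permission" requested_mask="w::" denied_mask="w::" fsuid=1000 name="/var/log/ices/ices.log" pid=5487 profile="/usr/bin/ices2"
Apr 4 02:21:14 linux2009 kernel: [150512.826378] type=1503 audit(1238797274.012:1438): operation="socket_create" family="inet" sock_type="dgram" protocol=0 pid=5487 profile="/usr/bin/ices2"
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields if 'profile' in fields else None


def mask_perms(mask):
    """'w::' (old format) or 'w' (new format) -> set of permission letters."""
    return set(mask.split(':')[0])


def suggest_rule(ev):
    """Turn one denial event into the profile rule that would permit it."""
    op = ev.get('operation')
    if op in ('file_permission', 'open', 'inode_permission'):
        perms = ''.join(sorted(mask_perms(ev['denied_mask'])))
        return f"{ev['name']} {perms},"
    if op == 'socket_create':
        return f"network {ev['family']} {ev['sock_type']},"
    return f"# unhandled operation {op}"


def covers(rule_perms, requested_mask):
    """Does a rule with these permission letters satisfy a requested mask?
    'w' implies 'a' (append is a subset of write); nothing implies 'w'."""
    granted = set(rule_perms)
    if 'w' in granted:
        granted.add('a')
    return mask_perms(requested_mask) <= granted


def summarize(log_text):
    """Group denials: profile -> {suggested rule: number of denials}."""
    per_profile = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        if ev.get('type') == '1503' or ev.get('apparmor') == 'DENIED':
            per_profile[ev['profile']][suggest_rule(ev)] += 1
    return per_profile


if __name__ == '__main__':
    for profile, rules in summarize(SAMPLE_LOG).items():
        print(profile)
        for rule, n in rules.items():
            print(f"  {rule}    # denied {n}x")
    # The profile had '/var/log/icecast2/access.log a,' but the kernel logged
    # requested_mask "w::": an append-only rule does not cover plain write.
    print(covers('a', 'w::'), covers('w', 'a::'))
```

For the four lines above this yields `/var/log/icecast2/access.log w,` for icecast2, and for ices2 both `/var/log/ices/ices.log w,` and `network inet dgram,`. The last line prints `False True`: `a` does not cover a `w` request, while `w` does cover an `a` request, which is why changing the rule to `w` made the denials go away.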

  6. #46
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Share your AppArmor Profiles

    In general, if it is working, nothing more needs to be done.

    AA is noisy in the logs and, IMO, not everything logged needs to be fixed.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  7. #47

    Re: Share your AppArmor Profiles

    I had forgotten the AppArmor Support Thread.

  8. #48
    Join Date
    Aug 2007
    Beans
    35
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Share your AppArmor Profiles

    Code:
    # Last Modified: Thu Apr 30 13:10:28 2009
    #include <tunables/global>
    
    /usr/lib/firefox-3.0.10/firefox.sh flags=(complain) {
      #include <abstractions/base>
      #include <abstractions/fonts>
      #include <abstractions/gnome>
      #include <abstractions/nameservice>
      #include <abstractions/user-tmp>
    
      network dgram,
      network stream,
    
    
      /bin/dash rix,
      /usr/bin/basename rix,
      /usr/lib/firefox-3.0.10/firefox rix,
    
      owner /dev/shm/pulse-shm-* w,
      /etc/mime.types r,
      owner /home/*/ r,
      owner /home/*/.Xauthority r,
      owner /home/*/.adobe/Flash_Player/AssetCache/ r,
      owner /home/*/.adobe/Flash_Player/AssetCache/** rw,
      owner /home/*/.config/gtk-2.0/* rw,
      owner /home/*/.gtk-bookmarks r,
      owner /home/*/.macromedia/ r,
      owner /home/*/.macromedia/** r,
      owner /home/*/.mozilla/extensions/*/ r,
      owner /home/*/.mozilla/firefox/*.default/ r,
      owner /home/*/.mozilla/firefox/*.default/** rwk,
      owner /home/*/.mozilla/firefox/profiles.ini r,
      owner /home/*/.mozilla/plugins/libflashplayer.so mr,
      owner /home/*/.recently-used.xbel r,
      owner /home/*/Desktop/ r,
      owner /home/*/Desktop/** ra,
      /mnt/ r,
      /mnt/** r,
      /mnt/Backup/Others/Firefox/Ubuntu/** ra,
      /mnt/Incoming/Incoming/** ra,
      owner /proc/*/mounts r,
      /proc/cpuinfo r,
      /usr/share/** r,
    
    }
    Just doing a test drive
    Please make suggestions on how I can improve the profile (in the AA support thread).
    Last edited by rileinc; May 1st, 2009 at 01:37 AM.

  9. #49
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Share your AppArmor Profiles

    My profile for the newly released Firefox-3.0.11. You will notice that I do not use the macros. I have found that if I do, they tend to be ignored (not sure why). But overall, this profile works well (I use KDE but have Gnome libs installed). Firefox has quit complaining no matter what I do with the browser.

    Code:
    # Last Modified: Sun Jun 14 05:30:44 2009
    #include <tunables/global>
    
    /usr/lib/firefox-3.0.11/firefox.sh {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/bash>
      #include <abstractions/consoles>
      #include <abstractions/dbus>
      #include <abstractions/fonts>
      #include <abstractions/gnome>
      #include <abstractions/kde>
      #include <abstractions/nameservice>
      #include <abstractions/nvidia>
      #include <abstractions/user-tmp>
    
      capability sys_ptrace,
    
    
      deny /etc/fstab r,
      deny /home/*/.bash* rw,
      deny /home/*/.gnupg/* rw,
      deny /home/*/.ssh/* rw,
    
      /bin/dash rix,
      /bin/grep rix,
      /bin/ls mrix,
      /bin/ps rix,
      /bin/sed rix,
      /bin/uname rix,
      /bin/which rix,
      /dev/ r,
      /dev/shm/ r,
      owner /dev/shm/* rw,
      /dev/zero mrw,
      /etc/ r,
      /etc/X11/cursors/* r,
      /etc/default/apport r,
      /etc/firefox-3.0/pref/ r,
      /etc/firefox-3.0/pref/** r,
      /etc/gre.d/ r,
      /etc/gre.d/** r,
      /etc/java-6-openjdk/** r,
      /etc/kde4/kdeglobals r,
      /etc/kde4rc r,
      /etc/lsb-release r,
      /etc/mailcap r,
      /etc/mime.types r,
      /etc/mplayer/* r,
      /etc/openoffice/soffice.sh r,
      /etc/pulse/client.conf r,
      /etc/sound/events/gtk-events-2.soundlist r,
      /etc/ssl/certs/java/cacerts r,
      /etc/xulrunner-1.9/* r,
      owner /home/*/ r,
      owner /home/*/.cache/ rwk,
      owner /home/*/.cache/gnome-mplayer/plugin/ rw,
      owner /home/*/.cache/gnome-mplayer/plugin/** rw,
      owner /home/*/.config/Trolltech.conf rk,
      owner /home/*/.config/gtk-2.0/ rw,
      owner /home/*/.config/qtcurve.gtk-icons rw,
      owner /home/*/.config/transmission/lock rwk,
      owner /home/*/.gnome2/ rw,
      owner /home/*/.gnome2/accels/ rw,
      owner /home/*/.gnome2_private/ rw,
      owner /home/*/.icedteaplugin/* rw,
      owner /home/*/.kde/share/apps/kpdf/ rw,
      owner /home/*/.kde/share/apps/okular/ rw,
      owner /home/*/.kde/share/apps/okular/** rw,
      owner /home/*/.kde/share/config/ w,
      owner /home/*/.kde/share/config/* rw,
      owner /home/*/.kde/share/config/kdeglobals k,
      owner /home/*/.kde/share/icons/KDE4CrystalDiamondIcons_1.1_Kubuntu/** rw,
      owner /home/*/.macromedia/Flash_Player/** rw,
      owner /home/*/.mozilla/firefox/** rwk,
      owner /home/*/.netx/ rw,
      owner /home/*/.pulse-cookie rwk,
      owner /home/*/.pulse/ rw,
      owner /home/*/.recently-used.xbel* rwk,
      /home/*/.selected_editor r,
      owner /home/*/Desktop/* rw,
      owner /home/*/Download/** rw,
      owner /home/*/Pictures/** rw,
      owner /home/.mozilla/{firefox*,plugins,extensions}/ rw,
      owner /home/.mozilla/{firefox*,plugins,extensions}/** mrwk,
      owner /home/*/** r,
      owner /home/*/.config/Trolltech.conf rwk,
      /proc/ r,
      /proc/*/cmdline r,
      owner /proc/*/fd/ r,
      owner /proc/*/mounts r,
      /proc/*/net/if_inet6 r,
      /proc/*/net/ipv6_route r,
      /proc/*/stat r,
      /proc/*/status r,
      /proc/cpuinfo r,
      /proc/meminfo r,
      /proc/sys/kernel/pid_max r,
      /proc/tty/drivers r,
      /proc/uptime r,
      /proc/version r,
      /sys/devices/system/cpu/ r,
      /usr/bin/basename rix,
      /usr/bin/dcop rix,
      /usr/bin/dirname rix,
      /usr/bin/env rix,
      /usr/bin/gconftool-2 rix,
      /usr/bin/gnome-mplayer rix,
      /usr/bin/kde4-config rix,
      /usr/bin/mencoder rix,
      /usr/bin/mplayer rix,
      /usr/bin/okular rix,
      /usr/bin/ps2pdf rix,
      /usr/bin/setarch rix,
      /usr/bin/soffice r,
      /usr/bin/stat rix,
      /usr/bin/transmission rix,
      /usr/lib/firefox-3.0.11/firefox rix,
      /usr/lib/jvm/java-6-openjdk/jre/bin/java rix,
      /usr/lib/kde4/libexec/drkonqi rix,
      /usr/lib/nspluginwrapper/i386/linux/npviewer* rix,
      /usr/lib/openoffice/* r,
      /usr/lib/openoffice/** rix,
      /usr/lib/ure/bin/javaldx rix,
      /usr/lib{,32,64}/** mr,
      /usr/share/ghostscript/8.64/Resource/Init/gs_init.ps r,
      /usr/share/java/* r,
      /usr/share/javazi/ r,
      /usr/share/javazi/** r,
      /usr/share/kde4/* r,
      /usr/share/kde4/** r,  
      /usr/share/kubuntu-default-settings/kde4-profile/default/share/** r,
      /usr/share/libthai/* r,
      /usr/share/myspell/** r,
      /usr/share/zoneinfo/ r,
      /var/lib/flashplugin-installer/npwrapper.libflashplayer.so mr,
    
    }
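As an added example that is not part of either Firefox profile above (#48 or #49), here is a Python evaluator for the path-matching rules that decide what such a profile actually permits, following apparmor.d(5): `*` matches any run of characters except `/`, `**` also crosses `/`, `{a,b}` is alternation, `owner` restricts a rule to files owned by the process's fsuid, `w` implies `a`, and `deny` rules take precedence over allow rules regardless of order. The regex translation is an approximation of what the real parser generates (only the "at least one character after `/`" case is mirrored), and the file names used in the checks are constructed. Run against rules copied from the #49 profile, it shows the caveat a reviewer would raise: `deny /home/*/.gnupg/* rw` blocks `~/.gnupg/secring.gpg`, but because `*` stops at `/`, anything in a subdirectory of `~/.gnupg/` is still readable through `owner /home/*/** r`. `FIXED_RULES` (an assumption of this example) rewrites the two deny rules with `**` so that they cover the whole tree.

```python
import re
from dataclasses import dataclass

# Rules copied verbatim from the Firefox 3.0.11 profile above.
PROFILE_RULES = """
deny /home/*/.bash* rw,
deny /home/*/.gnupg/* rw,
deny /home/*/.ssh/* rw,
owner /home/*/.mozilla/firefox/** rwk,
owner /home/*/** r,
/usr/lib{,32,64}/** mr,
"""

# Hypothetical correction (assumption of this example): '**' descends into
# subdirectories, '*' does not.
FIXED_RULES = (PROFILE_RULES
               .replace('.gnupg/* rw', '.gnupg/** rw')
               .replace('.ssh/* rw', '.ssh/** rw'))

RULE_RE = re.compile(r'^(?:(deny)\s+)?(?:(owner)\s+)?(\S+)\s+([a-zA-Z]+),$')


@dataclass
class Rule:
    deny: bool
    owner: bool
    pattern: str
    perms: set
    regex: re.Pattern


def expand_braces(pat):
    """'/usr/lib{,32,64}/**' -> ['/usr/lib/**', '/usr/lib32/**', '/usr/lib64/**']."""
    m = re.search(r'\{([^{}]*)\}', pat)
    if not m:
        return [pat]
    out = []
    for alt in m.group(1).split(','):
        out.extend(expand_braces(pat[:m.start()] + alt + pat[m.end():]))
    return out


def glob_to_regex(pat):
    """AppArmor glob -> anchored regex. '*' stops at '/', '**' crosses it,
    '?' is one non-'/' character. Approximation: directly after a '/', both
    '*' and '**' must match at least one character, as in the real parser."""
    out, i = [], 0
    while i < len(pat):
        after_slash = i > 0 and pat[i - 1] == '/'
        if pat.startswith('**', i):
            out.append('[^/].*' if after_slash else '.*')
            i += 2
        elif pat[i] == '*':
            out.append('[^/]+' if after_slash else '[^/]*')
            i += 1
        elif pat[i] == '?':
            out.append('[^/]')
            i += 1
        else:
            out.append(re.escape(pat[i]))
            i += 1
    return '^' + ''.join(out) + '$'


def parse_rules(text):
    """Parse file rules of the form '[deny] [owner] <glob> <perms>,'."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f'unsupported rule: {line!r}')
        deny, owner, pat, perms = m.groups()
        for p in expand_braces(pat):
            rules.append(Rule(bool(deny), bool(owner), p, set(perms),
                              re.compile(glob_to_regex(p))))
    return rules


def allowed(rules, path, perm, is_owner=True):
    """Is one permission letter on `path` allowed? A matching deny rule wins
    over any allow rule; 'w' implies 'a'; an 'owner' rule needs is_owner."""
    granted = False
    for r in rules:
        if not r.regex.match(path) or (r.owner and not is_owner):
            continue
        perms = r.perms | ({'a'} if 'w' in r.perms else set())
        if perm not in perms:
            continue
        if r.deny:
            return False
        granted = True
    return granted


def check(rules_text, path, perm, is_owner=True):
    return allowed(parse_rules(rules_text), path, perm, is_owner)


if __name__ == '__main__':
    key = '/home/alice/.gnupg/private-keys-v1.d/abc.key'   # constructed path
    print(check(PROFILE_RULES, '/home/alice/.gnupg/secring.gpg', 'r'))  # False
    print(check(PROFILE_RULES, key, 'r'))   # True: '*' does not descend
    print(check(FIXED_RULES, key, 'r'))     # False with '**'
```

The same evaluator answers the other questions one asks of a profile like this: `/home/alice/.bashrc` is unreadable because `.bash*` matches within a single path component, `/home/alice/.profile` is readable through the blanket `owner /home/*/** r`, and the `{,32,64}` alternation expands to three separate library trees.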

  10. #50
    Join Date
    Mar 2008
    Location
    Las Vegas
    Beans
    1,148

    Re: Share your AppArmor Profiles

    Hello Everyone,
    I finally got tired of, and curious about, the AppArmor warnings at boot time, so I've since discovered what this is all about and think it's pretty neat... although I've yet to fully understand the profile files. I'll be working on one for Opera, so we'll see how that goes. So far, if I enable it, it won't even start! Guess that's pretty safe.

    To bodhi.zazen: Discovered your Intro and web page of profiles and appreciate the efforts.

    I've been running Ubuntu for a bit over a year now and maybe know enough to give back to the community. (bet I still have lots of reading though!)

    Barrie
    Debian Stable
    FluxBox
    Mark Your Thread Solved
