Page 3 of 12 (Results 21 to 30 of 112)

Thread: Share your AppArmor Profiles

  1. #21

    Re: Share your AppArmor Profiles

    I thought that passwords are stored in /etc/passwd, but it is not so.

    Now I have been making a profile for VirtualBox and have searched for how to allow "capability"s in the log. I found this by searching "capability apparmor.d" in Google: https://help.ubuntu.com/8.04/serverg.../apparmor.html .

    I cannot change r for user or group or others in apparmor.d, as it does not matter; am I right, is it so?

    Sometimes "requested mask" and "denied mask" in the log are different; I write the rule which is for more permissions. I have now thought/guessed that "denied ..." means which part of the permission is needed.

    a and w permissions are said to be incompatible; if they are both there, I set w. And if there is w, I set r also, not waiting for it to appear in the log.

    Why in complain mode do only a few lines appear after every change of a rule and program restart? Why do all complaints not appear in one run of the program?

    sudo genprof ... tries to connect to the rules repository and asks many questions; I now choose "finish".
    Last edited by q.dinar; January 17th, 2009 at 11:46 AM.

  2. #22

    Re: Share your AppArmor Profiles

    In man apparmor.d it is written:
    "There is no mediation based of port number or protocol beyond tcp, udp, and raw"
    So I cannot restrict access to/by a certain IP?
    Can I restrict access of a program but allow other programs as usual with iptables? As far as I know it is possible.

  3. #23
    Join Date: Feb 2005 | Location: ${HOME} | Beans: Hidden!

    Re: Share your AppArmor Profiles

    Quote Originally Posted by q.dinar:
    I thought that passwords are stored in /etc/passwd, but it is not so.
    Right, passwords are stored in encrypted form in /etc/shadow. No reason to allow everyone access to read the passwords when all they need is the username.

    Quote Originally Posted by q.dinar:
    I cannot change r for user or group or others in apparmor.d, as it does not matter; am I right, is it so?
    I think you're right. You can't tell a program what permissions to ask for. But you can say "OK, you can have user read only but not group read or other read". A line like this grants read-only access for user only to home directories:
    Code:
    owner @{HOME}/ r,
    Quote Originally Posted by q.dinar:
    Sometimes "requested mask" and "denied mask" in the log are different; I write the rule which is for more permissions. I have now thought/guessed that "denied ..." means which part of the permission is needed.
    The "requested mask" is what the program wants. The "denied mask" is what the program isn't getting. If the request mask is "rmix" and the denied mask is "mx" then it means that the profile allows reading but not mmap() or execute. Note that I haven't covered what "i" means - it goes along with "x". Execute permissions are either "ix" (inherit this profile on execute), "Ux" or "ux" (execute with no profile - not recommended!) or "Px" or "px" (execute with the profile for the program). I'm starting to lean more towards using "ix" wherever possible, but your individual profiles will be larger. You'll also have more control over what each application actually has access to.
    Last edited by jgoguen; January 17th, 2009 at 08:20 PM.
    Joel Goguen
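As an added example (my code, not something posted in this thread or shipped with AppArmor), here is a small Python script that applies the explanation above mechanically: it reads AppArmor audit lines, takes only the denied_mask (the part of the request the current profile does not grant), merges the entries for each path across several runs, and prints rule lines. The audit lines are constructed for the example; the field layout (type=APPARMOR_DENIED, requested_mask=, denied_mask=, capname=, fsuid=/ouid=) is assumed from the usual kernel audit format rather than copied from a real system. Execute permissions default to "ix" as suggested above and can be switched to "Px" or another mode. Two details go beyond the posts: complain-mode entries are logged as ALLOWED but carry the same denied_mask, so they are treated identically, and the "owner" qualifier is only emitted when every logged access to a path came from the file's owning uid.

```python
"""Turn AppArmor audit log entries into profile rule lines (added example)."""
import re
from collections import defaultdict

# Constructed sample audit lines, not real system output. The key=value and
# key="value" layout is assumed from the usual kernel AppArmor audit format.
SAMPLE_LOG = """\
type=APPARMOR_DENIED msg=audit(1232200000.123:45): operation="open" pid=1234 profile="/usr/bin/virtualbox" name="/home/user/.VirtualBox/VirtualBox.xml" requested_mask="rw" denied_mask="w" fsuid=1000 ouid=1000
type=APPARMOR_DENIED msg=audit(1232200000.456:46): operation="file_mmap" pid=1234 profile="/usr/bin/virtualbox" name="/usr/lib/virtualbox/VBoxRT.so" requested_mask="rm" denied_mask="m" fsuid=1000 ouid=0
type=APPARMOR_DENIED msg=audit(1232200000.789:47): operation="exec" pid=1234 profile="/usr/bin/virtualbox" name="/usr/lib/virtualbox/VBoxSVC" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=APPARMOR_DENIED msg=audit(1232200001.000:48): operation="capable" pid=1234 profile="/usr/bin/virtualbox" capname="net_admin"
type=APPARMOR_DENIED msg=audit(1232200001.200:49): operation="open" pid=1234 profile="/usr/bin/virtualbox" name="/home/user/.VirtualBox/VBox.log" requested_mask="a" denied_mask="a" fsuid=1000 ouid=1000
type=APPARMOR_DENIED msg=audit(1232200001.300:50): operation="open" pid=1234 profile="/usr/bin/virtualbox" name="/home/user/.VirtualBox/VBox.log" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=APPARMOR_ALLOWED msg=audit(1232200001.400:51): operation="open" pid=1234 profile="/usr/bin/virtualbox" name="/etc/passwd" requested_mask="r" denied_mask="r"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rwalkm"                # conventional letter order in a file rule
ACTIONABLE = {"DENIED", "ALLOWED"}   # ALLOWED = complain mode, still needs a rule


def parse_fields(line):
    """Split one audit line into {key: value}; quoted values lose their quotes."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}


def event_kind(fields):
    """Return 'DENIED' or 'ALLOWED' for rule-relevant lines, else None."""
    t = fields.get("type", "")
    kind = t[len("APPARMOR_"):] if t.startswith("APPARMOR_") else fields.get("apparmor", "")
    return kind if kind in ACTIONABLE else None


def perm_string(perms, exec_mode):
    """Render a permission set; 'a' and 'w' cannot share a rule, so 'w' wins."""
    if "w" in perms:
        perms = perms - {"a"}
    out = "".join(c for c in PERM_ORDER if c in perms)
    if "x" in perms:
        out += exec_mode            # ix / Px / px / Ux / ux, chosen by the caller
    return out


def rules_from_log(text, exec_mode="ix"):
    """Aggregate audit lines into {profile: [rule line, ...]}.

    Only denied_mask becomes a permission: that is what the current profile
    does not grant yet. Entries for one path are merged, because a program
    typically surfaces a single denial per run and has to be restarted.
    """
    files = defaultdict(lambda: defaultdict(set))   # profile -> path -> perms
    owned = defaultdict(dict)                        # profile -> path -> bool
    caps = defaultdict(set)                          # profile -> capabilities
    for line in text.splitlines():
        f = parse_fields(line)
        if event_kind(f) is None or "profile" not in f:
            continue
        prof = f["profile"]
        if f.get("operation") == "capable":
            # newer kernels log capname=, older ones put the name in name=
            caps[prof].add(f.get("capname") or f.get("name"))
            continue
        path, mask = f.get("name"), f.get("denied_mask")
        if not path or not mask:
            continue
        files[prof][path].update(mask)
        # 'owner' only fits files owned by the process's fsuid; a single
        # counter-example for a path drops the qualifier.
        same_owner = "fsuid" in f and f["fsuid"] == f.get("ouid")
        owned[prof][path] = owned[prof].get(path, True) and same_owner
    result = {}
    for prof in sorted(set(files) | set(caps)):
        rules = ["capability %s," % c for c in sorted(caps[prof])]
        for path in sorted(files[prof]):
            prefix = "owner " if owned[prof][path] else ""
            rules.append("%s%s %s," % (prefix, path, perm_string(files[prof][path], exec_mode)))
        result[prof] = rules
    return result


if __name__ == "__main__":
    for prof, rules in rules_from_log(SAMPLE_LOG).items():
        print("%s {" % prof)
        for r in rules:
            print("  " + r)
        print("}")
```

Run it on the output of `dmesg` or /var/log/messages (or, on later releases, /var/log/kern.log) instead of SAMPLE_LOG and paste the printed rules into the profile; pass exec_mode="Px" where the executed program has a profile of its own.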

  4. #24

    Re: Share your AppArmor Profiles

    Quote Originally Posted by q.dinar:
    In man apparmor.d it is written:
    "There is no mediation based of port number or protocol beyond tcp, udp, and raw"
    So I cannot restrict access to/by a certain IP?
    Can I restrict access of a program but allow other programs as usual with iptables? As far as I know it is possible.
    No, you can't restrict IP addresses using AppArmor. There's no way to say "only 192.168.100.0/24 can connect". You would have to use iptables and say "reject from not 192.168.100.0/24 port 8082". I'm not sure what you mean by restricting an application with iptables though. You can restrict what network connections may be accepted with iptables, but there's no way to use iptables to say "FreeSWAN may accept connections on port 9021 but not Transmission", and you can't say "MyApp can accept GRE traffic but nothing else can" (EDIT: Not true, I learned this can be done, see my next post). You could use AppArmor to say that a program may only access a network using IPv4 UDP, but that's about it. Do you have a specific scenario? Maybe we could help you combine AppArmor and iptables to achieve what you want.
    Last edited by jgoguen; January 18th, 2009 at 08:19 PM.
    Joel Goguen

  5. #25

    Re: Share your AppArmor Profiles

    The "requested mask" is what the program wants.
    Yes, I had been mistaken.

    I'm not sure what you mean by restricting an application with iptables though. ... but there's no way to use iptables to say "FreeSWAN may accept connections on port 9021 but not Transmission"
    Yes, that is a different thing from blocking an application; what I have seen was blocking by the username the program runs as, I do not know exactly:
    http://danieldegraaf.afraid.org/info/iptables/outfilter :
    Code:
    #!/usr/bin/env iptables-restore
    *filter
    # Default policies: drop forwarded and inbound traffic, allow outbound.
    :FORWARD DROP [0:0]
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    # User-defined chain: log the packet (ULOG, userspace logging) then accept it.
    :loga - [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp --dport 80 -j loga
    -A loga -j ULOG
    -A loga -j ACCEPT
    # Outbound: replies to existing sessions pass; new connections opened by
    # the www-data user (owner match on the socket's uid) are logged and
    # dropped; root and daniel are allowed; everything else is logged before
    # the chain's ACCEPT policy applies.
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -m owner --uid-owner www-data -j ULOG --ulog-prefix www
    -A OUTPUT -m owner --uid-owner www-data -j DROP
    -A OUTPUT -m owner --uid-owner root -j ACCEPT
    -A OUTPUT -m owner --uid-owner daniel -j ACCEPT
    -A OUTPUT -j ULOG --ulog-prefix egress
    COMMIT

  6. #26

    Re: Share your AppArmor Profiles

    What that does there is block any outbound connections not related to an existing session for the specified username. If you started Firefox as www-data, it would fail to connect to anything. I've just learned about the --cmd-owner option, which takes a name as a parameter. It matches if the packet was created by a process matching that command name. I don't know if it requires a full path (I would imagine so) or if it's enabled in Ubuntu (iptables has to be compiled under a kernel supporting this feature for it to work) but that might allow you to use iptables to restrict an application's network access with iptables. Which means I stand corrected, there is indeed a way to use iptables to say "FreeSWAN may accept connections on port 9021 but not Transmission"
    Joel Goguen

  7. #27

    Re: Share your AppArmor Profiles

    Hello.
    How do I make rules for Wine and all programs that run with/by Wine? Would a profile created with "sudo genprof wine" cover all {functions usually controlled by AppArmor} of all [exe, com] programs that run with Wine, or just the Wine components started by those programs, excepting some of their non-Wine direct operations?
    "Ux" or "ux" (execute with no profile - not recommended!) or "Px" or "px" (execute with the profile for the program)
    This is useful for me, thanks.

  8. #28

    Re: Share your AppArmor Profiles

    A profile for /usr/bin/wine would cover all programs started by WINE, even if they're installed under different WINE prefixes. So if you installed (for example) Starcraft, MS Office 2007, Internet Explorer 6 (IEs4Linux), and World of Warcraft, your AppArmor profile would need to cover all permissions required by all programs. It would also require maintenance when you install more programs - you would need to make sure the profile gave enough permissions for the installer programs to function, and the profile might require changes to accommodate programs you install later. genprof only generates an approximate profile; I used it only once and found it was easier for me to just create the profile from scratch each time, or modify an existing profile.
    Joel Goguen

  9. #29

    Re: Share your AppArmor Profiles

    I use genprof only to create an almost empty file of about 50-100 bytes. If I do not use genprof, I do not know which file to make the profile for and what name to give it accordingly. For example, sudo genprof firefox uses a file with a name like Firefox.sh, with an "sh" extension, but next to that file in its directory there are "firefox" and other executable files.

  10. #30

    Re: Share your AppArmor Profiles

    You have a good point there.
    Joel Goguen
