Page 17 of 19 FirstFirst ... 71516171819 LastLast
Results 161 to 170 of 185

Thread: AppArmor Support Thread

  1. #161
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor Support Thread

    Quote Originally Posted by MiniT View Post
    Tht means the firefox or transmission or samba critter may have a user account of sorts in a group of some kind - and defined limits therof.
    It's actually not important what the user account is until you look at rules that have the "owner" directive or use the "@{HOME}" expansion.

    Quote Originally Posted by MiniT View Post
    What I don't get is why I can Save Page As . . . and see - pretty much anything. Maybe even save to most sensitive areas - by default?
    AppArmor may (for various reasons) allow you to view areas even if you can't save there. In the default Firefox profile, at least as I have it, Firefox only has write access to ~/Downloads/, ~/.config/ibus/bus/ and ~/.gnome2/firefox*-bin-*. But, it has read access to the home directory and to ~/Public/. So under that profile, if you use Save As in Firefox, you could go into ~/Public/ and view what's there, but you would get an error if you actually tried to save there. Are you experiencing something different? Post your whole profile if you are, we can look at it and try to figure it out.

    Quote Originally Posted by MiniT View Post
    What if I start iwth a profile that basically says :
    audit deny / mrwkl # or anything else goshdarnit
    That probably won't work quite as well as you think and would lead to a much larger profile than is necessary What's in the default Firefox profile, which is "/ r", is a good starting point.

  2. #162
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    Ah, as I thought originally.
    AppArmor is supposed to be a semi-standalone permissions enforcer, yes?
    A hand smackin', keep the kids in line, hard nosed old so and so.

    Good.

    So I'll figure out how to pin my profile for Firefox up here and you'll see DENYs for things that prob'ly shouldn't be allowed by default, but I had access to write to. Thus the DENY rules I wrote.

    Suspected issue with my messing in the code . .. we'll see.

    miniT

    maybe in new post I can add attachment?
    Last edited by MiniT; August 17th, 2011 at 09:52 PM. Reason: trying to add attachment to get feedback

  3. #163
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    Well , two problems you have ...

    1. Yes, there is a learning curve with apparmor, there is one with selinux as well

    2. You are starting with a profile for firefox, try starting with a smaller, easier application and then working your way up to firefox.

    http://blog.bodhizazen.net/linux/app...ivoxy-profile/
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  4. #164
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor Support Thread

    AppArmor is a method for implementing Mandatory Access Control (see http://en.wikipedia.org/wiki/Mandatory_access_control for an overview; SELinux is another implementation). Enjoy your first round of light reading

  5. #165
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    Ah there we go. (That's a friendly color, I think I'll stay with it.)
    Attachment attached in the attachable position.
    So, do your worst.
    It seems to be working for what I want. And watch TV on internet.
    I can get to everything I need, the /var/log/messages is silent for FF!
    That is unless I try to open something forbidden or save to somewhere forbidden. [bong]USER SMACKDOWN! <-- also with the dialog box.

    You'll note the limits on folders within my user's home.
    I should only be able to write to Downloads and Desktop.
    That's how it works at present, with the DENYs in place.
    Oh, and despite the comment, OWNER found its way back in.
    Without it . . . something wasn't working?
    I forget, but this is a single user computer, so who cares right?


    Perhaps there's something I should have seen, but the DENYs were necessary to limit writing to directories in home, when she was set to Enforce.

    Profile cobbled together for Firefox 5/Linux Mint 10 (Gnome) "Julia"
    This OS is based on Ubuntu 10.10(just prettier + some tweaks).

    Thanks for helping dudes, you're both awesome.
    Oh you slipped in while i was typing and eating oatmeal. . .
    . . .
    did some reading and will do some more . . .
    So folder/file permissions are DAC - user adjustable, relatively insecure. And AppArmor is . . . not simple to describe, but works in relation to kernel to keep programs/processes in line.

    OK, it seems like I should have to Explicitly grant access to somewhere, or that by saying Read access is granted, that implies nothing else is OK.
    But should NOT have to Deny access to any of the other folders in Home unless I granted it in the first place . . . maybe in the Includes . .?

    Is it possible this is a Minty re-imagining of . . . sumthin'? Don't even want to think about that.
    I will sieve through the Mint resources I can find and see if they have any advice to offer on this - unless you tell me I am being thick and ITS RIGT THERE in front of my face. First time for everything.


    --------------
    I feel like I've visited this post before . . .
    Attached Files Attached Files
    Last edited by MiniT; August 17th, 2011 at 11:27 PM. Reason: not feeling like eating beans today

  6. #166
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    Ok.
    Me: too many words B4, not enough content.

    M.A.C. reading led to more. See helpful (many overlaps) below:

    http://en.wikipedia.org/wiki/Mandatory_access_control
    Main Page - AppArmor
    AppArmor - Community Ubuntu Documentation
    AppArmor Detail - openSUSE
    SDB:AppArmor geeks - openSUSE
    [all variants] Introduction to AppArmor - Ubuntu Forums
    AppArmor - Ubuntu Wiki

    Also read Ubuntu Security wiki et al, props to Bodhi.zazen.

    Then scanned my usr.bin.firefox, its includes, their includes, variables, et cetera.

    Came full circle to a post/thread I already had in bookmarks . . .
    [SOLVED] How to test that Apparmor is working? - Ubuntu Forums
    The name is not what I was looking for. I knew AA was working, just not right. Got the link to BZ's FF profile there - but missed the rest!

    This is a problem in App Armor version 2.5.1, for Ubuntu 10.10.4.
    If you read that SOLVED:
    Yeah, but his profile apparently does not allow writing to a directory he is writing to. So something is wrong somewhere, and I doubt it's the profile.
    They did as I did and traced back to user-files. Therein is the problem.

    Also discovered potential for JAVA SCRIPTS to have rwk privileges in my HOME! From /etc/apparmor.d/abstractions/ubuntu-browsers.d/java :
    owner @{HOME}/ r,
    owner @{HOME}/** rwk,
    WHat-the . . . !
    Does that say what I think it does?!
    Please tell me javascripts are not allowed to read/write as they please in my only user's home directory. (no pets allowed!)

    I think these are two mistakes that need reporting.
    Is it Launchpad? Log in just like this forum?

    I suppose my profile for FF is good for now, except the JAVA issue.
    I will figure how to report if you can help me fix (if it needs fixing/reporting).

    Please set me straight if I need it!

    Respectfully,
    miniT

  7. #167
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor Support Thread

    Quote Originally Posted by MiniT View Post
    Does that say what I think it does?!
    Please tell me javascripts are not allowed to read/write as they please in my only user's home directory. (no pets allowed!)
    No, JavaScript never has access to the file system. That profile snippet is for Java, which is a whole other nasty thing. But yes, that does mean "read $HOME and read/write anything under $HOME". Which I think we both agree is a Bad Thing (although needed for Java to work...) and is a reason why I tend to avoid Java where I can If you don't use Java applets, you could try removing that and see how far you get.

    Always remember, despite any naming similarities Java and JavaScript are not related. It tends to help to think less about "JavaScript" and more about "ECMAScript". JavaScript is a dialect of ECMAScript, and so is JScript, QtScript and ActionScript. Thinking of it as ECMAScript also helps to avoid any confusion with Java, which is completely unrelated and wholly separate from JavaScript.

  8. #168
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    I'll read up on Java (and ECMA scripts). Thank you.

    A load off of the mind!
    So, perhaps just striking the line that calls up the java file?
    Or edit it's permissions to a strict level with audit DENYs and watch what happens?

    Why does it need ALL of Home? That's greedy.

  9. #169
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor Support Thread

    I'm not familiar with Java so I'm not sure what the plugin needs under $HOME to make it so greedy. This is part of why bodhi.zazan suggested you start with a smaller program and work up to Firefox

    I rarely allow Java applets at home, so I can safely remove the Java abstraction from the Firefox abstraction. However, that does imply a bit of extra work when I actually do need to run Java applets as I need to put that line back, reload AppArmor, restart Firefox and then undo it all again later. AppArmor is anything but "fire and forget", much to the annoyance of people looking for a simple no-maintenance solution

  10. #170
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    Quote Originally Posted by jgoguen View Post
    AppArmor is anything but "fire and forget", much to the annoyance of people looking for a simple no-maintenance solution
    Yeah, moving target makes it more fun!

    EDIT: fixed this profile, see next post if you like
    Speaking of which:
    Simple Transmission profile, in complain mode.
    One line popped up in /var/log/messages, I couldn't figure out how to fix.

    When Trans. profile is complaining, magnet links work from Firefox, open in Trans. But I get a line similar to below, but allowed.
    When Trans. profile is enforced, magnet links don't ask to open with Transmission.
    No problem with torrent files, though. And I get this in messages:

    Code:
    Aug 21 10:46:52 mini1012 kernel: [ 2682.813007] type=1400 audit(1313938012.696:49): apparmor="DENIED" operation="file_mprotect" parent=1 profile="/usr/bin/transmission" name="/usr/bin/transmission" pid=2905 comm="transmission" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    I have to figure out what the IDs are referring to and allow right?
    Oops, there's my inexperience showing!

    A link to a similar problem solved would be a fine answer.
    Any help appreciated, dudes.

    EDIT: something to do with ps or pstree or ptrace commands? am searching . . .
    Found the following in my bookmarks LOL, but can become more independent of others' work when I know more about the above.
    Transmission profile in Share your AppArmor Profiles - thank you DanneStrat!

    MiniT

    ----------------------------------
    you guys
    Last edited by MiniT; August 22nd, 2011 at 03:40 AM. Reason: more and more and more specific

Page 17 of 19 FirstFirst ... 71516171819 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •