Security Discussions
Discuss security flaws/updates/notices in the various Ubuntu releases.
Old February 16th, 2009   #21
jgoguen
Re: AppArmor Support Thread

Quote: Originally Posted by q.dinar
Code:
Feb 16 10:53:31 linux2009 kernel: [  382.914441] type=1505 audit(1234770811.273:665): operation="profile_replace" name="/usr/bin/xchat" name2="default" pid=7453
Feb 16 10:53:43 linux2009 kernel: [  395.513632] type=1502 audit(1234770823.873:666): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/sbin/killall5" pid=7460 profile="/usr/bin/xchat"
Feb 16 10:53:43 linux2009 kernel: [  395.514803] type=1504 audit(1234770823.873:667): operation="exec" info="set profile" pid=7460 profile="null-complain-profile"
Feb 16 10:53:43 linux2009 kernel: [  395.514830] type=1502 audit(1234770823.873:668): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/sbin/killall5" pid=7460 profile="null-complain-profile"
Feb 16 10:53:43 linux2009 kernel: [  395.520025] type=1502 audit(1234770823.877:669): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/sbin/killall5" pid=7460 profile="null-complain-profile"
Feb 16 10:53:43 linux2009 kernel: [  395.521749] type=1502 audit(1234770823.881:670): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/sbin/killall5" pid=7460 profile="null-complain-profile"
Feb 16 10:53:43 linux2009 kernel: [  395.525482] type=1502 audit(1234770823.885:671): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/lib/ld-2.8.90.so" pid=7460 profile="null-complain-profile"
Also xchat has asked for killall5.
I think I found this one. /bin/pidof is a symbolic link to /sbin/killall5. So programs that find /bin/pidof and follow the link rather than just calling 'pidof' will find themselves calling /sbin/killall5. My first instinct now is that this is harmless and it's the program trying to find a PID. Hopefully not its own, C has getpid() for that...

Quote: Originally Posted by q.dinar
What is null-complain-profile?
Check out this post over at Novell's forums and see if that applies to you. null-complain-profile is used in learning mode, it complains about absolutely everything.
__________________
Joel Goguen
Real-time help: #ubuntu-beginners on irc.ubuntu.com | How To IRC
The Tao of Ubuntu Security | IPTables how-to
AppArmor | AppArmor Support | AppArmor Profiles
Old February 16th, 2009   #22
q.dinar

There is another message in the log.

How to create a profile for the X server? As was said in this thread or in "share your apparmor profiles", to limit/set rules for/confine/restrict the video driver, a profile for the X server should be created.
Old February 16th, 2009   #23
jgoguen

Quote: Originally Posted by q.dinar
But I wanted to say something about another feature: to create a new "a" directory in a "b" directory in Linux, "write" permission to the "b" directory is needed. In AppArmor rules, "write" permission to the not-yet-existing "a" itself is enough.
OK, I see where you're going with this. Yes, that does seem to be the case, and I'm not sure why, or even if that's the correct behaviour...sounds like a good candidate for a bug to me. You can report bugs here.
Old February 16th, 2009   #24
bodhi.zazen

Quote: Originally Posted by q.dinar
I am quite sad.

You should rename and modify and reload /etc/apparmor.d/usr.lib.firefox-3.0.5.firefox.sh when Firefox has upgraded to 3.0.6!
While I agree apparmor requires active monitoring, I would also suggest you file this as a bug report in Launchpad.
__________________
A person with ubuntu is open and available to others, affirming of others, does not feel threatened that others are able and good, for he or she has a proper self-assurance that comes from knowing that he or she belongs in a greater whole and is diminished when others are humiliated or diminished, when others are tortured or oppressed. ~ Archbishop Desmond Tutu, 1999

Old February 16th, 2009   #25
jgoguen

Quote: Originally Posted by q.dinar
How to create a profile for the X server? As was said in this thread or in "share your apparmor profiles", to limit/set rules for/confine/restrict the video driver, a profile for the X server should be created.
Very carefully. I'm only half-joking, and I'm not completely sure where to start. Probably /usr/sbin/gdm and /usr/X11R6/bin/X, and be prepared to do a lot of work tracing why it's not working and what it's asking for. You may want to put the profiles into complain mode so you don't completely lose graphics:
Code:
sudo aa-complain /path/to/profile
Then when you're satisfied and/or ready to test your profile in enforcing mode:
Code:
sudo aa-enforce /path/to/profile
Remember of course that this doesn't give you the ability to have separate profiles for nvidia, nv, radeon, etc.; the profile is for X in general.

To get an idea of the programs you'd need to have profiles for (or give execute permissions with 'ix') open a terminal and use this command:
Code:
ps fax
That prints out a process tree. Look for the set starting with '/usr/sbin/gdm'.
Old February 16th, 2009   #26
bodhi.zazen

Locking down X or GDM with apparmor will probably be impractical, to say the least.

The things, IMO, you should look at are network-facing applications or daemons (firefox, ssh, etc.) and not something big like X.

If you need to lock down X or a shell (like bash) take a look at jdong's jailbash.

http://www.friedcpu.net/?p=70

Just make jailbash the default login shell.

Or something like SELinux.
Old March 20th, 2009   #27
duanedesign

I just recently installed apparmor and I am fine tuning my profiles. I have got just one more message, related to Firefox, popping up in my log that I want to address.

Mar 20 20:01:08 my-computer kernel: [ 0000.000000] type=0000 audit(000000.000:0000): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/home/duanedesign/.icons/" pid=5664 profile="/usr/lib/firefox-3.0.7/firefox.sh"

I have in my Firefox profile:

@{HOME}/.icons/** r,

Adding the line above did fix five or six log messages like these:

~/.icons/hydroxygen/16x16/categories
~/.icons/hydroxygen/16x16/devices
~/.icons/hydroxygen/16x16/emblems
etc.

So I get the feeling it is working on some level.

I understand the colon's significance in showing (owner permissions:extended ownership tests:other permissions). Does this provide a clue to help me solve this?

I thank you in advance for any help you can give me.

UPDATE: Funny, I worked on this for over an hour, and five minutes after I break down and ask for help I come up with a solution.

I added the following to my firefox profile:

@{HOME}/.icons/ r,

I started Firefox, and no message in my log. I guess I still have a question: do I need both
@{HOME}/.icons/ r,
@{HOME}/.icons/** r,
or is there a better way to get AppArmor to allow Firefox to access all my icons?
__________________
When you have ubuntu, you are generous, compassionate. It means that we are people through other people. We cannot be fully human alone. -Desmond Tutu
Registered Linux User 481263

Last edited by duanedesign; March 20th, 2009 at 09:38 PM.. Reason: update situation
Old March 20th, 2009   #28
jgoguen

Short answer - yes, you do need both, but only if the application actually needs to read the directory. That tends to be true if it doesn't know for sure what the path to the file is, which may be the case here.

The issue is that using ** will match everything in the directory and its subdirectories - but not the directory itself. So using
Code:
@{HOME}/.icons/** r,
will provide read access for all files and directories under /home/<username>/.icons/, but does not provide any access for /home/<username>/.icons/ at all. That's taken care of by the other rule you discovered you need:
Code:
@{HOME}/.icons/ r,
This is the rule that gives access to read the directory itself.

Similarly, but going further than needed to answer your question, if you only used
Code:
@{HOME}/.icons/* r,
you still would have no read access for /home/<username>/.icons/, but you would have read access for all files directly inside it, plus all subdirectories directly underneath it - but not the contents of those subdirectories. As an example, you could see that /home/<username>/.icons/16x16/ exists, and you could also see that /home/<username>/.icons/16x16/unknown.png exists, but you would not be able to read that file.

Hope that helps and doesn't raise more questions than it answers - but feel free to ask away if you have any more questions or if I wasn't clear enough.

Last edited by jgoguen; March 20th, 2009 at 10:05 PM..
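The glob rules discussed in the two posts above (`**` covers everything below a directory but not the directory itself, `*` stops at the next `/`, and a directory is matched with its trailing `/`) can be checked offline against a denial line. The script below is an added example, not code from the thread or from the AppArmor project: it is a simplified translation of the apparmor.d(5) glob rules into Python regexes, the home directory and audit line are constructed values, and it reports whether a proposed set of rule paths would cover the path a kernel audit line complains about.

```python
import re

# Variable expansion as AppArmor does it; the home directory is a constructed value.
VARIABLES = {"@{HOME}": "/home/duanedesign"}


def glob_to_regex(rule_path: str) -> str:
    """Translate an AppArmor file-rule path into an anchored regex.

    Simplified translation of the apparmor.d(5) rules (an assumption for this
    example, not AppArmor's own parser): '*' matches any run of characters except
    '/', '**' matches any run including '/', and directly after a '/' neither may
    match the empty string, which is why '/dir/**' does not cover '/dir/' itself.
    """
    for var, value in VARIABLES.items():
        rule_path = rule_path.replace(var, value)
    parts, i = [], 0
    while i < len(rule_path):
        after_slash = i > 0 and rule_path[i - 1] == "/"
        if rule_path.startswith("**", i):
            parts.append("[^/].*" if after_slash else ".*")
            i += 2
        elif rule_path[i] == "*":
            parts.append("[^/]+" if after_slash else "[^/]*")
            i += 1
        else:
            parts.append(re.escape(rule_path[i]))
            i += 1
    return "^" + "".join(parts) + "$"


def covered(rules, path):
    """True if any rule path covers `path`.  AppArmor reports directories with a
    trailing '/', so pass a directory as '/dir/' and a file as '/dir/file'."""
    return any(re.match(glob_to_regex(r), path) for r in rules)


def denied_path(log_line):
    """Extract the name="..." field from a kernel audit line like the one quoted above."""
    m = re.search(r'\bname="([^"]*)"', log_line)
    return m.group(1) if m else None


# Constructed audit line in the same shape as the Firefox denial quoted in the thread.
SAMPLE_DENIAL = ('type=1502 audit(1237593668.000:1): operation="inode_permission" '
                 'requested_mask="r::" denied_mask="r::" fsuid=1000 '
                 'name="/home/duanedesign/.icons/" pid=5664 '
                 'profile="/usr/lib/firefox-3.0.7/firefox.sh"')

if __name__ == "__main__":
    path = denied_path(SAMPLE_DENIAL)
    print(path, "covered by ** alone:", covered(["@{HOME}/.icons/**"], path))
    print(path, "covered by both rules:", covered(["@{HOME}/.icons/", "@{HOME}/.icons/**"], path))
```

Run it and the directory denial is covered only once the `@{HOME}/.icons/ r,` rule is present; swap other rule paths into `covered()` to see how `*`, `*/` and `**` differ before editing the real profile.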
Old March 20th, 2009   #29
bodhi.zazen

That was going to be my advice.

Nice to see people learning apparmor.

FYI: I have posted some AppArmor profiles for your reference here:

http://bodhizazen.net/aa-profiles/

I am looking for people willing to post their profiles, so if anyone is willing please send me a PM.
Old March 20th, 2009   #30
jgoguen

Quote: Originally Posted by bodhi.zazen
That was going to be my advice.
I just learn from my betters.