
Thread: AppArmor Support Thread

  1. #31

    Re: AppArmor Support Thread

    Hello.

    I have looked at what is run by what with ps fax and with System Monitor.
    Though many programs are run by gdm, among them nautilus, they are all run in the "x-session-manager" branch and nothing is run by Xorg. Only two things, Xorg and x-session-manager, are run by gdm directly. What will happen if I restrict only Xorg? If the video driver is in Xorg it would work.
    How can I restart Xorg? Quitting and logging in, I think.
    And firefox is not run by x-session-manager. I have just started gedit to check and see that it also does not run in the gdm branch.

    What do you think about restricting the installer of ".deb" files? To install deb files for Ubuntu that are got from different sites relatively harmlessly, because a deb file can (or always?) contain a script and it runs as root. As far as I know there are many deb files of newer versions of programs that are in Ubuntu's own repository and also of programs that are not in the repository, and among them closed-source programs.
    For example, the process of installing a deb file should not browse files in /mnt/ subdirectories, I think.

  2. #32
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor Support Thread

    Quote Originally Posted by q.dinar View Post
    I have looked at what is run by what with ps fax and with System Monitor.
    Though many programs are run by gdm, among them nautilus, they are all run in the "x-session-manager" branch and nothing is run by Xorg. Only two things, Xorg and x-session-manager, are run by gdm directly. What will happen if I restrict only Xorg? If the video driver is in Xorg it would work.
    I'm not entirely certain what you're asking about here. Are you asking what you will restrict if you use AppArmor on Xorg? You would restrict Xorg, anything loaded by Xorg, and anything run as a child of Xorg, unless the child has its own profile and you specify Px (or px), or you specify Ux (or ux). Although, as has been mentioned earlier, there are better places to start for securing your system. If you allow Xorg to listen for incoming connections, then Xorg would be a good (although large and complex) candidate for AppArmor, but if you leave it at the default setting and don't allow remote X connections (note: NOT the same as allowing X forwarding over SSH) then it's not as important IMO.

    Quote Originally Posted by q.dinar View Post
    How can I restart Xorg? Quitting and logging in, I think.
    No, that won't restart Xorg, just your login session. You can press Ctrl+Alt+Backspace. That will immediately terminate Xorg (and any GUI programs you have running, and any of their children) and bring you back to the login screen. This was disabled in Jaunty; you can add this to /etc/X11/xorg.conf and restart to enable it again:
    Code:
    Section "ServerFlags"
        Option  "DontZap"   "False"
    EndSection
    Note that you should not have two ServerFlags sections, so just merge this with the existing one if you already have a ServerFlags section.

    Quote Originally Posted by q.dinar View Post
    And firefox is not run by x-session-manager. I have just started gedit to check and see that it also does not run in the gdm branch.
    No, you're right, they (and IIRC everything else you start) are each run as their own process. Restrictions on gdm (or kdm, or Xorg, or x-session-manager, or /usr/bin/bodhi-zazens-super-spyware-script-pretending-to-be-Xorg ) will not affect these.

    Quote Originally Posted by q.dinar View Post
    What do you think about restricting the installer of ".deb" files? To install deb files for Ubuntu that are got from different sites relatively harmlessly, because a deb file can (or always?) contain a script and it runs as root. As far as I know there are many deb files of newer versions of programs that are in Ubuntu's own repository and also of programs that are not in the repository, and among them closed-source programs.
    For example, the process of installing a deb file should not browse files in /mnt/ subdirectories, I think.
    Depends on what precisely you're trying to achieve. As you note, these are run as root, and they always have scripts. In fact they can have up to (IIRC) 4 scripts, possibly 6 - pre-install, post-install, pre-remove, and post-remove. There may also be install and remove, I don't recall. However, regardless, I would be much less concerned about what these scripts are doing in /mnt/ or /media/ (which you could deny access to and legitimately expect nothing to break) and much more concerned about what they're doing in /bin/, /sbin/, /usr/bin/, /usr/sbin/..., all of which you would need to allow read, write, and symlink access to. Think for a second. If I trick you into installing "my-malicious-package_1.0.0-0ubuntu1.deb" and I drop stuff in /mnt/ only, then big deal. Provided I don't change other things, of course. Now, let's say that I later also trick you into installing "my-malicious-package_1.0.1-0ubuntu1.deb" which does any (all?) of these clearly malicious things:

    • Replace /bin/ls with a modified version. Use your imagination to think of what I could do with that.
    • Replace /boot/vmlinuz-2.6.28-11-generic with a modified version. That's your kernel. I'm sure you can think of plenty of things I could do with that.
    • Replace /usr/bin/firefox with a symlink to my malicious script that "does stuff" before starting the real Firefox.


    The list of possibilities goes on of course. So is there value in restricting the dpkg installer? Yes, but not as much as you might think.
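
Added example (not part of the thread or any poster's code): a Python sketch that opens a .deb as the ar archive it is and reports which maintainer scripts it carries and which payload paths fall under the directories named in the post above, so the package can be reviewed before anything runs as root. The sample package is constructed inline; the `SENSITIVE` prefix list and the helper names are assumptions made for illustration.

```python
import io, tarfile
# dpkg's maintainer-script file names inside control.tar.* (all run as root)
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm", "config"}
SENSITIVE = ("bin/", "sbin/", "usr/bin/", "usr/sbin/", "boot/")  # from the post

def ar_members(blob):
    """Yield (name, data) for each member of an ar archive (a .deb's outer layer)."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]              # fixed 60-byte member header
        name = hdr[:16].decode().rstrip(" /")
        size = int(hdr[48:58].decode())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)         # members are 2-byte aligned

def tar_names(data):
    # "r:*" auto-detects gz/bz2/xz; zstd-compressed members need other tooling
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return [m.name.removeprefix("./") for m in tf if not m.isdir()]

def inspect_deb(blob):
    report = {"scripts": [], "sensitive_paths": []}
    for name, data in ar_members(blob):
        if name.startswith("control.tar"):
            report["scripts"] = sorted(MAINTAINER_SCRIPTS & set(tar_names(data)))
        elif name.startswith("data.tar"):
            report["sensitive_paths"] = sorted(p for p in tar_names(data) if p.startswith(SENSITIVE))
    return report

def _tar(files):                              # builds the constructed sample only
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, body in files.items():
            info = tarfile.TarInfo("./" + path)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()
def _ar(members):
    out = b"!<arch>\n"
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")
    return out

SAMPLE_DEB = _ar([("debian-binary", b"2.0\n"),
    ("control.tar.gz", _tar({"control": b"Package: demo\n", "postinst": b"#!/bin/sh\n"})),
    ("data.tar.gz", _tar({"usr/bin/firefox": b"", "usr/share/doc/demo/README": b"hi"}))])
```

Calling `inspect_deb(open(path, "rb").read())` on a downloaded package gives the same report without unpacking or executing anything from it.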

  3. #33

    Re: AppArmor Support Thread

    Quote Originally Posted by jgoguen
    You would restrict Xorg, anything loaded by Xorg, and anything run as a child of Xorg.
    Is video driver code >2009-04-18: completely loaded only by Xorg? loaded completely by Xorg and only by Xorg?<

    Quote Originally Posted by jgoguen
    If you allow Xorg to listen for incoming connections, then Xorg would be a good (although large and complex) candidate for AppArmor, but if you leave it at the default setting and don't allow remote X connections (note: NOT the same as allowing X forwarding over SSH) then it's not as important IMO.
    Can driver code make connections [by itself] over the internet if Xorg is configured to not be allowed to make remote X connections?

    I have not seen anything under the Xorg branch in the process list. What process can be shown there?
    Last edited by q.dinar; April 18th, 2009 at 07:29 AM.

  4. #34
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor Support Thread

    Quote Originally Posted by q.dinar View Post
    Is video driver code completely loaded only by Xorg?
    Yes, as far as I'm aware.

    Quote Originally Posted by q.dinar View Post
    Can driver code make connections [by itself] over the internet if Xorg is configured to not be allowed to make remote X connections?
    Probably not, but I wouldn't rule out the possibility.

    Quote Originally Posted by q.dinar View Post
    I have not seen anything under the Xorg branch in the process list. What process can be shown there?
    You're probably looking for gdm or kdm if you want to see child processes. Keep in mind that everything started by gdm/kdm/xdm may not necessarily be shown as a child process! That's important to remember, since it's possible that you write a profile for gdm and suddenly see that other processes are bound by that same profile.

    As has already been said though, locking down X/GDM/KDM/XDM is going to be difficult, including quite likely a lot of time spent editing with no working GUI, and the benefits are unlikely to outweigh the troubles. I will happily help you out, but I want to make sure you have fair warning before you start. Network applications, like Firefox, Evolution, Pidgin, Thunderbird, XChat, SSH, etc. are better targets for profiles. I hesitate to say SSH though, in that case you're probably better using jdong's jailbash instead. Yes, X can listen on a network, but if you haven't configured it to do so it won't accept incoming connections, so the benefit is limited.

    If you really want to, start with a base profile (things that make sense to you for X/GDM/KDM/XDM to need access to), put the profile in complain mode, and then load it and restart. That will let you keep your GUI and see everything it's asking for access to. Check what it legitimately needs, add that to the profile, restart again. Rinse and repeat until it's only complaining about things it doesn't actually need.

    You may also find that it's easier (for profile creation, readability, maintenance, and generally making sense of everything 6 months down the road) to create multiple smaller profiles (one for GDM, one for each program called by GDM, and so on) and using the 'Px' execute permissions rather than trying to fit everything into a single profile with lots of 'ix' execute permissions. That advice also applies to other smaller applications too. Rather than writing a profile for Firefox that includes everything needed for file-roller or ark to run, write profiles for file-roller and ark and give Firefox Px access to those programs.
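
Added example (not from the thread): a Python sketch of the complain-mode loop described in the post above. It reads the events one profile generated while in complain mode and turns them into candidate rules for a human to review, proposing `Px` for executed programs so each child gets its own profile. The log lines are constructed, and their key="value" layout is an assumption based on recent kernels; `candidate_rules` is a hypothetical helper, not an AppArmor tool.

```python
import re
from collections import defaultdict

# Constructed sample events; complain-mode accesses are logged as "ALLOWED".
SAMPLE_LOG = '''\
type=1400 audit(1240070000.100:11): apparmor="ALLOWED" operation="open" profile="/usr/sbin/gdm" name="/etc/gdm/gdm.conf" pid=2100 comm="gdm" requested_mask="r" denied_mask="r"
type=1400 audit(1240070000.200:12): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/gdm" name="/var/run/gdm.pid" pid=2100 comm="gdm" requested_mask="c" denied_mask="c"
type=1400 audit(1240070000.300:13): apparmor="ALLOWED" operation="open" profile="/usr/sbin/gdm" name="/var/run/gdm.pid" pid=2100 comm="gdm" requested_mask="wr" denied_mask="wr"
type=1400 audit(1240070000.400:14): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/gdm" name="/usr/bin/Xorg" pid=2101 comm="gdm" requested_mask="x" denied_mask="x"
type=1400 audit(1240070000.500:15): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=4792 comm="cupsd" requested_mask="r" denied_mask="r"
'''

PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Profile permission -> log mask letters that imply it (create/delete need w)
PERMS = (("r", "r"), ("w", "wcd"), ("k", "k"), ("l", "l"), ("m", "m"))

def parse_event(line):
    fields = {k: v.strip('"') for k, v in PAIR.findall(line)}
    return fields if {"apparmor", "profile", "name"} <= fields.keys() else None

def candidate_rules(log_text, profile):
    """Return sorted rule strings to review by hand, never to load blindly."""
    masks = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev["profile"] == profile and ev["apparmor"] == "ALLOWED":
            masks[ev["name"]].update(ev.get("denied_mask", ""))
    rules = []
    for path, seen in sorted(masks.items()):
        shown = f'"{path}"' if " " in path else path   # quote paths with spaces
        if "x" in seen:
            rules.append(f"{shown} Px,")   # child must have its own profile
            continue
        perms = "".join(p for p, src in PERMS if seen & set(src))
        if perms:
            rules.append(f"{shown} {perms},")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOG, "/usr/sbin/gdm")))
```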

  5. #35
    Join Date
    Aug 2007
    Beans
    35
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: AppArmor Support Thread

    Is this too permissive?

    While I was going through logprof, firefox wanted read access to the following:
    Code:
      deny owner "/home/*/.BOINC Manager" r,
      deny owner /home/*/.DCOPserver_Roadrunner64__0 r,
      deny owner /home/*/.aspell.en.prepl r,
      deny owner /home/*/.bash_logout r,
      deny owner /home/*/.esd_auth r,
      deny owner /home/*/.gksu.lock r,
      deny owner /home/*/.pulse-cookie r,
      deny owner /home/*/.sudo_as_admin_successful r,
      deny owner /home/*/.xsession-errors r,
      deny /proc/1/cmdline r,
      deny /proc/1/stat r,
      deny /proc/2/cmdline r,
      deny /proc/2/stat r,
      deny /proc/3/cmdline r,
      deny /proc/3/stat r,
      deny /proc/4/cmdline r,
      deny /proc/4/stat r,
      deny /sbin/killall5 x,
      deny /var/run/dbus/system_bus_socket w,
    Should I allow them? What do they do and why does firefox want read access to them? I've denied them for the time being.
    Last edited by rileinc; April 18th, 2009 at 12:26 AM.

  6. #36
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    Is firefox working?

    If so, then you are done.

    If not, then you will have to allow more things.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  7. #37
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor Support Thread

    There are a lot of files Firefox tries to access that I just can't explain. Files like ~/.viminfo and ~/.rsyncignore (which is a custom file, so it's really weird that Firefox wants it!) make no sense to me for Firefox to have access to, but it seems to try anyway.

    As for your profile, basically what bodhi said - if Firefox is working, and you've achieved your goals in creating the profile, then the profile is fine.

  8. #38
    Join Date
    Aug 2007
    Beans
    35
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: AppArmor Support Thread

    Quote Originally Posted by jgoguen View Post
    As for your profile, basically what bodhi said - if Firefox is working, and you've achieved your goals in creating the profile, then the profile is fine.
    Ah, I see. I asked because I don't want to permit things that I'm not supposed to allow.

    Quick question: when I remove a profile, do I have to specifically tell AppArmor that the profile is gone (e.g. apparmor_parser -R /etc/apparmor.d/profile), or can I just delete it from /etc/apparmor.d (then reload AA)?
    Last edited by rileinc; April 21st, 2009 at 03:03 AM.

  9. #39
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    Delete the profile and re-load apparmor.

    You do not need to worry too much about allowing something; remember, without apparmor firefox has full access to your system limited only by permissions.

    With apparmor firefox has less access, limited by the apparmor kernel module and permissions.

    In general it should be obvious what to confine, but to be honest this is an area where I prefer selinux.

  10. #40
    Join Date
    Dec 2008
    Beans
    57

    Re: AppArmor Support Thread

    Hello everyone,

    As a first-timer, I tried creating a profile for pidgin to get some practice with apparmor. When in enforce mode, Pidgin won't even load :\

    I'm not sure I got everything right, but when I do:
    Code:
    lou@trooper:~$ sudo genprof pidgin
    Please start the application to be profiled in 
    another window and exercise its functionality now.
    
    Once completed, select the "Scan" button below in 
    order to scan the system logs for AppArmor events.  
    
    For each AppArmor event, you will be given the  
    opportunity to choose whether the access should be  
    allowed or denied.
    
    Profiling: /usr/bin/pidgin
    
    [(S)can system log for SubDomain events] / (F)inish
    Reading log entries from /var/log/messages.
    Updating AppArmor profiles in /etc/apparmor.d.
    
    Create New User?
    
    (Y)es / [(N)o]
    Username:
    I followed the instructions, I saw the messages log entry for pidgin as I took him for a spin, then when I press the S key, the create user prompt appears.... What user are we talking about here? I did not find any help for this :/

    Apparmor had created a file for pidgin but it only shows:
    Code:
    # Last Modified: Sat May  2 13:33:45 2009
    #include <tunables/global>
    
    /usr/bin/pidgin flags=(complain) {
      #include <abstractions/base>
    
    }
    I installed the apparmor_profiles.
    If I run apparmor_status, pidgin is loaded:
    Code:
     sudo apparmor_status
    apparmor module is loaded.
    17 profiles are loaded.
    5 profiles are in enforce mode.
       /usr/share/gdm/guest-session/Xsession
       /usr/lib/cups/backend/cups-pdf
       /usr/bin/pidgin
       /usr/sbin/cupsd
       /usr/sbin/avahi-daemon
    12 profiles are in complain mode.
       /usr/sbin/identd
       /usr/sbin/ntpd
       /sbin/klogd
       /usr/sbin/dnsmasq
       /usr/sbin/nmbd
       /sbin/syslogd
       /usr/sbin/smbd
       /sbin/syslog-ng
       /usr/sbin/traceroute
       /usr/sbin/nscd
       /bin/ping
       /usr/sbin/mdnsd
    5 processes have profiles defined.
    1 processes are in enforce mode :
       /usr/sbin/cupsd (4792) 
    0 processes are in complain mode.
    4 processes are unconfined but have a profile defined.
       /sbin/klogd (4681) 
       /usr/sbin/avahi-daemon (4727) 
       /sbin/syslogd (4630) 
       /usr/sbin/avahi-daemon (4726) 
    lou@trooper:~$
    Thx for any input

    --------

    Does apparmor replace chrooting in a better way? Can both live together?

    I'm planning on running apache2 and proftpd. Any tips to apparmor them? Or any profile to share?

    EDIT: I just saw that it is a bit more complex to apparmor apache because of the subprocess. I will need to get further into that and see if apparmor is really worth it for me.



    thx again
    lou
    Last edited by loudog23; May 3rd, 2009 at 03:48 AM.
