Page 5 of 19 FirstFirst ... 3456715 ... LastLast
Results 41 to 50 of 185

Thread: AppArmor Support Thread

  1. #41
    Join Date
    Dec 2008
    Beans
    57

    Re: AppArmor Support Thread

    deleted
    Last edited by loudog23; May 3rd, 2009 at 03:49 AM.

  2. #42
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor Support Thread

    Quote Originally Posted by loudog23 View Post
    as a first timer, i tried creating a profile for pidgin to get some pratice with apparmor. When in enforce mode, Pidgin wont even load :\
    If you've got the profile you had quoted loaded, that's because AppArmor thinks it should deny everything. Try using this profile as a base, and tweak it to your needs: http://bodhizazen.net/aa-profiles/jg...usr.bin.pidgin

    Quote Originally Posted by loudog23 View Post
    I followed the instruction, i saw the messages log entry for pidgin as i took him for a spin, then when i press the S key, the create user appear.... What user are we talking about here? i did not find any help for this :/
    I'm not very familiar with genprof, and I can't figure out why it's asking for a username. Hopefully someone else has some insights. I would completely remove whatever profile is currently there, reload AppArmor (sudo /etc/init.d/apparmor reload) and try sudo aa-genprof /usr/bin/pidgin again. Failing that, or if you just want something to look at for comparison, I would make use of the profile I linked to.

    Quote Originally Posted by loudog23 View Post
    does apparmor replace chrooting in a better ways? Can both live together?
    Yes and I think so. A chroot jail can be broken out of. AppArmor restrictions aren't so easy to break. As for the two playing nicely together, I don't see why not. It would require some extra thought as to the absolute paths of programs required before and after calling chroot(), and I don't know for sure if AppArmor would apply to absolute paths relative to the real root directory or relative to the chroot() but that wouldn't be too hard to figure out.

    Quote Originally Posted by loudog23 View Post
    Im planning on running apache2 and proftpd. Any tips to apparmor them? or any profile to share?

    EDIT: i just saw that a a bit more complex to apparmor apache because of the subprocess. I will need to get further into that. and see if apparmor is really worth it for me.
    Whether AppArmor is worth it for you depends on what you're trying to achieve. The answer, especially if you're accepting arbitrary data from an arbitrary source (which you are with both programs you've mentioned) is typically "quite likely" for network applications. Apache would certainly be an interesting beast to configure, but even with subprocesses it wouldn't be that much worse than any other single-process application. Just remember to put your profiles (because you'll quite likely be writing multiple profiles for Apache and its children) into complain mode and check /var/log/messages for AppArmor deny entries. Keep in mind that multiple profiles doesn't mean multiple files - a single file can contain all the profiles you want. This profile is an example of how to handle multiple profiles in one file. If you were trying to restrict mod_perl, mod_php, mod_python, and other Apache modules it would probably get a little weird. To make things a little easier (or harder?) for that, you could find mod_change_hat (which isn't in the Ubuntu repos) and use that. It will allow you to have a sub-profile for each script and a default sub-profile for scripts that don't match an existing sub-profile.

  3. #43
    Join Date
    Dec 2008
    Beans
    57

    Re: AppArmor Support Thread

    ty for your reply,
    Quick technical question.
    I have a private ftp (proftpd), If i can make a profile to succefully connect locally (ip 127.0.1.1), can i assume web request to be allowed too?
    I don't have access to another web connection, therefore i can't try it from external source.

  4. #44
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor Support Thread

    If your profile allows you to connect from localhost, you can safely assume that your AppArmor profile won't prevent other incoming connections. AppArmor can't restrict IP addresses, it can only allow or deny TCP and/or UDP connections for IPv4 and/or IPv6. Doesn't mean your firewall won't be restricting anything though, so be sure to check that, and also check port forwarding on your router (if applicable).

  5. #45

    Re: AppArmor Support Thread

    i am not going to allow some files. but apparmor writes messages to syslog not stopping, continuously, near 3 messages per second in syslog and messgages. how to stop it? apparmor must have such ability, because this is its main target, goal - to block up programs, it is normal, so it should not write so many to log files.

  6. #46
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor Support Thread

    AppArmor writes one message per access attempt. So if you write a profile for /usr/bin/myprogram that does not allow access to /etc/shadow and /usr/bin/myprogram makes 10 attempts per second to access /etc/shadow, you will get approximately 10 messages per second in your log saying that access was denied.

  7. #47
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: AppArmor Support Thread

    Anyone tried to profile the latest Firefox-3.0.11? I am not having any luck as there appears to be something wrong with how AppArmor is parsing logs. If I do
    Code:
    sudo aa-genprof firefox
    and then attempt to "Scan" for changes (after I run firefox for a while), it will find some of the denial log messages but not all of them. Once I click on "Finished" and firefox goes into enforce mode, it won't open if I try to restart it. Thereafter, I ran:

    Code:
    sudo aa-logprof
    but it finds no log messages. However, there is a "null-complain-profile" that is still listed in complain mode. ps -A shows this as being firefox. So, what's the deal with these null-profiles and how does one integrate them with an existing firefox profile?

    Also, firefox is asking for dac_overide capabilities. It should not need this!

    I saw that there were some bugs filed about AppArmor (in Jaunty) not parsing error logs properly. Some people on launchpad said that installing autid.d helped them. It doesn't work for me -- I'm still getting this strange behavior.

    Or maybe I am just not doing it right?

  8. #48
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor Support Thread

    I'll be profiling the latest Firefox later today. I can't imagine why it's asking for dac_override, but then again I still haven't figured out why it wants to read ~/.rsynclist (a file I created myself for one of my scripts) or why it's looking for a lot of things in /proc/ that aren't related to it...

    I'll be starting from my current profile, which is posted here. I'll be removing a lot of stuff and trying to re-integrate the file-roller profile back into Firefox, so I'll be sure to post the result here once I'm done.

  9. #49
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    If it helps , my profile is here

    http://bodhizazen.net/aa-profiles/bo....10.firefox.sh

    All I changed was the version from "10" to "!!"

    Have not looked at logs ..
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  10. #50
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: AppArmor Support Thread

    Quote Originally Posted by bodhi.zazen View Post
    If it helps , my profile is here

    http://bodhizazen.net/aa-profiles/bo....10.firefox.sh

    All I changed was the version from "10" to "!!"

    Have not looked at logs ..
    That's what I ended up doing. After trying to unsuccessfully aa-genprof firefox, I just went and changed 10 to 11 inside the profile and all seems to be working. I posted the profile in the profiles thread.

Page 5 of 19 FirstFirst ... 3456715 ... LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •