Page 6 of 19 FirstFirst ... 4567816 ... LastLast
Results 51 to 60 of 185

Thread: AppArmor Support Thread

  1. #51
    Join Date
    Aug 2006
    Location
    Somewhere in the hell
    Beans
    294
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: AppArmor Support Thread

    Did I set it up correctly?

    Please comment and advice, thanks.

  2. #52
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    Quote Originally Posted by samiux View Post
    Did I set it up correctly?

    Please comment and advice, thanks.
    It is a fine start, keep going

    As you become more familiar with the syntax I think you will find it is easy to use.

    As this happens you will likely find you rely less on aa-logprof .

    I highly suggest you back up a working profile before you edit it (outside of /etc/apparmor.d/).

    In terms of paths / directories it depends on what you are serving with apache. Apache may need access to things such as ssl, php, perl, python, cgi, home directories (~/www), svn, etc, etc, etc.

    This is one "problem" with apparmor, every users will need to derive his or her own profile and you need to first understand what is normal behavior for apache before you can confine it.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  3. #53
    Join Date
    May 2008
    Beans
    18

    Re: AppArmor Support Thread

    There is no way to make a profile for all programs in a certain directory, is there?

    E.g. I would like to block internet traffic for all programs, except for those which have a profile that allows it?

    Or limit the read/write rights for all programs which I run from directory ~/downloaded-files?


    /jeli
    Last edited by Jens_Li; July 11th, 2009 at 02:45 PM.

  4. #54
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor Support Thread

    Not easily. You could make a set of common profile elements in one file, but you would still require one profile per program. You could do it all in two files, like so:

    /etc/apparmor.d/home.bin.common:
    Code:
    network inet stream,
    network inet dgram,
    network inet6 stream,
    network inet6 dgram,
    <other common allow lines>
    The first 4 lines will allow network access. You apply this file in various profiles like below:

    /etc/apparmor.d/home.bin.all
    Code:
    #include <tunables/global>
    /home/jgoguen/bin/prog1 {
         #include <home.bin.common>
    }
    
    /home/jgoguen/bin/prog2 {
         #include <home.bin.common>
    }
    
    /usr/local/bin/prog3 {
         #include <home.bin.common>
    }
    Change the file names and paths appropriately.

  5. #55

    Re: AppArmor Support Thread

    hello
    rookcifer:
    Anyone tried to profile the latest Firefox-3.0.11? I am not having any luck as there appears to be something wrong with how AppArmor is parsing logs. If I do
    Code:
    sudo aa-genprof firefox
    and then attempt to "Scan" for changes (after I run firefox for a while), it will find some of the denial log messages but not all of them. Once I click on "Finished" and firefox goes into enforce mode, it won't open if I try to restart it. Thereafter, I ran:
    Code:
    sudo aa-logprof
    but it finds no log messages.
    i could not make profile automatically and i have not asked about that, i make them "manually" checking log files after every change of profile, reloading it, restarting program, trying different things with program.

    once i made profile for konqueror it asked for "w" permission in my home directory when i opened kde.org - default home bookmark of konqueror. i did not allow it. then after some time i tried to test it in test user, but it has not asked for that "w" permssion in home dir. any more.

    how konqueror sees home directory content while "@{HOME}/ r, " is not in the profile nor it allowed other way?

  6. #56
    Join Date
    Jul 2007
    Location
    The Internet
    Beans
    Hidden!
    Distro
    Ubuntu

    Question Re: AppArmor Support Thread

    Question: I'm working on an apparmor profile for apache2. It's currently in complain mode, and I get the following complaint (among others):

    Sep 9 00:23:19 elcamino kernel: [118235.056951] type=1504 audit(1252470199.886:18401): operation="clone" task=22233 pid=22233 profile="null-complain-profile"

    How do I set the profile to allow this "clone" operation (I assume this is when it forks..?)?

  7. #57

    Re: AppArmor Support Thread

    transmission requests for /etc/ r, and /mnt/sda1/user1/ r, /mnt/sda1/user1/ is home directory. i do not allow it. apparmor writes very many in syslog and messages. feature request, though i said that, say again: that should be able to turn off, something like /etc/ r nolog or other way, maybe in special nolog file.
    why it asks for /etc/ ? why transmission needs it? i think it do not need it and it should "shut up" after several attempts. also home directory. both these looks like that transmission wants to spy what programs i have installed.

  8. #58
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: AppArmor Support Thread

    Quote Originally Posted by q.dinar View Post
    transmission requests for /etc/ r, and /mnt/sda1/user1/ r, /mnt/sda1/user1/ is home directory. i do not allow it. apparmor writes very many in syslog and messages. feature request, though i said that, say again: that should be able to turn off, something like /etc/ r nolog or other way, maybe in special nolog file.
    why it asks for /etc/ ? why transmission needs it? i think it do not need it and it should "shut up" after several attempts. also home directory. both these looks like that transmission wants to spy what programs i have installed.
    I have noticed some quirks like this too. Sometimes when you deny something, it will still ask even though there is a clearly a "deny" line already in the profile.

    Then there is the infamous error:

    "Use of uninitialized value $profile in concatenation (.) or string at /usr/share/perl5/Immunix/SubDomain.pm line 4401."

    I get this quite often. Sometimes it happens so often I have to reboot. There was a bug filed a long time ago, but nothing has been done about it yet. This is not surprising as AppArmor does not seem to be under development anymore. I suppose TOMOYO might be the way to go in the future.

  9. #59
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    The other problem is that apparmor has actually been in development and as such it is very different between each version of Ubuntu.

    Documentation of these changes is lagging and your best option is probably reading the man pages.

    There are basically two approaches to apparmor. One is to generate a profile, run it in complain mode for some time ( a week ?) , generate logs, then assume such activity is "normal" and allow it all. Then change the profile to enforce and now you should only be logging abnormal activity.

    The other approach is to limit access as much as possible. With this second approach you will get a ton of activity in your logs.

    Personally I do a blend of the two. Allow full access to $HOME and restrict to the few files or directories such as ~/.ssh or ~/.Private.

    Same with etc. Allow applications to at least read the "normal" config files they need, many of these things are in the abstractions. Restrict access to things such as passwd, shadow, and such.

    You may also wish to restrict access to /sys and /proc and /etc/init.d/apparmor (restrict the ability of a profile to turn apparmor off).

    I also restrict access to things in /sbin such as iptables.

    It is much easier to allow all and generate a black list then deny all and allow a white list. Further you can copy-paste your black list between profiles.

    Last, in 9.10 there are more and more default profiles. I use the defaults as much as possible.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  10. #60

    Re: AppArmor Support Thread

    Quote Originally Posted by bodhi.zazen
    Personally I do a blend of the two. Allow full access to $HOME and restrict ...
    what is full access? @{HOME}/ and @{HOME}/**?
    i said about that i denied even directory listing of home and etc. (programs can directly request subdirectory listing or file in subdirectory not looking directory listings of outer directories, of course...)
    i do not know in apparmor how to allow all in area and then deny several things in it. i only know allow marks like r, w, k, l, ix, mrix, rix, rw - they all allow some paths over the all paths denied by default .

Page 6 of 19 FirstFirst ... 4567816 ... LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •