Page 11 of 19 (results 101 to 110 of 185)

Thread: AppArmor Support Thread

  1. #101
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!

    Re: AppArmor Support Thread

    Quote Originally Posted by rileinc View Post
    What's the difference between these?
    Code:
    deny /abc r,
    deny owner /abc r,
    I looked around and found this but I don't understand what it means.

    Does it mean the owner is exempt from the rule?
    Basically the opposite actually. The "owner" keyword means the rule only applies to the file (or directory/socket/device) owner. If you have /abc owned by user1, then the rule denies read access to only user1. Other users may be denied access via other means (like UNIX permissions or ACLs) but the AppArmor rule is what blocks user1.

    Why one would want to use "deny owner" I'm not too sure, but I'm sure if I put some thought into it I'd end up rewriting half my profiles to use it.
    Joel Goguen

  2. #102
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    The only reason I can think of to deny the owner would be if you wished to deny access to a specific file or directory or resource, but allow other users access (within the profile).

    This would be rare and I cannot think of a specific example at this time.

    I would think the vast majority of the time it would be the case when you would simply wish to deny access to everyone.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface
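As an added illustration of the point made in the two posts above (this is example code written for this page, not anything from the thread or from the AppArmor project), here is a small Python model of how AppArmor combines allow, deny and owner file rules: an access is permitted only if some allow rule covers it and no deny rule matches, and a rule carrying `owner` is consulted only when the requesting task's fsuid equals the file's owner uid. The glob translation covers only `*`, `**`, `?` and `{a,b}`; the profile text, uids and paths used in the demo are constructed for it.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    path: str          # AppArmor path glob, e.g. "/home/*/shared/**"
    perms: str         # permission letters, e.g. "r" or "rw"
    deny: bool = False
    owner: bool = False


def glob_to_regex(glob):
    """Translate the AppArmor globbing subset used here into an anchored regex.

    '**' matches any characters including '/', '*' any characters except '/',
    '?' one character except '/', and '{a,b}' is alternation. Everything else
    is literal. The directory/file distinction (trailing '/') is not modelled.
    """
    out = []
    i = 0
    while i < len(glob):
        if glob.startswith('**', i):
            out.append('.*')
            i += 2
            continue
        c = glob[i]
        if c == '*':
            out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '{':
            j = glob.index('}', i)
            alts = glob[i + 1:j].split(',')
            out.append('(?:' + '|'.join(re.escape(a) for a in alts) + ')')
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile('^' + ''.join(out) + '$')


def parse_rule(line):
    """Parse one file rule such as 'deny owner /abc r,' into a Rule."""
    toks = line.strip().rstrip(',').split()
    deny = owner = False
    while toks and toks[0] in ('deny', 'owner'):
        if toks.pop(0) == 'deny':
            deny = True
        else:
            owner = True
    path, perms = toks
    return Rule(path, perms, deny, owner)


def check(rules, path, perm, fsuid, ouid):
    """Is `perm` on `path` permitted to a task with `fsuid` when the file is owned by `ouid`?

    Default is deny. Allow rules accumulate; a matching deny rule wins over any allow.
    A rule carrying `owner` is only consulted when fsuid == ouid.
    """
    allowed = False
    for r in rules:
        if r.owner and fsuid != ouid:
            continue
        if perm not in r.perms or not glob_to_regex(r.path).match(path):
            continue
        if r.deny:
            return False
        allowed = True
    return allowed


# Constructed profile fragment for the demo: the rare "allow others, refuse the owner" case.
PROFILE = """
/abc r,
deny owner /abc r,
/home/*/shared/** rw,
"""
RULES = [parse_rule(l) for l in PROFILE.strip().splitlines()]


def demo():
    """Evaluate a few accesses; uids 1000/1001 and the paths are made up for the example."""
    return {
        "owner_reads_abc": check(RULES, "/abc", "r", fsuid=1000, ouid=1000),
        "other_reads_abc": check(RULES, "/abc", "r", fsuid=1001, ouid=1000),
        "unlisted_path": check(RULES, "/etc/shadow", "r", fsuid=1000, ouid=0),
        "shared_subdir": check(RULES, "/home/dinar/shared/a/b", "w", fsuid=1000, ouid=1000),
        "shared_via_star": check(RULES, "/home/dinar/x/shared/a", "w", fsuid=1000, ouid=1000),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ALLOWED' if ok else 'DENIED'}")
```

With `/abc r,` alone everyone confined by the profile can read the file; adding `deny owner /abc r,` gives the situation #102 describes, where the file's owner is refused while other users keep access. Without the allow rule the deny line changes nothing about access, because the profile already denies by default; what it does change is logging, since deny rules are quiet unless written as `audit deny`.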

  3. #103

    Re: AppArmor Support Thread

    Hello.
    It seems there is one disadvantage of syslog: it seems that it does not log all messages but writes "n messages suppressed". Does it? Does auditd log all?

    Added after a minute: is it possible to configure syslog [temporarily] to not write "suppressed" but to log all?

  4. #104

    Re: AppArmor Support Thread

    Installation of the driver for a Samsung ML-1640 printer:
    Code:
    # min qdb yazam
    #include <tunables/global>
    
    /home/dinar/cdroot/autorun {
      #include <abstractions/base>
    /home/dinar/cdroot/autorun r,
    /usr/bin/dirname ix,
    /bin/dash ix,
    /home/dinar/cdroot/** r,
    /usr/bin/basename ix,
    /bin/sed ix,
    /bin/grep ix,
    /usr/bin/tr ix,
    /bin/cat ix,
    /proc/filesystems r,
    /etc/issue r,
    /bin/uname ix,
    /bin/ls ix,
    /usr/bin/mawk ix,
    /etc/nsswitch.conf r,
    /etc/passwd r,
    /etc/group r,
    /proc/bus/usb/ r,
    /proc/bus/usb/** r,
    /bin/mount ix,
    /home/dinar/cdroot/Linux/i386/qt4apps/install/guiinstall ix,
    /home/dinar/cdroot/Linux/i386/install/guiinstall ix,
    /usr/lib/ r,
    /bin/zcat ixr,
    /bin/tar ix,
    /sbin/ldconfig ixr,
    /etc/fstab r,
    /etc/mtab r,
    /proc/*/mounts r,
    /dev/tty rw,
    /dev/pts/* rw,
    /bin/gzip ix,
    /sbin/ldconfig.real ix,
    /home/dinar/cdroot/Linux/i386/lib/*.so* mr,
    /usr/bin/id ix,
    /bin/sleep ix,
    /etc/ld.so.cache~ wr,
    /usr/lib/libtiff.so.3 w,
    /usr/lib/libtiff.so.3.6.1 w,
    /etc/ld.so.conf r,
    /var/cache/ldconfig/aux-cache r,
    /lib/ r,
    /usr/lib/libstdc++.so.5 w,
    /usr/lib/libstdc++.so.5.0.5 w,
    /etc/ld.so.conf.d/ r,
    /etc/ld.so.cache w,
    /etc/ld.so.conf.d/** r,
    /var/cache/ldconfig/aux-cache~ wr,
    capability dac_override,
    capability dac_read_search,
    /root/.qt/ wr,
    /root/.qt/* wr,
    /usr/share/X11/XKeysymDB r,
    /usr/bin/gs ix,
    /etc/fonts/ r,
    /etc/fonts/** r,
    /var/cache/fontconfig/** r,
    /usr/share/fonts/ r,
    /usr/share/fonts/** r,
    /tmp/libgksu-*/.Xauthority r,
    /root/.config/Trolltech.conf wrk,
    /var/lib/dbus/machine-id r,
    /usr/bin/dbus-launch ix,
    /var/lib/defoma/fontconfig.d/** r,
    /tmp/orbit-root/linc-*-*-* wrk,
    /usr/share/themes/** r,
    /usr/lib/pango/1.6.0/modules/*.so mr,
    /usr/share/icons/ r,
    /usr/share/icons/** r,
    /usr/lib/gtk-2.0/2.10.0/immodules/*.so m,
    /usr/share/gvfs/remote-volume-monitors/ r,
    /usr/share/gvfs/remote-volume-monitors/** r,
    /usr/lib/ghostscript/8.70/X11.so m,
    /home/dinar/cdroot/Linux/i386/qt4apps/install/*.so* m,
    /usr/local/share/icons/ r,
    /usr/local/share/icons/** r,
    /usr/share/pixmaps/ r,
    /usr/share/pixmaps/** r,
    /root/.local/share/mime/* r,
    /tmp/smfp_users_to_add wr,
    /home/dinar/cdroot/Linux/install.sh ix,
    /home/dinar/cdroot/Linux/i386/qt4apps/at_opt/bin/shhv ix,
    /home/dinar/cdroot/Linux/i386/** ix,
    /bin/mkdir ix,
    /usr/share/mime/* r,
    /usr/lib/gtk-2.0/2.10.0/loaders/*.so m,
    /tmp/mfp_Samsung_install/ wr,
    /tmp/mfp_Samsung_install/** wr,
    /bin/touch ix,
    /opt/Samsung/ wr,
    /opt/Samsung/** wr,
    /usr/bin/find ix,
    /bin/ln ix,
    /bin/chown ix,
    /bin/chmod ix,
    /etc/sane.d/dll.conf rw,
    /usr/bin/head ix,
    /usr/sbin/lpadmin ix,
    /usr/bin/lpoptions ix,
    /usr/bin/expr ix,
    #/root/Desktop/SamsungConfigurator.desktop wr,
    /bin/cp ix,
    /sbin/udevadm ix,
    /lib/init/upstart-job ix,
    /bin/rm ix,
    /usr/share/ppd/samsung wr,
    /usr/share/ppd/samsung/** wr,
    /etc/init.d/cups ixr,
    /etc/services r,
    /etc/udev/udev.conf r,
    /sys/bus/ r,
    /sys/bus/** r,
    /sys/class/ r,
    /sys/class/** r,
    /etc/timezone r,
    /sbin/usplash_write ix,
    /bin/readlink ix,
    /sbin/start-stop-daemon ix,
    /var/run/cups/cupsd.pid r,
    /proc/*/stat r,
    /usr/sbin/cupsd ix,
    /etc/cups/* r,
    /etc/lsb-base-logging.sh r,
    /usr/lib/cups/backend/mfp ix,
    /etc/papersize r,
    /usr/share/cups/** r,
    /etc/cups/** r,
    /etc/cups/ r,
    /var/spool/cups/ r,
    /sys/devices/ r,
    /etc/resolv.conf r,
    /etc/host.conf r,
    /etc/hosts r,
    
    /tmp/* wr,
    /var/run/cups/** rw,
    /var/spool/cups/** rw,
    /var/cache/cups/** rw,
    /var/log/cups/** rw,
    capability fsetid,
    #network inet stream,
    #network inet6 stream,
    /etc/cups/lpoptions wr,
    /etc/cups/smfp.convs wr,
    /etc/cups/smfp.types rw,
    /dev/.initramfs/usplash_fifo wr,
    capability chown,
    capability sys_ptrace,
    /sys/devices/LNXSYSTM:00/** w,
    /sys/devices/pci0000:00/** w,
    /sys/devices/platform/** w,
    /sys/devices/** wr,
    /etc/cups/ppd/*.ppd wr,
    
    
    #/root/.gnome-desktop/ wr,
    #/root/.gnome-desktop/** wr,
    #/usr/sbin/Desktop/ wr,
    #/usr/sbin/.gnome-desktop/ rw,
    #/usr/sbin/Desktop/SamsungConfigurator.desktop wr,
    #/usr/sbin/.gnome-desktop/SamsungConfigurator.desktop rw,
    #/bin/Desktop/ wr,
    #/bin/.gnome-desktop/ wr,
    #/bin/Desktop/SamsungConfigurator.desktop wr,
    #/bin/.gnome-desktop/SamsungConfigurator.desktop wr,
    #/dev/Desktop/ wr,
    #/dev/.gnome-desktop/ wr,
    #/usr/games/Desktop/ wr,
    #/usr/games/.gnome-desktop/ wr,
    #/dev/Desktop/SamsungConfigurator.desktop wr,
    #/dev/.gnome-desktop/SamsungConfigurator.desktop wr,
    #/usr/games/Desktop/SamsungConfigurator.desktop wr,
    #/usr/games/.gnome-desktop/SamsungConfigurator.desktop wr,
    #/var/{mail,www,backups}/{Desktop,.gnome-desktop}/ wr,
    #/var/{mail,www,backups}/{Desktop,.gnome-desktop}/SamsungConfigurator.desktop wr,
    #/Desktop/ wr,
    #/.gnome-desktop/ wr,
    #/Desktop/SamsungConfigurator.desktop wr,
    #/.gnome-desktop/SamsungConfigurator.desktop wr,
    /home/{MYSISTER,dinar}/Desktop/ wr,
    /home/{MYSISTER,dinar}/.gnome-desktop/ wr,
    /home/{MYSISTER,dinar}/Desktop/SamsungConfigurator.desktop wr,
    /home/{MYSISTER,dinar}/.gnome-desktop/SamsungConfigurator.desktop wr,
    #/var/cache/bind/Desktop/ w,
    #/var/cache/bind/.gnome-desktop/ w,
    #/var/cache/bind/Desktop/SamsungConfigurator.desktop w,
    #/var/cache/bind/.gnome-desktop/SamsungConfigurator.desktop w,
    
    /opt/smfp-common/ wr,
    /opt/smfp-common/** wr,
    /usr/lib/libmfp.so.1.0.1 w,
    /usr/lib/cups/filter/rastertosamsungspl w,
    /usr/lib/cups/filter/rastertosamsungsplc w,
    /usr/lib/cups/filter/pscm w,
    /usr/lib/cups/filter/libscmssf.so w,
    /usr/lib/cups/filter/rastertosamsungpcl w,
    /usr/lib/cups/filter/pscms w,
    /usr/lib/cups/filter/libscmssc.so w,
    /usr/lib/cups/filter/smfpautoconf w,
    /usr/lib/cups/filter/rastertosamsunginkjet w,
    /usr/lib/cups/backend/mfp w,
    /usr/sbin/smfpd w,
    /usr/lib/libmfp.so* w,
    /usr/lib/sane/libsane-smfp.so* w,
    /etc/modprobe.conf w,
    /etc/mfpcommon.modules.conf w,
    /usr/bin/lpr wr,
    /var/tmp/ipp_*.log wr,
    /etc/cups/printers.conf* wr,
    /etc/cups/classes.conf* wr,
    /usr/bin/lpr.orig wr,
    /var/tmp/PrinterOptions.log wr,
    "/root/.config/Unknown Organization.conf" wrk,
    
    
    
    /usr/ r,
    /bin/rmdir ix,
    /etc/udev/rules.d/*_smfpautoconf_samsung.rules wr,
    /usr/lib/libcups.so w,
    /usr/bin/file ix,
    /usr/share/cups/model/ wr,
    /usr/share/cups/model/** wr,
    /opt/Samsung/mfp/bin/printeradd ix,
    /etc/magic r,
    /usr/share/file/* r,
    /etc/default/cups r,
    /bin/mv ix,
    /bin/which ixr,
    /etc/modprobe.conf r,
    /opt/Samsung/** m,
    /usr/lib/cups/** ix,
    /usr/bin/dpkg ix,
    capability setgid,
    capability setuid,
    /etc/dpkg/** r,
    /usr/bin/dpkg-query ix,
    /var/lib/dpkg/** r,
    /usr/local/share/ppd/ r,
    /usr/share/ppd/ r,
    /usr/local/share/ppd/** r,
    /usr/share/ppd/** r,
    /usr/lib/gutenprint/** m,
    /usr/share/gutenprint/** r,
    /proc/sys/dev/parport/parport0/autoprobe r,
    /opt/Samsung/mfp/bin/printertest ix,
    /dev/usb/lp* rw,
    /opt/Samsung/mfp/bin/* ix,
    /usr/bin/lpr.orig ix,
    /bin/mktemp ix,
    /proc/sys/kernel/osrelease r,
    /usr/bin/pdftops ix,
    /var/tmp/jobN*.tmp wr,
    /usr/share/ghostscript/** r,
    /bin/egrep ix,
    /usr/bin/ps2pdf13 ixr,
    /usr/bin/perl ix,
    /var/lib/defoma/gs.d/dirs/fonts/ r,
    /var/lib/defoma/gs.d/dirs/fonts/** r,
    /var/tmp/backend.out wrk,
    /usr/bin/ps2pdfwr rix,
    /usr/bin/bc ix,
    
    
    }
    Not fully in time order, as I usually write/make AppArmor profiles.
    Last edited by q.dinar; February 9th, 2010 at 11:43 AM.

  5. #105
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!

    Re: AppArmor Support Thread

    Quote Originally Posted by q.dinar View Post
    Hello.
    It seems there is one disadvantage of syslog: it seems that it does not log all messages but writes "n messages suppressed". Does it? Does auditd log all?

    Added after a minute: is it possible to configure syslog [temporarily] to not write "suppressed" but to log all?
    That's no bug, that's a feature.

    When you see that "messages suppressed" message, what it means is that the message immediately before it was repeated, with no changes at all, n times. So if you see a message that says "denied incoming connection from 192.168.2.1" and then immediately after you see "28 messages suppressed", that means the first "denied connection" message actually happened 29 times in a row. Trust me, it's a feature, it helps keep the size of your log file down without actually taking away much important info. I think all you lose is how quickly those events happened and the actual times of each event. I don't know off the top of my head if you can disable that, or if auditd does it or not.
    Joel Goguen

  6. #106

    Re: AppArmor Support Thread

    Thank you, I thought that it suppresses even if messages are not exactly the same. I have not said "bug".

  7. #107
    Join Date
    Feb 2010
    Location
    Chicago metro
    Beans
    1,310
    Distro
    Ubuntu Development Release

    Re: AppArmor Support Thread

    I added the following lines to the default apparmor profile for firefox to enable support for java :

    /etc/passwd mr,
    /etc/timezone r,
    /etc/lsb-release r,
    # java
    /opt/java/64/** mr,
    /opt/java/64/jre1.6.0_*/bin/java ixr,
    /tmp/** mwr,
    /etc/.java/** rwk,
    /etc/.java/ rw,

    It would probably work without the access to passwd, timezone and lsb-release but it was asking so I let it.

    Is there any reason why I should deny any of the above access?
    If this helped you, please take the time to rate the value of this post:
    http://rate.affero.net/andrewthomas/

  8. #108
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    I would not allow access to /etc/passwd unless denying access breaks something.

    Neutral on /etc/lsb-release. On these more minor files, it's a balance between a quiet log file and access.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  9. #109
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!

    Re: AppArmor Support Thread

    Quote Originally Posted by andrewthomas View Post
    I added the following lines to the default apparmor profile for firefox to enable support for java :

    /etc/passwd mr,
    /etc/timezone r,
    /etc/lsb-release r,
    # java
    /opt/java/64/** mr,
    /opt/java/64/jre1.6.0_*/bin/java ixr,
    /tmp/** mwr,
    /etc/.java/** rwk,
    /etc/.java/ rw,

    It would probably work without the access to passwd, timezone and lsb-release but it was asking so I let it.

    Is there any reason why I should deny any of the above access?
    Those are all fine. /etc/passwd is commonly read to convert numeric UIDs into actual user names (or the other way around) and for other info like what shell the user wants, or their full name or things like that. /etc/timezone is timezone information, what your offset from GMT is, are you in daylight savings time, etc. /etc/lsb-release is a distro-agnostic way of determining the operating system, release version and codename. Here's what my /etc/lsb-release contains for Ubuntu 9.10 (Karmic):
    Code:
    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=9.10
    DISTRIB_CODENAME=karmic
    DISTRIB_DESCRIPTION="Ubuntu 9.10"
    So in short, I would allow those accesses myself. (EDIT: Obviously opinions differ, but that's OK. Just don't go allowing Java to read /etc/shadow.)

    The only thing I would add is that the paths under /opt won't work for people who installed Java from the Ubuntu repositories. The Java installs from the repos go under a subdirectory of /usr/lib/jvm/ (like my Java install at /usr/lib/jvm/java-6-openjdk/). All this means is that people using your profile additions with Java from the repositories will need to use different paths than what you have, but it's good for you to keep those lines since that's where your Java is installed.
    Joel Goguen

  10. #110
    Join Date
    Feb 2010
    Location
    Chicago metro
    Beans
    1,310
    Distro
    Ubuntu Development Release

    Re: AppArmor Support Thread

    Quote Originally Posted by bodhi.zazen View Post
    I would not allow access to /etc/passwd unless denying access breaks something.

    Neutral on /etc/lsb-release. On these more minor files, it's a balance between a quiet log file and access.
    Thanks. I removed the access to /etc/passwd and it works fine. I can deal with two extra log lines.
    If this helped you, please take the time to rate the value of this post:
    http://rate.affero.net/andrewthomas/
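The two workflows discussed on this page, collapsing repeated denials (#103/#105) and turning what the log "was asking" for into profile lines (#107/#110), as an added example written for this page rather than code from the thread or from the AppArmor tools: the script parses the key=value fields of AppArmor denial lines, merges identical ones and counts them, suggests an `owner` rule where the denied task owned the file (fsuid == ouid, the conditional from #101), and reports how many events the logger said it suppressed, since those never reached the log. The sample log with its paths, uids, pids and timestamps is constructed; the choice of `ix` for exec denials and the mapping of create/append/delete masks onto `w` are my assumptions, not something the thread specifies.

```python
import re

# Constructed sample: syslog lines of the kind a Firefox profile in enforce mode
# might produce while Java is first used. Paths, pids, uids and timestamps are made up.
# Line 3 stands in for the logger's "suppressed" marker asked about in #103;
# line 4 uses the older type=1503 form with "::r" masks, the rest the newer apparmor="DENIED" form.
SAMPLE_LOG = """\
Feb  9 11:43:01 host kernel: [ 1234.567890] type=1400 audit(1265715781.123:45): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-3.6/firefox.sh" name="/etc/passwd" pid=2345 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb  9 11:43:01 host kernel: [ 1234.567891] type=1400 audit(1265715781.124:46): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-3.6/firefox.sh" name="/etc/passwd" pid=2345 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb  9 11:43:02 host kernel: [ 1234.600000] firefox.sh: 27 callbacks suppressed
Feb  9 11:43:03 host kernel: [ 1235.000000] type=1503 audit(1265715783.000:74): operation="open" pid=2345 parent=1 profile="/usr/lib/firefox-3.6/firefox.sh" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/etc/timezone"
Feb  9 11:43:04 host kernel: [ 1236.000000] type=1400 audit(1265715784.000:75): apparmor="DENIED" operation="exec" parent=2345 profile="/usr/lib/firefox-3.6/firefox.sh" name="/opt/java/64/jre1.6.0_18/bin/java" pid=2400 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Feb  9 11:43:05 host kernel: [ 1237.000000] type=1400 audit(1265715785.000:76): apparmor="DENIED" operation="open" parent=2345 profile="/usr/lib/firefox-3.6/firefox.sh" name="/home/andrew/.java/deployment/cache/6.0/foo.idx" pid=2400 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Feb  9 11:43:05 host kernel: [ 1237.000001] type=1400 audit(1265715785.001:77): apparmor="DENIED" operation="open" parent=2345 profile="/usr/lib/firefox-3.6/firefox.sh" name="/home/andrew/.java/deployment/cache/6.0/foo.idx" pid=2400 comm="java" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SUPPRESSED_RE = re.compile(r'(\d+) (?:messages|callbacks) suppressed')
PERM_ORDER = 'rwmklx'
MASK_TRANSLATE = {'c': 'w', 'a': 'w', 'd': 'w'}   # assumption: create/append/delete are covered by 'w'


def is_denial(line):
    """Accept both the newer apparmor="DENIED" tag and the older type=1503 (AUDIT_APPARMOR_DENIED)."""
    return 'apparmor="DENIED"' in line or 'type=1503' in line


def parse_fields(line):
    """key=value pairs of one audit line, with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def format_rule(path, perms, owner, exec_mode='ix'):
    """Render a file rule. exec_mode is a choice; ix runs the target under this same profile."""
    mode = ''.join(p for p in PERM_ORDER if p in perms)
    mode = mode.replace('x', exec_mode)
    if ' ' in path:                     # the profile in #104 quotes such paths the same way
        path = '"%s"' % path
    return ('owner ' if owner else '') + path + ' ' + mode + ','


def suggest_rules(log_text, exec_mode='ix'):
    """Collapse identical denials and turn each distinct (profile, path, owner) into one rule.

    Returns (rules, counts, lost): rules maps profile -> list of rule strings,
    counts maps rule -> how many log lines produced it, and lost is the number of
    events the logger said it suppressed, which no parser can recover.
    """
    events = {}   # (profile, name, owner) -> [perm set, line count]
    lost = 0
    for line in log_text.splitlines():
        m = SUPPRESSED_RE.search(line)
        if m:
            lost += int(m.group(1))
            continue
        if not is_denial(line):
            continue
        f = parse_fields(line)
        if 'name' not in f or 'profile' not in f:
            continue               # not a file rule (e.g. capability or network denial)
        mask = (f.get('denied_mask') or f.get('requested_mask', '')).replace('::', '')
        perms = {MASK_TRANSLATE.get(p, p) for p in mask}
        # fsuid == ouid means the task owns the file: the narrower 'owner' rule is enough
        owner = 'fsuid' in f and f['fsuid'] == f.get('ouid')
        entry = events.setdefault((f['profile'], f['name'], owner), [set(), 0])
        entry[0].update(perms)
        entry[1] += 1
    rules, counts = {}, {}
    for (profile, name, owner), (perms, n) in events.items():
        rule = format_rule(name, perms, owner, exec_mode)
        rules.setdefault(profile, []).append(rule)
        counts[rule] = n
    return rules, counts, lost


if __name__ == '__main__':
    rules, counts, lost = suggest_rules(SAMPLE_LOG)
    for profile, rs in rules.items():
        print('# ' + profile)
        for r in rs:
            print('  %-60s # %d denial(s)' % (r, counts[r]))
    if lost:
        print('# %d events were suppressed by the logger; rerun to catch them' % lost)
```

Review the printed rules before pasting them into the profile (`aa-logprof` from apparmor-utils does the same job interactively and will also offer glob generalisations). The suppressed count is the practical answer to #103: once the logger reports suppression, the accesses it dropped can only be seen by reproducing the activity with less noise, for instance after the rules already found have been added.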
