AppArmor Support Thread

[MountainX]

Well, if your time is limited, I would first ask, why fix the problem then ? Are these denials preventing you from using firefox ?

Second, each denial is likely an edit to the firefox profile. You will need to post the exact denials, uneditied, or learn how to configure apparmor yourself. In other words, I can not tell you how to fix the problem as you edited the denials and did not post the raw data.

Yes, the main problem that I'm encountering is that I cannot save my downloads to the locations I wish to use.

Under the commented section "# Default profile allows downloads to ~/Downloads and uploads from ~/Public" can I just list the directories I wish to be able to use?

For example, I see this entry:

Code:

owner @{HOME}/{Desktop,Downloads}/** rw,

Can I simply add below that one the following new line?

Code:

/shared_location/downloads/** rw,

Is "owner" necessary? Why does it use two asterisks as wildcards?

I will be happy to post all the DENIED messages that I'd like to address, but if we can solve my download locations issue, that would be a great start and I would really appreciate it!

EDIT: thanks for this great thread! And for you aa-profiles repo!!!

[bodhi.zazen]

That line

Code:

/shared_location/downloads/** rw,

should allow you to download to the location in question, yes.

[MountainX]

That line

Code:

/shared_location/downloads/** rw,

should allow you to download to the location in question, yes.

Thank you. And what about my two questions:
What does "owner" do? Is that just a parameter for @{HOME} to get the path?
Why does it use two asterisks as wildcards? What would one asterisk do?

[MountainX]

That line

Code:

/shared_location/downloads/** rw,

should allow you to download to the location in question, yes.

I changed that and restarted firefox and I still can't save to that location. Do I have to restart the OS?

Log entry:
[30144.764313] type=1400 audit(1287094667.522:60): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/lib/firefox-4.0b8pre/firefox{,*[^s][^h]}" name="/shared_location/downloads/Software/Linux/UbuntuReleases/ubuntu-10.10-dvd-amd64.iso" pid=4326 comm="firefox-4.0-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

[bodhi.zazen]

I changed that and restarted firefox and I still can't save to that location. Do I have to restart the OS?

Log entry:
[30144.764313] type=1400 audit(1287094667.522:60): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/lib/firefox-4.0b8pre/firefox{,*[^s][^h]}" name="/shared_location/downloads/Software/Linux/UbuntuReleases/ubuntu-10.10-dvd-amd64.iso" pid=4326 comm="firefox-4.0-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

After editing the firefox profile you need to restart apparmor.

Code:

sudo service apparmor restart

[MountainX]

After editing the firefox profile you need to restart apparmor.

Code:

sudo service apparmor restart

Thank you! Everything I need is working now and I learned a few things too, thanks to your kind assistance!

[bodhi.zazen]

Thank you! Everything I need is working now and I learned a few things too, thanks to your kind assistance!

You are most welcome =)

[WeAreLinux]

Hi

I have 2 quick questions about this program. Didn't think this warranted it's own thread.

I want to restrict media files I have on my external HD from being able to do anything dangerous on my system except what is necessary to run properly with it's parent program (.pdf files open with Evince, video/audio open with VLC, etc.). The reason being to protect my system if I open something dangerous without knowing. Can I achieve this with AppArmor & is using AppArmor the ideal way or is there an easier method to achieve the above?

I've read the "Introduction to AppArmor sticky, but I'm still quite confused. It doesn't help that I only been using Ubuntu about 2 months now (basic computing).

Thank You

[bodhi.zazen]

Hi

I have 2 quick questions about this program. Didn't think this warranted it's own thread.

I want to restrict media files I have on my external HD from being able to do anything dangerous on my system except what is necessary to run properly with it's parent program (.pdf files open with Evince, video/audio open with VLC, etc.). The reason being to protect my system if I open something dangerous without knowing. Can I achieve this with AppArmor & is using AppArmor the ideal way or is there an easier method to achieve the above?

I've read the "Introduction to AppArmor sticky, but I'm still quite confused. It doesn't help that I only been using Ubuntu about 2 months now (basic computing).

Thank You

Apparmor takes a few hours to learn.

The basic syntax is that a profile is written for an application.

Within the configuration file you use

/full/path/to/file_or/directory permissions,

It would be difficult or impossible to use apparmor for what you are thinking as you would need to write a profile for each and every (or most) binaries on your system.

For what you want I would think selinux.

Better, read the security sticky.

I think if you mount your removable device as noexec and nodev that would be sufficient.

[WeAreLinux]

I think if you mount your removable device as noexec and nodev that would be sufficient.

I would do that by modifying the fstab file, correct?

Would creating a non-admin user account & editing user permissions give me that same protection (deny execute permission)?