
Thread: AppArmor Support Thread

  1. #51
    Join Date
    Aug 2006
    Location
    Somewhere in the hell
    Beans
    294
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: AppArmor Support Thread

    Did I set it up correctly?

    Please comment and advise, thanks.

  2. #52
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    Quote Originally Posted by samiux View Post
    Did I set it up correctly?

    Please comment and advise, thanks.
    It is a fine start, keep going.

    As you become more familiar with the syntax I think you will find it is easy to use.

    As this happens you will likely find you rely less on aa-logprof.

    I highly suggest you back up a working profile before you edit it (outside of /etc/apparmor.d/).

    In terms of paths / directories it depends on what you are serving with apache. Apache may need access to things such as ssl, php, perl, python, cgi, home directories (~/www), svn, etc, etc, etc.

    This is one "problem" with apparmor: every user will need to derive his or her own profile, and you need to first understand what is normal behavior for apache before you can confine it.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta


  3. #53
    Join Date
    May 2008
    Beans
    18

    Re: AppArmor Support Thread

    There is no way to make a profile for all programs in a certain directory, is there?

    E.g. I would like to block internet traffic for all programs, except for those which have a profile that allows it?

    Or limit the read/write rights for all programs which I run from directory ~/downloaded-files?


    /jeli
    Last edited by Jens_Li; July 11th, 2009 at 02:45 PM.

  4. #54
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!

    Re: AppArmor Support Thread

    Not easily. You could make a set of common profile elements in one file, but you would still require one profile per program. You could do it all in two files, like so:

    /etc/apparmor.d/home.bin.common:
    Code:
    network inet stream,
    network inet dgram,
    network inet6 stream,
    network inet6 dgram,
    <other common allow lines>
    The first 4 lines will allow network access. You apply this file in various profiles like below:

    /etc/apparmor.d/home.bin.all
    Code:
    #include <tunables/global>
    /home/jgoguen/bin/prog1 {
         #include <home.bin.common>
    }
    
    /home/jgoguen/bin/prog2 {
         #include <home.bin.common>
    }
    
    /usr/local/bin/prog3 {
         #include <home.bin.common>
    }
    Change the file names and paths appropriately.
    Joel Goguen

  5. #55

    Re: AppArmor Support Thread

    hello
    rookcifer:
    Anyone tried to profile the latest Firefox-3.0.11? I am not having any luck as there appears to be something wrong with how AppArmor is parsing logs. If I do
    Code:
    sudo aa-genprof firefox
    and then attempt to "Scan" for changes (after I run firefox for a while), it will find some of the denial log messages but not all of them. Once I click on "Finished" and firefox goes into enforce mode, it won't open if I try to restart it. Thereafter, I ran:
    Code:
    sudo aa-logprof
    but it finds no log messages.
    I could not make a profile automatically and I have not asked about that; I make them "manually", checking log files after every change of the profile, reloading it, restarting the program, trying different things with the program.

    Once I made a profile for Konqueror, it asked for "w" permission in my home directory when I opened kde.org, the default home bookmark of Konqueror. I did not allow it. Then after some time I tried to test it as a test user, but it has not asked for that "w" permission in the home dir any more.

    How does Konqueror see the home directory content while "@{HOME}/ r," is not in the profile, nor is it allowed another way?

  6. #56
    Join Date
    Jul 2007
    Location
    The Internet
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: AppArmor Support Thread

    Question: I'm working on an apparmor profile for apache2. It's currently in complain mode, and I get the following complaint (among others):

    Sep 9 00:23:19 elcamino kernel: [118235.056951] type=1504 audit(1252470199.886:18401): operation="clone" task=22233 pid=22233 profile="null-complain-profile"

    How do I set the profile to allow this "clone" operation (I assume this is when it forks..?)?

  7. #57

    Re: AppArmor Support Thread

    Transmission requests /etc/ r, and /mnt/sda1/user1/ r, (/mnt/sda1/user1/ is the home directory). I do not allow it. AppArmor writes very many entries in syslog and messages. Feature request, though I said it already, I say it again: it should be possible to turn that off, something like /etc/ r nolog or another way, maybe in a special nolog file.
    Why does it ask for /etc/? Why does Transmission need it? I think it does not need it and it should "shut up" after several attempts. Also the home directory. Both of these look like Transmission wants to spy on what programs I have installed.

  8. #58
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: AppArmor Support Thread

    Quote Originally Posted by q.dinar View Post
    Transmission requests /etc/ r, and /mnt/sda1/user1/ r, (/mnt/sda1/user1/ is the home directory). I do not allow it. AppArmor writes very many entries in syslog and messages. Feature request, though I said it already, I say it again: it should be possible to turn that off, something like /etc/ r nolog or another way, maybe in a special nolog file.
    Why does it ask for /etc/? Why does Transmission need it? I think it does not need it and it should "shut up" after several attempts. Also the home directory. Both of these look like Transmission wants to spy on what programs I have installed.
    I have noticed some quirks like this too. Sometimes when you deny something, it will still ask even though there is clearly a "deny" line already in the profile.

    Then there is the infamous error:

    "Use of uninitialized value $profile in concatenation (.) or string at /usr/share/perl5/Immunix/SubDomain.pm line 4401."

    I get this quite often. Sometimes it happens so often I have to reboot. There was a bug filed a long time ago, but nothing has been done about it yet. This is not surprising as AppArmor does not seem to be under development anymore. I suppose TOMOYO might be the way to go in the future.

  9. #59
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    The other problem is that apparmor has actually been in development and as such it is very different between each version of Ubuntu.

    Documentation of these changes is lagging and your best option is probably reading the man pages.

    There are basically two approaches to apparmor. One is to generate a profile, run it in complain mode for some time (a week?), generate logs, then assume such activity is "normal" and allow it all. Then change the profile to enforce and now you should only be logging abnormal activity.

    The other approach is to limit access as much as possible. With this second approach you will get a ton of activity in your logs.

    Personally I do a blend of the two. Allow full access to $HOME and restrict access to the few files or directories such as ~/.ssh or ~/.Private.

    Same with /etc. Allow applications to at least read the "normal" config files they need; many of these things are in the abstractions. Restrict access to things such as passwd, shadow, and such.

    You may also wish to restrict access to /sys and /proc and /etc/init.d/apparmor (restrict the ability of a profile to turn apparmor off).

    I also restrict access to things in /sbin such as iptables.

    It is much easier to allow all and generate a black list than to deny all and allow a white list. Further, you can copy-paste your black list between profiles.

    Last, in 9.10 there are more and more default profiles. I use the defaults as much as possible.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta


  10. #60

    Re: AppArmor Support Thread

    Quote Originally Posted by bodhi.zazen
    Personally I do a blend of the two. Allow full access to $HOME and restrict ...
    What is full access? @{HOME}/ and @{HOME}/**?
    I said that I denied even directory listing of home and etc. (Programs can directly request a subdirectory listing or a file in a subdirectory without looking at the directory listings of outer directories, of course...)
    I do not know how in AppArmor to allow all in an area and then deny several things in it. I only know allow marks like r, w, k, l, ix, mrix, rix, rw; they all allow some paths over all the paths denied by default.
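As an added example (not code from any post in this thread), here is a small Python script that parses AppArmor kernel audit lines like the one quoted in post #56 and sorts the file-open events into the "allow $HOME, deny the sensitive spots" blend bodhi.zazen describes in post #59, which also answers the question in post #60: in AppArmor a deny rule always wins over a matching allow rule, so you allow the area broadly and list the exceptions as deny rules. Everything but the clone line is constructed sample data (the user1 home, the apache2 profile path), and the script assumes an AppArmor version that understands the deny and owner keywords.

```python
import re
from typing import Dict, List, Tuple

# The clone line quoted in post #56, plus three constructed lines in the newer
# apparmor="..." audit style (sample data made up for this example).
SAMPLE_LOG = """\
Sep 9 00:23:19 elcamino kernel: [118235.056951] type=1504 audit(1252470199.886:18401): operation="clone" task=22233 pid=22233 profile="null-complain-profile"
Sep 9 00:23:20 elcamino kernel: [118235.1] type=1400 audit(1252470200.0:18402): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/home/user1/www/index.html" pid=22233 comm="apache2" requested_mask="r" denied_mask="r"
Sep 9 00:23:21 elcamino kernel: [118235.2] type=1400 audit(1252470201.0:18403): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/home/user1/.ssh/id_rsa" pid=22233 comm="apache2" requested_mask="r" denied_mask="r"
Sep 9 00:23:22 elcamino kernel: [118235.3] type=1400 audit(1252470202.0:18404): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/etc/shadow" pid=22233 comm="apache2" requested_mask="r" denied_mask="r"
"""

# key="quoted value" or key=bare_value, as the kernel audit lines use
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one kernel audit line into its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


# The spots post #59 keeps restricted even under an "allow $HOME" policy.
HOME_RESTRICTED = (".ssh", ".Private")
ETC_RESTRICTED = ("/etc/passwd", "/etc/shadow")


def rule_for(name: str, mask: str, home: str) -> Tuple[str, str]:
    """Map one accessed path onto a profile line under the blend policy:
    one broad owner rule for $HOME, explicit deny rules for the sensitive
    paths (deny beats allow, which is how you allow an area and then deny
    things inside it), and a per-path allow for everything else."""
    if name.startswith(home + "/"):
        top = name[len(home) + 1:].split("/", 1)[0]
        if top in HOME_RESTRICTED:
            return "deny", f"deny @{{HOME}}/{top}/** rwklx,"
        return "allow", "owner @{HOME}/** rw,"
    if name in ETC_RESTRICTED:
        return "deny", f"deny {name} rwklx,"
    return "allow", f"{name} {mask},"


def suggest_rules(log: str, home: str = "/home/user1") -> Dict[str, List[str]]:
    """Turn the file-open events in the log into candidate profile lines.
    Events without a path (such as the clone event) carry nothing to decide on."""
    out = {"allow": set(), "deny": set()}
    for line in log.splitlines():
        f = parse_audit_line(line)
        if f.get("operation") == "open" and "name" in f:
            kind, rule = rule_for(f["name"], f.get("requested_mask", "r"), home)
            out[kind].add(rule)
    return {k: sorted(v) for k, v in out.items()}
```

Paste the "deny" lines above the broad owner rule in the profile and reload it with apparmor_parser; the denied paths then stop showing up as allowed even though @{HOME}/** covers them.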
