Did I set it up correctly?
Please comment and advise, thanks.
It is a fine start, keep going
As you become more familiar with the syntax I think you will find it is easy to use.
As this happens you will likely find you rely less on aa-logprof.
I highly suggest you back up a working profile before you edit it (outside of /etc/apparmor.d/).
In terms of paths / directories it depends on what you are serving with apache. Apache may need access to things such as ssl, php, perl, python, cgi, home directories (~/www), svn, etc, etc, etc.
This is one "problem" with apparmor: every user will need to derive his or her own profile, and you need to first understand what is normal behavior for apache before you can confine it.
There are two mistakes one can make along the road to truth...not going all the way, and not starting.
--Prince Gautama Siddharta
#ubuntuforums web interface
There is no way to make a profile for all programs in a certain directory, is there?
E.g. I would like to block internet traffic for all programs, except for those which have a profile that allows it?
Or limit the read/write rights for all programs which I run from directory ~/downloaded-files?
/jeli
Last edited by Jens_Li; July 11th, 2009 at 02:45 PM.
Not easily. You could make a set of common profile elements in one file, but you would still require one profile per program. You could do it all in two files, like so:
/etc/apparmor.d/home.bin.common:
Code:
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
<other common allow lines>
The first 4 lines will allow network access. You apply this file in various profiles like below:
/etc/apparmor.d/home.bin.all:
Code:
#include <tunables/global>

/home/jgoguen/bin/prog1 {
  #include <home.bin.common>
}

/home/jgoguen/bin/prog2 {
  #include <home.bin.common>
}

/usr/local/bin/prog3 {
  #include <home.bin.common>
}
Change the file names and paths appropriately.
Joel Goguen
Anyone tried to profile the latest Firefox-3.0.11? I am not having any luck as there appears to be something wrong with how AppArmor is parsing logs. If I do
Code:
sudo aa-genprof firefox
and then attempt to "Scan" for changes (after I run firefox for a while), it will find some of the denial log messages but not all of them. Once I click on "Finished" and firefox goes into enforce mode, it won't open if I try to restart it. Thereafter, I ran:
Code:
sudo aa-logprof
but it finds no log messages.
hello
rookcifer:
I could not make a profile automatically, and I have not asked about that; I make them "manually", checking log files after every change of the profile, reloading it, restarting the program and trying different things with the program.
Once I made a profile for konqueror it asked for "w" permission in my home directory when I opened kde.org, the default home bookmark of konqueror. I did not allow it. Then after some time I tried to test it as a test user, but it has not asked for that "w" permission in the home directory any more.
How does konqueror see the home directory content while "@{HOME}/ r," is not in the profile, nor allowed any other way?
Question: I'm working on an apparmor profile for apache2. It's currently in complain mode, and I get the following complaint (among others):
Sep 9 00:23:19 elcamino kernel: [118235.056951] type=1504 audit(1252470199.886:18401): operation="clone" task=22233 pid=22233 profile="null-complain-profile"
How do I set the profile to allow this "clone" operation (I assume this is when it forks..?)?
transmission requests /etc/ r, and /mnt/sda1/user1/ r, (/mnt/sda1/user1/ is the home directory). I do not allow it. AppArmor writes very many messages to syslog and messages. Feature request, though I said it before, I say it again: it should be possible to turn that off, something like /etc/ r nolog or some other way, maybe in a special nolog file.
Why does it ask for /etc/? Why does transmission need it? I think it does not need it and it should "shut up" after several attempts. Also the home directory. Both of these look like transmission wants to spy on what programs I have installed.
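The kernel line quoted in the apache2 question above and the transmission denials described in this post are the raw material that both aa-logprof and a hand-rolled workflow have to work from. What follows is an added example, not code from the thread or from the AppArmor project: a small Python parser that turns such syslog lines into (profile, operation, path, mask) tuples, collapses repeats so that a denial which floods the log counts as one decision, and drafts candidate rule text for review. Only the first sample line is taken from the thread; the others are constructed here to resemble the transmission and firefox denials the posts describe, so their paths, pids and field names are assumptions. The parser reads every key=value pair generically and does not depend on a particular field set, which varies between AppArmor versions.

```python
"""Summarize AppArmor audit lines from syslog and draft candidate rules.

Added example for this thread; not the AppArmor project's own code.
"""
import re
from collections import Counter, defaultdict

# Constructed sample. Line 1 is the "clone" line quoted in the apache2
# question. The rest are made up to resemble the transmission and firefox
# denials the posts describe (paths, pids and field set are assumptions).
SAMPLE_LOG = """\
Sep  9 00:23:19 elcamino kernel: [118235.056951] type=1504 audit(1252470199.886:18401): operation="clone" task=22233 pid=22233 profile="null-complain-profile"
Sep  9 00:30:01 elcamino kernel: [118637.001234] type=1503 audit(1252470601.100:18500): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/etc/" pid=24001 profile="/usr/bin/transmission"
Sep  9 00:30:01 elcamino kernel: [118637.001300] type=1503 audit(1252470601.101:18501): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/etc/" pid=24001 profile="/usr/bin/transmission"
Sep  9 00:30:02 elcamino kernel: [118638.002000] type=1503 audit(1252470602.200:18502): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/mnt/sda1/user1/" pid=24001 profile="/usr/bin/transmission"
Sep  9 00:31:15 elcamino kernel: [118711.500000] type=1503 audit(1252470675.300:18510): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=1000 name="/home/user1/.mozilla/firefox/lock" pid=24100 profile="/usr/lib/firefox-3.0.11/firefox.sh"
"""

# key=value or key="quoted value"; the audit(...) token has no '=' and is skipped.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if "audit(" not in line or "profile=" not in line:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def parse_log(text):
    """Parse every AppArmor audit line in a syslog extract."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def summarize(events):
    """Count identical (profile, operation, path, mask) tuples.

    Most of the syslog volume complained about in the thread is one decision
    repeated; collapsing it shows how few distinct decisions remain.
    """
    counts = Counter()
    for ev in events:
        mask = ev.get("denied_mask") or ev.get("requested_mask")
        counts[(ev.get("profile"), ev.get("operation"), ev.get("name"), mask)] += 1
    return counts


def candidate_rules(events):
    """Draft one rule line per distinct path event, grouped by profile.

    Whether each line becomes an allow rule or a deny rule is the reviewer's
    call. Events without a name= field (such as the clone line) are returned
    separately, because there is no path to write a file rule for.
    """
    rules = defaultdict(set)
    no_path = []
    for ev in events:
        name = ev.get("name")
        mask = ev.get("denied_mask") or ev.get("requested_mask")
        if not name or not mask:
            no_path.append(ev)
            continue
        # Masks look like "r::" in this format: keep the letters only.
        perms = "".join(sorted({c for c in mask if c.isalpha()}))
        rules[ev["profile"]].add(f"{name} {perms},")
    return {p: sorted(r) for p, r in rules.items()}, no_path


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for key, n in summarize(events).most_common():
        print(f"{n:4d}  profile={key[0]} op={key[1]} name={key[2]} mask={key[3]}")
    rules, no_path = candidate_rules(events)
    for profile, lines in rules.items():
        print(f"\n{profile} {{")
        for rule in lines:
            print(f"  {rule}")
        print("}")
    for ev in no_path:
        print(f"\nno path to write a rule for: operation={ev.get('operation')} "
              f"profile={ev.get('profile')}")
```

Two things to keep in mind when reading the output. A drafted line such as `/etc/ r,` matches only the directory entry itself, so allowing it grants a listing of /etc and nothing underneath; that is a much smaller concession than the complaint above suggests, and an explicit `deny /etc/ r,` is the usual way to stop the repeated messages instead. Lines with no name= field, like the clone one, cannot be turned into a file rule at all; as I read that line, the profile field is telling you the child landed in null-complain-profile, which is where a complain-mode process goes when it executes something its profile has no exec rule for, so the rule to look for is an exec (ix/px/ux) rule for whatever was launched, not a "clone" permission.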
I have noticed some quirks like this too. Sometimes when you deny something, it will still ask even though there is clearly a "deny" line already in the profile.
Then there is the infamous error:
"Use of uninitialized value $profile in concatenation (.) or string at /usr/share/perl5/Immunix/SubDomain.pm line 4401."
I get this quite often. Sometimes it happens so often I have to reboot. There was a bug filed a long time ago, but nothing has been done about it yet. This is not surprising as AppArmor does not seem to be under development anymore. I suppose TOMOYO might be the way to go in the future.
The other problem is that apparmor has actually been in development and as such it is very different between each version of Ubuntu.
Documentation of these changes is lagging and your best option is probably reading the man pages.
There are basically two approaches to apparmor. One is to generate a profile, run it in complain mode for some time (a week?), generate logs, then assume such activity is "normal" and allow it all. Then change the profile to enforce and now you should only be logging abnormal activity.
The other approach is to limit access as much as possible. With this second approach you will get a ton of activity in your logs.
Personally I do a blend of the two. Allow full access to $HOME and restrict access to the few files or directories such as ~/.ssh or ~/.Private.
Same with /etc. Allow applications to at least read the "normal" config files they need; many of these things are in the abstractions. Restrict access to things such as passwd, shadow, and such.
You may also wish to restrict access to /sys and /proc and /etc/init.d/apparmor (restrict the ability of a profile to turn apparmor off).
I also restrict access to things in /sbin such as iptables.
It is much easier to allow all and generate a black list than to deny all and allow a white list. Further, you can copy-paste your black list between profiles.
Last, in 9.10 there are more and more default profiles. I use the defaults as much as possible.
Originally Posted by bodhi.zazen
What is full access? @{HOME}/ and @{HOME}/**?
I said about that that I denied even the directory listing of home and etc. (programs can directly request a subdirectory listing or a file in a subdirectory without looking at the directory listings of the outer directories, of course...)
I do not know how to allow everything in an area and then deny several things in it in AppArmor. I only know allow marks like r, w, k, l, ix, mrix, rix, rw; they all allow some paths over all the paths denied by default.
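The blended approach bodhi.zazen describes (allow the whole home area, then black-list a few things inside it) and the question just above (what "full access" is in rule terms, and how to deny things inside an allowed area) come down to two pieces of AppArmor syntax: the difference between `@{HOME}/` and `@{HOME}/**`, and `deny` rules, which take precedence over allow rules in the same profile and need a parser that understands them (AppArmor 2.3 or later). The profile below is an added example written for this thread, not a profile from the thread or from Ubuntu; the binary, the `abstractions/site/common` include and every path in it are assumptions. It also picks up Joel Goguen's shared-include idea, with one caveat: files placed directly in /etc/apparmor.d/ are loaded as profiles by the init script, so a snippet of bare rules is safer under /etc/apparmor.d/abstractions/ (the `#include <...>` path is resolved relative to /etc/apparmor.d either way).

```apparmor
# Added example profile for a hypothetical /usr/bin/transmission; not from
# the thread or from Ubuntu. The binary, the site/common include and all
# paths are assumptions. Needs deny-rule support (AppArmor 2.3 or later).
#include <tunables/global>

/usr/bin/transmission {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  # Site-wide rules shared between profiles, kept under abstractions/ so
  # the init script does not try to load the snippet as a profile.
  #include <abstractions/site/common>

  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,

  # "Full access" to the home area takes both rules: the first matches the
  # directory entry itself (the listing), the second everything below it.
  # @{HOME}/ on its own would allow the listing and nothing else.
  @{HOME}/ r,
  @{HOME}/** rw,

  # Black list inside the allowed area. An explicit deny beats the allow
  # above. Explicit deny rules are also quiet: matching denials are not
  # logged unless the rule is prefixed with "audit", which is the supported
  # way to get the "nolog" behaviour asked for earlier in the thread.
  deny @{HOME}/.ssh/** rwkl,
  deny @{HOME}/.gnupg/** rwkl,
  deny @{HOME}/.Private/** rwkl,

  # /etc: the listing plus the specific config the program actually needs.
  # The explicit denies are redundant today (unlisted paths are denied
  # anyway) but stay in force if someone later adds a broad /etc/** r.
  /etc/ r,
  /etc/transmission-daemon/** r,
  deny /etc/shadow r,
  deny /etc/gshadow r,

  # Keep the program away from knobs that could weaken its own confinement.
  deny /sys/** w,
  deny /proc/sys/** w,
  deny /etc/init.d/apparmor x,
  deny /sbin/iptables* x,
}
```

Save it as /etc/apparmor.d/usr.bin.transmission, load it with `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.transmission`, and switch modes with `sudo aa-complain` / `sudo aa-enforce` while refining it. Because the init script loads whatever sits in /etc/apparmor.d/, a stray backup copy there would be loaded too, which is the practical reason behind the earlier advice to keep backups outside that directory.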