Page 3 of 4 FirstFirst 1234 LastLast
Results 21 to 30 of 33

Thread: Need help || Apparmor Profiles

  1. #21
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: Need help || Apparmor Profiles

    Added both the lines
    [CODE]
    #
    Code:
    # Last Modified: Sat Jul 30 23:26:18 2011
    #include <tunables/global>
    
    /home/tux/.firefox/firefox {
      #include <abstractions/base>
      #include <abstractions/fonts>
      #include <abstractions/gnome>
      #include <abstractions/kde>
      #include <abstractions/nameservice>
    
      /bin/dash ix,
      /bin/uname rix,
      /etc/fstab r,
      @{PROC}/ r,
      @{HOME}/ r,
      @{HOME}/.config/** rw,
      @{HOME}/.kde/** r,
      @{HOME}/.mozilla/firefox/** rwk,
      @{HOME}/Downloads/** rw,
      /home/tux/.firefox/** mrwixkl,
      @{HOME}/.mozilla/** rwk,
      @{HOME}/.mozilla/plugins/** rwk,
      
      
    
      @{PROC}/** r,
    
      /usr/bin/basename rix,
      /usr/bin/dirname rix,
      /usr/bin/expr rix,
      /usr/share/** r,
    
      /usr/lib/mozilla/plugins/** rmixk,
    
    # Flash
      owner @{HOME}/.adobe/ rw,
      owner @{HOME}/.adobe/** rw,
      owner @{HOME}/.macromedia/ rw,
      owner @{HOME}/.macromedia/** rw,
    
    # Allow flash to use video acceleration
      /dev/nvidiactl rw, 
      /dev/nvidia0 rw,
    
    
    }
    Now while trying play a video at youtube log says

    Code:
    Aug  2 07:47:07 tux kernel: [ 1188.398593] type=1503 audit(1312251427.386:1190):  operation="ptrace" pid=2312 parent=1 profile="/home/tux/.firefox/firefox" tracer=2312 tracee=1468

    I actually tried adding

    Code:
    @{HOME}/.mozilla/plugins/** rw
    but didnt include "k". I read k means lock. I will definitely learn about in details. Then I got the /PROC.

    I am getting there .

    But I dont know what to do about ptrace. Just guessing, need to add executable permission to @{PROC}/ r ??.

    I dont wanna experiment too much with this profile or I will mess it up. Once this gets solved I will start with something easy. Please suggest something other than Privoxy. I don't wanna write a profile for app which I don't use. But if you ask I will start with privoxy virtually.
    Lubuntu 14.04
    Athlon 64X2 5600+ Ram: 2GB
    GeForce 6150SE nForce 430

  2. #22
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Need help || Apparmor Profiles

    Take a look at the default apparmor profile included with Ubuntu (it is in apparmor-profiles), the firefox profiles I linked you on my web site, and tools such as aa-logprof
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  3. #23
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: Need help || Apparmor Profiles

    Quote Originally Posted by bodhi.zazen View Post
    Take a look at the default apparmor profile included with Ubuntu (it is in apparmor-profiles), the firefox profiles I linked you on my web site, and tools such as aa-logprof
    Consulted the default apparmor profile, your profiles, even logprof is offering nothing related to FF.

    I just configured FF in complain mode but flash player wont load (in complain mode too).

    It was working fine before.

    I am using this addon https://addons.mozilla.org/en-US/fir...don/flash-aid/

    Lastly I added the line /dev/zero m, & there was no real errors in the logs. Then decided to put FF in complain mode.

    Everything is going haywire.
    Last edited by linuxyogi; August 5th, 2011 at 01:32 AM.
    Lubuntu 14.04
    Athlon 64X2 5600+ Ram: 2GB
    GeForce 6150SE nForce 430

  4. #24
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Need help || Apparmor Profiles

    If it does not work in complain mode, then it is a problem with flash and not apparmor.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  5. #25
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: Need help || Apparmor Profiles

    Quote Originally Posted by bodhi.zazen View Post
    If it does not work in complain mode, then it is a problem with flash and not apparmor.
    Done !!!

    Deleted the aa profile for run.mozilla

    Deleted the FF profile. (Not the aa profile)

    Then added "m" to

    owner /home/*/.mozilla/plugins/libflashplayer.so rm,

    Now flash works without any issues.

    Thanks.

    Please suggest an easy app other than Privoxy.

    Pidgin, Skype, Deluge, Google Earth ...etc
    Lubuntu 14.04
    Athlon 64X2 5600+ Ram: 2GB
    GeForce 6150SE nForce 430

  6. #26
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Need help || Apparmor Profiles

    Quote Originally Posted by linuxyogi View Post
    Done !!!
    Glad you got it working.


    Please suggest an easy app other than Privoxy.

    Pidgin, Skype, Deluge, Google Earth ...etc
    Take your pick. Pidgin should de very straight forward as should deluge.

    Not sure about Skype or Google Earth.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  7. #27
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: Need help || Apparmor Profiles

    Quote Originally Posted by bodhi.zazen View Post
    Glad you got it working.




    Take your pick. Pidgin should de very straight forward as should deluge.

    Not sure about Skype or Google Earth.
    ATM working on Deluge.

    What is the reason behind only the profile going into enforce mode & not the process.

    It happened with FF & now its the same with Deluge.

    I did
    Code:
    sudo aa-genprof deluge
    . Then changed it to complain mode but log

    shows nothing related to Deluge. Also, aa-logprof too offers nothing.
    Lubuntu 14.04
    Athlon 64X2 5600+ Ram: 2GB
    GeForce 6150SE nForce 430

  8. #28
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Need help || Apparmor Profiles

    See man aa-genprof, this is how it works, it puts the profile into complain mode, then you exercise the program, then you tell genprof to write a profile.

    See the blog I posted about an apparmor profile for privoxy
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  9. #29
    Join Date
    Apr 2011
    Beans
    23

    Re: Need help || Apparmor Profiles

    Yes, Firefox really is a tough one to start out with. I started with the default/sleeping Firefox profile that came in my Mint(Ubuntu 10.10). and mixxed in some BHODI magic. Thanks for all your hard work around here, dude. The Fire Fox AA profile you have for Ubuntu 10.10 gave me crucial insight into my correcting and fixing process.

    I don't think I would have been able to do it straight from whassitcalled - - - is it genprof helps to make the profile? Yeah, no I have to have examples of the right way to do it because my way - well uneducated is ignorant.

    Learning alot! Yall keep doing this out loud, hear?

    Deluge is a BT client?
    Like Transmission?
    That's my ultimate goal in using AppArmor : to make all the network facing organisms play nice together, and keep their hands to themselves.

    Still kind of a question in my mind, since I am not the smartest or most experienced :
    If I limit a program to only access/only have certain permissions, does that mean that someone using it only has those permissions/boundaries? What if it is run as root? Or if a program calls up my fenced-in program? Surely the only case where AppArmor won't apply is if the prog is run as root? Or even then?

    hmm . . .

    Hey good luck yall, and good lookin out.

    mini

  10. #30
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: Need help || Apparmor Profiles

    @ Bodhi Zazen

    Hi, I have created profiles for Dropbox, PIdgin, Google Earth.

    ATM using them in enforce mode. Before sharing my Dropbox profile here I opened tyhe profile with LIbreoffice to find and replace /home/ with @{HOME}/ & replace my username with *.

    But now,

    Code:
    $ sudo apparmor_parser -r usr.bin.dropbox 
    AppArmor parser error for usr.bin.dropbox in usr.bin.dropbox at line 1: Found unexpected character: '�'
    Cant find any missing comma at end of any line. Here's the profile



    Code:
    # Last Modified: Sat Aug 20 11:34:47 2011
    #include <tunables/global>
    
    /usr/bin/dropbox {
      #include <abstractions/base>
      #include <abstractions/nameservice>
      #include <abstractions/ubuntu-konsole>
    
    
      capability sys_ptrace,
    
    
      deny /etc/passwd r,
    
      /bin/dash rix,
      /bin/readlink ix,
      /bin/which rix,
      /etc/python2.6/sitecustomize.py r,
      owner @{HOME}/*/ r,
      owner @{HOME}/*/.config/autostart/dropbox.desktop w,
      owner @{HOME}/*/.dropbox-dist/ r,
      owner @{HOME}/*/.dropbox-dist/icons/hicolor/16x16/status/ r,
      owner @{HOME}/*/.dropbox-dist/ncrypt-0.6.4-py2.5-linux-x86_64.egg/_ncrypt.so mr,
      owner @{HOME}/*/.dropbox-dist/ncrypt-0.6.4-py2.5-linux-x86_64.egg/ncrypt/__init__.pyc r,
      owner @{HOME}/*/.dropbox-dist/ncrypt-0.6.4-py2.5-linux-x86_64.egg/ncrypt/cipher.pyc r,
      owner @{HOME}/*/.dropbox-dist/ncrypt-0.6.4-py2.5-linux-x86_64.egg/ncrypt/dh.pyc r,
      owner @{HOME}/*/.dropbox-dist/ncrypt-0.6.4-py2.5-linux-x86_64.egg/ncrypt/digest.pyc r,
      owner @{HOME}/*/.dropbox-dist/ncrypt-0.6.4-py2.5-linux-x86_64.egg/ncrypt/rsa.pyc r,
      owner @{HOME}/*/.dropbox-dist/ncrypt-0.6.4-py2.5-linux-x86_64.egg/ncrypt/ssl.pyc r,
      owner @{HOME}/*/.dropbox-dist/ncrypt-0.6.4-py2.5-linux-x86_64.egg/ncrypt/x509.pyc r,
      owner @{HOME}/*/.dropbox-dist/netifaces-0.5-py2.5-linux-x86_64.egg/netifaces.so mr,
      owner @{HOME}/*/.dropbox/ r,
      @{HOME}/*/.dropbox/** rix,
      owner @{HOME}/*/.dropbox/config.db rwk,
      owner @{HOME}/*/.dropbox/config.db-journal rw,
      owner @{HOME}/*/.dropbox/dropbox.pid rwk,
      owner @{HOME}/*/.dropbox/filecache.db wk,
      owner @{HOME}/*/.dropbox/filecache.db-journal rw,
      owner @{HOME}/*/.dropbox/host.db w,
      owner @{HOME}/*/.dropbox/l/** rw,
      owner @{HOME}/*/.dropbox/sigstore.db rwk,
      owner @{HOME}/*/.dropbox/unlink.db rw,
      owner @{HOME}/*/.fontconfig/7ef2298fde41cc6eeb7af42e48b7d293-le64.cache-3 r,
      owner @{HOME}/*/.icons/ r,
      owner @{HOME}/*/.local/share/icons/hicolor/16x16/apps/ r,
      owner @{HOME}/*/.local/share/icons/hicolor/32x32/apps/ r,
      owner @{HOME}/*/.local/share/icons/hicolor/48x48/apps/ r,
      owner @{HOME}/*/Dropbox/.dropbox w,
      owner @{HOME}/*/Dropbox/.~216883113597249541HI w,
      owner @{HOME}/*/Dropbox/.~3945515783863310787HI w,
      owner @{HOME}/*/Dropbox/.~5397912888794637208HI w,
      owner @{HOME}/*/Dropbox/.~7317713414570696711HI w,
      owner @{HOME}/*/Dropbox/wallpapers/Mt.Kailash.jpg r,
      owner @{HOME}/*/Dropbox/wallpapers/hazel-0a.jpg r,
      owner @{HOME}/*/Dropbox/wallpapers/kar106a.jpg r,
      owner @{HOME}/*/Dropbox/wallpapers/mt-kailash.jpg r,
      owner @{HOME}/*/Dropbox/wallpapers/sonal-chauhan-7a.jpg r,
      owner "@{HOME}/*/Dropbox/wallpapers/sonam kapoor Hot.jpg" r,
      @{HOME}/*/.dropbox-dist/* rix,
      @{HOME}/*/.dropbox-dist/dropboxd rix,
      /proc/*/cmdline r,
      owner /proc/*/mounts r,
      /sbin/ldconfig rix,
      /sbin/ldconfig.real rix,
      /usr/bin/dirname ix,
      /usr/bin/dropbox rix,
      /usr/bin/gconftool-2 rix,
      /usr/bin/gnome-open rix,
      /usr/bin/nautilus rix,
      /usr/bin/objdump rix,
      /usr/bin/python2.6 ix,
      /usr/lib{,32,64}/** mr,
      /usr/local/lib/python2.6/dist-packages/ r,
      /usr/share/applications/dropbox.desktop r,
      /usr/share/applications/nautilus.desktop r,
      /usr/share/pyshared/PIL.pth r,
      /usr/share/pyshared/apport_python_hook.py r,
      /usr/share/pyshared/cairo/__init__.py r,
      /usr/share/pyshared/gtk-2.0/gio/__init__.py r,
      /usr/share/pyshared/gtk-2.0/glib/__init__.py r,
      /usr/share/pyshared/gtk-2.0/glib/option.py r,
      /usr/share/pyshared/gtk-2.0/gobject/__init__.py r,
      /usr/share/pyshared/gtk-2.0/gobject/constants.py r,
      /usr/share/pyshared/gtk-2.0/gobject/propertyhelper.py r,
      /usr/share/pyshared/gtk-2.0/gtk/__init__.py r,
      /usr/share/pyshared/gtk-2.0/gtk/_lazyutils.py r,
      /usr/share/pyshared/gtk-2.0/gtk/deprecation.py r,
      /usr/share/pyshared/pygst.pth r,
      /usr/share/pyshared/pygtk.py r,
      /usr/share/pyshared/zope.interface-3.5.3-nspkg.pth r,
      /usr/share/themes/Ambiance/gtk-2.0/gtkrc r,
      /usr/share/themes/Default/gtk-2.0-key/gtkrc r,
    
    }
    ^ WHich line has the error ? Dunno which one is line 1.

    Dont wanna modify the other profiles before finding out what went wrong while editing this one.
    Last edited by linuxyogi; August 21st, 2011 at 11:53 AM.
    Lubuntu 14.04
    Athlon 64X2 5600+ Ram: 2GB
    GeForce 6150SE nForce 430

Page 3 of 4 FirstFirst 1234 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •