Thread: [SOLVED] Trying to build an apparmor profile, and not succeeding

  1. #1
    Join Date: Aug 2007 | Location: Kottawa, Sri Lanka | Beans: 7,387 | Distro: Ubuntu 10.04 Lucid Lynx

    [SOLVED] Trying to build an apparmor profile, and not succeeding

    I'm trying to build an Apparmor profile, and I am a newbie at this (you are warned). While apparmor_parser accepts the profile, it doesn't seem to implement it properly, since I'm getting all kinds of rejects and denials in audit for stuff I know I've allowed. Here is the profile (it's incomplete):-
    Code:
    #include <tunables/global>
    /usr/lib/firefox-3.0/firefox.sh flags=(complain) {
      #include <abstractions/base>
      #include <abstractions/gnome>
      #allow access to all networking network
    
      /bin/dash ix,
      /usr/lib/firefox-3.0/firefox.sh mr,
      /usr/lib/gnash/* rux,
      /usr/lib/firefox-3.0/** rw,
      /home/un/Downloads/** rw,
      /home/un/.mozilla/** rwk,
      /usr/share/icons/** r,
      /tmp/** rw,
      /usr/lib/xulrunner-1.9/** rw,
    }
    Thanks in advance.
    Think carefully before executing commands containing "rm", especially "sudo rm -rf ", if you require more information concerning this matter, read this.
    I am an experimenter, give me the most stable OS and I can make it unstable in a few hours.

    C == seriously fast == FTW!
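The denials the first post describes are the raw material for a profile: each `apparmor="DENIED"` line in the kernel log names the profile, the path (or socket family) and the access that was refused, and `aa-logprof` is the usual tool for turning them into rules. The script below is an added example, not code from this thread or from the AppArmor project; it does the same translation in a few lines so the mapping from log field to rule syntax is visible. The log lines in `SAMPLE_LOG` are constructed to resemble the kernel's audit output, and a denied exec is suggested as `ix` because that is the transition the profiles in this thread use for helpers such as `/bin/dash`.

```python
"""Turn AppArmor denial lines into candidate profile rules, grouped per profile.

Added example (not from the thread). The sample lines below are constructed;
field names follow the kernel's AppArmor audit output (apparmor="DENIED",
operation=, profile=, name=, denied_mask=, family=, sock_type=).
"""
import re
from collections import defaultdict

# Constructed sample of what the kernel log shows while a profile is enforced.
SAMPLE_LOG = """\
audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/lib/firefox-3.0/firefox.sh" name="/etc/nsswitch.conf" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/lib/firefox-3.0/firefox.sh" name="/home/un/.mozilla/firefox/97peui19.default/places.sqlite" pid=4242 comm="firefox" requested_mask="wr" denied_mask="w" fsuid=1000 ouid=1000
audit: type=1400 apparmor="DENIED" operation="file_lock" profile="/usr/lib/firefox-3.0/firefox.sh" name="/home/un/.mozilla/firefox/97peui19.default/.parentlock" pid=4242 comm="firefox" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
audit: type=1400 apparmor="DENIED" operation="exec" profile="/usr/lib/firefox-3.0/firefox.sh" name="/usr/lib/libgconf2-4/gconfd-2" pid=4250 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 apparmor="DENIED" operation="create" profile="/usr/lib/firefox-3.0/firefox.sh" pid=4242 comm="firefox" family="inet" sock_type="stream" protocol=6
audit: type=1400 apparmor="STATUS" operation="profile_load" name="/usr/lib/firefox-3.0/firefox.sh" pid=4000 comm="apparmor_parser"
"""

# key=value pairs, with the value either quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return {field: value} for one log line."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}


def suggest_rules(log_text):
    """Map each profile that had denials to a sorted list of candidate rules.

    File denials become 'path mask,' using the letters from denied_mask;
    a denied exec becomes 'path ix,' (run under the same profile, as the
    thread's profiles do for /bin/dash); socket denials become
    'network <family> <type>,'. Lines that are not DENIED are ignored.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("apparmor") != "DENIED":
            continue
        profile = f.get("profile", "<unknown>")
        if "family" in f:
            rule = f"network {f['family']} {f.get('sock_type', '')}".rstrip()
            rules[profile].add(rule + ",")
            continue
        name, mask = f.get("name"), f.get("denied_mask", "")
        if not name:
            continue
        if f.get("operation") == "exec":
            rules[profile].add(f"{name} ix,")
        else:
            # keep only the letters AppArmor accepts in a file rule
            mask = "".join(c for c in mask if c in "rwklm")
            if mask:
                rules[profile].add(f"{name} {mask},")
    return {p: sorted(r) for p, r in rules.items()}


if __name__ == "__main__":
    for profile, rs in suggest_rules(SAMPLE_LOG).items():
        print(f"# candidate additions for {profile}")
        for r in rs:
            print("  " + r)
```

Review each suggestion before pasting it into the profile: a denial is evidence that the program asked for the access, not that it should have it, and widening a rule (for example `/usr/lib/firefox-3.0/**` instead of one file) is a decision to make deliberately while the profile is still in complain mode.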

  2. #2
    Join Date: Aug 2007 | Location: Kottawa, Sri Lanka | Beans: 7,387 | Distro: Ubuntu 10.04 Lucid Lynx

    Re: Trying to build an apparmor profile, and not succeeding

    Ok, I managed to learn something, and now the list of denials is decreasing and I think I could handle the stress of fine-tuning the profile.

    One thing that helped me was the really strict cups profile.

    Anyone wanting my new(still incomplete) profile:-
    Code:
    #include <tunables/global>
    /usr/lib/firefox-3.0/firefox.sh flags=(complain) {
      #include <abstractions/base> 
      #include <abstractions/gnome>
      #include <abstractions/fonts>
      network inet,
      
      /bin/dash ix,
      /usr/lib/firefox-3.0/firefox.sh mr,
      /usr/lib/gnash/* rix,
      /usr/lib/firefox-3.0/** rwix,
      /home/un/Downloads/** rwix,
      /home/un/.mozilla/firefox/97peui19.default/*.sqlite* rwk,
      /home/un/.mozilla/firefox/97peui19.default/** rw,
      /home/un/.mozilla/firefox/97peui19.default/ rw,
      /usr/share/icons/** rix,
      /tmp/** rw,
      /usr/share/mime/** r,
      /usr/lib/xulrunner-1.9/ rix,
      /etc/hosts r,
      /etc/resolv.conf r,
      /usr/share/ubufox/** r,
    }

  3. #3
    Join Date: Aug 2007 | Location: Kottawa, Sri Lanka | Beans: 7,387 | Distro: Ubuntu 10.04 Lucid Lynx

    Re: [SOLVED] Trying to build an apparmor profile, and not succeeding

    Well, I managed to conjure a profile that allowed me to start and run Firefox while being enforced:-
    Code:
    #include <tunables/global>
    /usr/lib/firefox-3.0/firefox.sh {
      #include <abstractions/base> 
      #include <abstractions/gnome>
      #include <abstractions/fonts>
      network inet,
      
      /bin/dash rix,
      /etc/nsswitch.conf r,
      /etc/passwd r,
      /usr/lib/libgconf2-4/gconfd-2 Ux,
      /etc/gre.d/ r,
      /etc/gre.d/* r,
      /etc/firefox-3.0/** rw,
      /etc/firefox-3.0/* rw,
      /home/un/.mozilla/extensions/** rw,
      /usr/lib/firefox-3.0/firefox.sh mr,
      /usr/lib/gnash/* rix,
      /usr/lib/firefox-3.0/** rwix,
      /home/un/Downloads/ rwix,
      /home/un/Downloads/** rwix,
      /home/un/.mozilla/firefox/97peui19.default/*.sqlite* rwk,
      /home/un/.mozilla/firefox/97peui19.default/** rw,
      /home/un/.mozilla/firefox/97peui19.default/ rw,
      /usr/share/icons/** r,
      /usr/share/applications/** r,
      /home/un/.config/gtk-2.0/gtkfilechooser.ini* rw,
      /tmp/** rw,
      /home/un/.mozilla/firefox/* rw,
      /usr/share/mime/** r,
      /usr/lib/xulrunner-1.9/ rix,
      /etc/hosts r,
      /etc/resolv.conf r,
      /home/un/.mozilla/firefox/97peui19.default/.parentlock k,
      /usr/share/ubufox/** r,
    }
    One thing I deliberately put in there was that Firefox is unable to read my entire home, just the download folder and the .mozilla one.

    Anyone got any suggestions as to where I can improve this profile?

  4. #4
    Join Date: Aug 2007 | Location: Kottawa, Sri Lanka | Beans: 7,387 | Distro: Ubuntu 10.04 Lucid Lynx

    Re: [SOLVED] Trying to build an apparmor profile, and not succeeding

    I cleaned the profile up and extended the functionality a bit, but unfortunately I've hit a bit of a wall. Here is the profile:-
    Code:
    #include <tunables/global>
    /usr/lib/firefox-3.0/firefox.sh {
      #include <abstractions/base> 
      #include <abstractions/gnome>
      #include <abstractions/fonts>
      network inet,
      network inet6,
      
      /bin/dash rix,
      /etc/gai.conf r,
      /etc/nsswitch.conf r,
      /etc/passwd r,
      /usr/lib/libgconf2-4/gconfd-2 Ux,
      /etc/gre.d/* r,
      /etc/gre.d/ r,
      /etc/firefox-3.0/** rw,
      /etc/firefox-3.0/* rw,
      /usr/lib/firefox-3.0/firefox.sh mr,
      /usr/lib/firefox-3.0/** rwix,
      /usr/share/ubufox/** r,
      /usr/share/applications/** r,
      /usr/share/icons/** r,
      /tmp/** rw,
      /tmp/ rw,
      /usr/share/myspell/dicts/ r,
      /usr/share/mime/** r,
      /usr/lib/xulrunner-1.9/ rix,
      /etc/hosts r,
      /etc/resolv.conf r,
    
    #To use Gnash, these permissions have to be given.
      /usr/lib/gnash/ ix,
      @{HOME}/.gstreamer-0.10/registry.* rw,
      /usr/share/gnash/* r,
      /usr/bin/gtk-gnash mixr,
    
    #The permissions required for Flash 10.
      @{HOME}/.macromedia/** rw,
      @{HOME}/.adobe/** r,
      /usr/lib/locale/en_US.utf8/* r,
      /dev/snd/** rw,
    #Note:- The rule allows Fx to read other processes, this has to be done since Flash absolutely requires this otherwise the browser would crash.  
      @{PROC}/** r,
    
    #The permissions it has within home in order to function as required.
      @{HOME}/Downloads/ rw,
      @{HOME}/Downloads/** rw,
      @{HOME}/.mozilla/firefox/97peui19.default/*.sqlite* rwk,
      @{HOME}/.mozilla/firefox/97peui19.default/** rw,
      @{HOME}/.mozilla/firefox/97peui19.default/ rw,
      @{HOME}/.mozilla/firefox/* rw,
      @{HOME}/.mozilla/firefox/97peui19.default/.parentlock k,
      @{HOME}/.mozilla/extensions/** rw,
      @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
    }
    
    #The below profile is required when viewing flash files.
    /usr/bin/gtk-gnash {
    #include<abstractions/gnome>
    }
    The problem is the red line. I know it isn't a serious thing, but I was wondering if it is possible to set it up in such a way that the path would be the current process of Firefox, since that is what the path is.

  5. #5
    Join Date: Jun 2006 | Location: Solihull, UK | Beans: 1,413

    Re: [SOLVED] Trying to build an apparmor profile, and not succeeding

    Very interesting, and thank you for sharing this. I've been using Apparmor to sandbox Firefox for quite a while now, so I'll share my profile with you too, in the hope that you might find it semi-useful. If you have any questions, feel free to ask.
    Code:
    # Last Modified: Fri Jun 20 22:03:44 2008
    #include <tunables/global>
    /usr/lib/firefox-3.0/firefox.sh {
      #include <abstractions/apport>
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/bash>
      #include <abstractions/consoles>
      #include <abstractions/cups-client>
      #include <abstractions/dbus>
      #include <abstractions/fonts-custom>
      #include <abstractions/freedesktop.org-custom>
      #include <abstractions/gnome-custom>
      #include <abstractions/nameservice>
      #include <abstractions/python>
      #include <abstractions/user-download-custom>
      #include <abstractions/user-read>
      #include <abstractions/user-tmp>
    
      capability sys_ptrace,
    
      /bin/dash ix,
      /bin/grep ixr,
      /bin/ps ixr,
      /bin/sed ixr,
      /bin/uname Ux,
      /bin/which Ux,
      /dev/shm/ r,
      /dev/shm/pulse-shm-* rw,
      /etc/X11/cursors/* r,
      /etc/firefox-3.0/** r,
      /etc/fstab r,
      /etc/gnome/defaults.list r,
      /etc/gre.d/ r,
      /etc/gre.d/* r,
      /etc/java-6-openjdk/** r,
      /etc/mailcap r,
      /etc/mime.types r,
      /etc/mplayer/input.conf r,
      /etc/mplayer/mplayer.conf r,
      /etc/mplayerplug-in.conf r,
      /etc/pulse/* r,
      /etc/sound/events/gtk-events-2.soundlist r,
      @{PROC}/ r,
      @{PROC}/*/cmdline r,
      @{PROC}/*/environ r,
      @{PROC}/*/fd/ r,
      @{PROC}/*/maps r,
      @{PROC}/*/mounts r,
      @{PROC}/*/stat r,
      @{PROC}/*/status r,
      @{PROC}/meminfo r,
      @{PROC}/net/* r,
      @{PROC}/sys/kernel/pid_max r,
      @{PROC}/tty/drivers r,
      @{PROC}/uptime r,
      @{PROC}/version r,
      /sys/devices/system/cpu/ r,
      /usr/bin/deluge Px,
      /usr/bin/env ixr,
      /usr/bin/eog Ux,
      /usr/bin/evince Ux,
      /usr/bin/evolution Px,
      /usr/bin/file-roller Ux,
      /usr/bin/gconftool-2 ixr,
      /usr/bin/gpg ixr,
      /usr/bin/lsb_release ixr,
      /usr/bin/mplayer ixr,
      /usr/bin/python2.5 ix,
      /usr/bin/screem Ux,
      /usr/bin/seahorse-tool ixr,
      /usr/bin/setarch ixr,
      /usr/lib/firefox-3.0/firefox ixr,
      /usr/lib/firefox-3.0/firefox.sh mr,
      /usr/lib/jvm/java-6-openjdk/jre/bin/pluginappletviewer ixr,
      /usr/lib/jvm/java-6-openjdk/jre/lib/amd64/gcjwebplugin.so mr,
      /usr/lib/mozilla/plugins/mplayerplug-in-dvx.so mr,
      /usr/lib/mozilla/plugins/mplayerplug-in-qt.so mr,
      /usr/lib/mozilla/plugins/mplayerplug-in-rm.so mr,
      /usr/lib/mozilla/plugins/mplayerplug-in-wmp.so mr,
      /usr/lib/mozilla/plugins/mplayerplug-in.so mr,
      /usr/lib/nspluginwrapper/i386/linux/npviewer ixr,
      /usr/lib/nspluginwrapper/i386/linux/npviewer.bin ixr,
      /usr/lib32/Adobe/Reader8/bin/acroread Ux,
      /usr/lib32/gtk-2.0/2.10.0/engines/* mr,
      /usr/lib32/pango/1.6.0/modules/* mr,
      /usr/share/locale-langpack/** r,
      /usr/share/ubufox/* r,
      /usr/share/ubufox/**/ r,
      /var/lib/flashplugin-nonfree/npwrapper.libflashplayer.so mr,
      @{HOME}/.ICEauthority r,
      @{HOME}/.Xauthority r,
      @{HOME}/.adobe/ w,
      @{HOME}/.adobe/Flash_Player/ w,
      @{HOME}/.adobe/Flash_Player/** rw,
      @{HOME}/.config/user-dirs.dirs r,
      @{HOME}/.cups/* r,
      @{HOME}/.gcjwebplugin/ w,
      @{HOME}/.gcjwebplugin/** rw,
      @{HOME}/.gnupg r,
      @{HOME}/.gnupg/*.gpg r,
      @{HOME}/.gstreamer-0.10/registry.*.xml r,
      @{HOME}/.gtkrc-2.0-gnome-color-chooser r,
      @{HOME}/.local/share/applications/ r,
      @{HOME}/.local/share/applications/* r,
      @{HOME}/.macromedia/ w,
      @{HOME}/.macromedia/Flash_Player/ w,
      @{HOME}/.macromedia/Flash_Player/** rw,
      @{HOME}/.mailcap r,
      @{HOME}/.mcop/random-seed rw,
      @{HOME}/.mcoprc r,
      @{HOME}/.mime.types r,
      @{HOME}/.mozilla/ w,
      @{HOME}/.mozilla/default/ rw,
      @{HOME}/.mozilla/default/** rw,
      @{HOME}/.mozilla/extensions/ rw,
      @{HOME}/.mozilla/extensions/** rw,
      @{HOME}/.mozilla/firefox/ rw,
      @{HOME}/.mozilla/firefox/** krw,
      @{HOME}/.mozilla/plugins/ rw,
      @{HOME}/.mozilla/plugins/** rw,
      @{HOME}/.mplayer/ w,
      @{HOME}/.mplayer/config rw,
      @{HOME}/.pulse-cookie krw,
      @{HOME}/.thumbnails/** r,
      @{HOME}/dwhelper/ w,
      @{HOME}/dwhelper/* w,
    }
    For completeness, I have quite a few custom abstractions too.

    abstractions/apport:
    Code:
    # vim:syntax=apparmor
    
      /var/crash/* rw,
    abstractions/fonts-custom:
    Code:
    # vim:syntax=apparmor
    
      #include <abstractions/fonts>
    
      @{HOME}/.fonts.conf			r,
    abstractions/freedesktop.org-custom:
    Code:
    # vim:syntax=apparmor
    
      #include <abstractions/freedesktop.org>
    
    
      @{HOME}/.icons/                 r,
      @{HOME}/.icons/**		  r,
      @{HOME}/.recently-used.xbel*    rw,
      @{HOME}/.local/share/icons/ 	  r,
      @{HOME}/.local/share/icons/**   r,
      /opt/share/icons/ 		  r,
      /opt/share/icons/**		  r,
      /opt/share/pixmaps/ 		  r,
      /opt/share/pixmaps/**		  r,
    abstractions/gnome-custom:
    Code:
    # vim:syntax=apparmor
    
    #include <abstractions/fonts-custom>
    #include <abstractions/freedesktop.org-custom>
    #include <abstractions/gnome>
    
      @{HOME}/.themes/		  r,
      @{HOME}/.themes/**		  r,
      @{HOME}/.config/gtk-2.0/gtkfilechooser.ini rw,
      @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
      @{HOME}/.fonts/fonts.cache-* rwl, 
      @{HOME}/.gtkrc-2.0-gnome-color-chooser r,
    abstractions/user-download-custom:
    Code:
    # vim:syntax=apparmor
    
      @{HOME}/Desktop/		rw,
      @{HOME}/Desktop/**   		krwl,
      @{HOME}/Download/		rw,
      @{HOME}/Download/**		krwl,
    abstractions/user-read:
    Code:
    # vim:syntax=apparmor
    
      @{HOME}/[a-zA-Z0-9]*/ r,
      @{HOME}/[a-zA-Z0-9]*/** r,
      / r,
      /bin/ r,
      /bin/** r,
      @{HOMEDIRS}/ r,
      @{HOME}/ r,
      /lib/ r,
      /lib/** r,
      /lib32/ r,
      /lib32/** r,
      /media/ r,
      /media/** r,
      /misc/ r,
      /misc/** r,
      /mnt/ r,
      /mnt/** r,
      /opt/ r,
      /opt/** r,
      /sbin/ r,
      /sbin/** r,
      /usr/ r,
      /usr/** r,
    This profile has evolved quite a lot through Gutsy using FF2 and now on Hardy using FF3. Basically, I let FF read most directories in their entirety except for /boot, /dev, /etc, /initrd, /proc, /srv, /sys, /var and any hidden directories in my home folder. This ensures FF has no access to most personal information whilst ensuring that the open/save dialogs still behave in a relatively sane manner, and FF is still largely useful and functional. I only allow FF to write to my desktop, a dedicated download folder or any temporary locations (/tmp, @{HOME}/tmp, /var/tmp).

    If you've got other apps you want to profile, feel free to ask - as I may already have done it.
    Last edited by chrisccoulson; June 23rd, 2008 at 09:38 PM.

  6. #6
    Join Date: Aug 2007 | Location: Kottawa, Sri Lanka | Beans: 7,387 | Distro: Ubuntu 10.04 Lucid Lynx

    Re: [SOLVED] Trying to build an apparmor profile, and not succeeding

    Thanks for that information chrisccoulson, sorry for the late reply. But doesn't your profile look a bit over the top (no offense meant)? The fact is that you are providing (seemingly) unnecessary permissions for Firefox by allowing it to read quite a lot of files it really does not need. Ah, and by the way, all those proc permissions aren't required from my experience, since Flash only requires /proc/pid/maps. Also I created two more profiles for Transmission, Pidgin and Skype (with a Novell profile for a pretty woeful base).

    Firefox:-
    Code:
    # Last Modified: Thu Jun 19 08:47:03 2008
    #include <tunables/global>
    /usr/lib/firefox-3.0/firefox.sh {
      #include <abstractions/base> 
      #include <abstractions/gnome>
      #include <abstractions/fonts>
      network inet,
      network inet6,
      
      /bin/dash rix,
      /etc/gai.conf r,
      /etc/passwd r,
      /etc/nsswitch.conf r,
      /usr/lib/libgconf2-4/gconfd-2 ix,
      /etc/gre.d/* r,
      /etc/gre.d/ r,
      /etc/firefox-3.0/** rw,
      /etc/firefox-3.0/* rw,
      /usr/lib/firefox-3.0/firefox.sh mr,
      /usr/lib/firefox-3.0/** rwix,
      /usr/share/ubufox/** r,
      /usr/share/applications/** r,
      /usr/share/icons/** r,
      #/tmp/** rw,
      #/tmp/ rw,
      /usr/share/myspell/dicts/* r,
      /usr/share/myspell/dicts/ r,
      /usr/share/mime/** r,
      /etc/hosts r,
      /etc/resolv.conf r,
    
    #These are needed if you need to hear any sounds at all.
      /dev/snd/** rw,
      /usr/share/alsa/alsa.conf r,
    
    #To use Gnash, these permissions have to be given.
      /usr/lib/gnash/ m,
      @{HOME}/.gstreamer-0.10/registry.* rw,
      /usr/share/gnash/* r,
      /usr/bin/gtk-gnash mixr,
    
    #The permissions required for Flash 10.
      @{HOME}/.macromedia/** rw,
      @{HOME}/.adobe/** r,
      /usr/lib/locale/en_US.utf8/* r,
      
    #Note:- The rule allows Fx to read other processes, this has to be done since Flash absolutely requires this otherwise the browser would crash.  
      @{PROC}/*/maps r,
    
    #The permissions it has within home in order to function as required.
      @{HOME}/Downloads/ rw,
      @{HOME}/Downloads/** rw,
      @{HOME}/.mozilla/firefox/97peui19.default/*.sqlite* rwk,
      @{HOME}/.mozilla/firefox/97peui19.default/** rw,
      @{HOME}/.mozilla/firefox/97peui19.default/ rw,
      @{HOME}/.mozilla/firefox/* rw,
      @{HOME}/.mozilla/firefox/97peui19.default/.parentlock k,
      @{HOME}/.mozilla/extensions/** rw,
      @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
    
    #Sun Java 6 requires these permissions.
      /usr/lib/jvm/java-6-sun*/jre/** mrix,
      /etc/java-6-sun/* r,
      /etc/java-6-sun/** r,
      @{HOME}/.java/ wr,
      @{HOME}/.java/** wr,
      @{HOME}/.java/deployment/** k,
    
    }
    
    #The below profile is required when viewing flash files through Gnash.
    /usr/bin/gtk-gnash {
    #include<abstractions/gnome>
    }
    Transmission:-
    Code:
    # Last Modified: Fri Jun 20 09:55:31 2008
    #include <tunables/global>
    /usr/bin/transmission {
      #include <abstractions/base>
      #include <abstractions/gnome>
      network inet,
      /usr/bin/transmission mr,
      "@{HOME}/Downloads/**" rw,
      @{HOME}/.transmission/** rw,
      @{HOME}/.transmission/gtk/lock k,
      @{HOME}/.transmission/ rw,
      /etc/hosts r,
      /etc/resolv.conf r,
    }
    Pidgin:-
    Code:
    # Last Modified: Fri Jun 20 09:42:54 2008
    #include <tunables/global>
    /usr/bin/pidgin {
      #include <abstractions/base>
      #include <abstractions/gnome>
      network inet,
      /usr/lib/purple-2/* mr,
      /usr/bin/pidgin mr,
      /etc/hosts r,
      /etc/resolv.conf r,
      @{HOME}/.purple/* wr,
      @{HOME}/.purple/** wr,
      /usr/bin/gconftool-2 ix,
      /usr/bin/gnome-open ix, 
      /usr/lib/pidgin/* mr,
      @{HOME}/pidgindownloads/** rw,
      @{HOME}/pidgindownloads/ rw,
      @{HOME}/ r,
      /usr/share/sounds/purple/* r,
      /home/pramod/.purple/ wr,
      /usr/lib/libgconf2-4/gconfd-2 Ux,
      #/dev/shm/** rw,
      /var/run/dbus/system_bus_socket rw,
    }
    Skype(which was based on a rather lax Novell profile):-
    Code:
    # Last Modified: Fri Jun 20 07:34:08 2008
    # REPOSITORY: http://apparmor.test.opensuse.org/backend/api draglor 53
    #include <tunables/global>
    /usr/bin/skype {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/fonts>
      #include <abstractions/nameservice>
    
      /usr/lib/kde4/lib/kde4/plugins/imageformats/* mr,
      /home/*/.Skype/ rw,
      /home/*/.Skype/** krw,
      @{HOME}/.Xauthority r,
      /home/*/.config/Trolltech.conf kr,
      /home/*/.fontconfig/* r,
      /tmp/.ICE-unix/* w,
      /tmp/.X11-unix/X0 w,
      /usr/bin/skype mr,
      /usr/lib/qt4/plugins/iconengines/ r,
      /usr/lib/qt4/plugins/imageformats/ r,
      /usr/lib/qt4/plugins/imageformats/*.so mr,
      /usr/lib/qt4/plugins/inputmethods/ r,
      /usr/share/X11/locale/** r,
      /usr/share/icons/** r,
      /usr/share/skype/sounds/*.wav kr,
      /var/cache/libx11/compose/* r,
      /dev/snd/** rm,
    }
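The three policy decisions argued over in this thread can be checked mechanically rather than by reading the profile: post #3 wants Firefox confined to Downloads and .mozilla within home, post #5 lets it read most of home but no hidden directories (via `@{HOME}/[a-zA-Z0-9]*/**`), and post #6 argues that `@{PROC}/*/maps` is enough where `@{PROC}/**` was used. The script below is an added example, not code from this thread or from the AppArmor project: it translates the path-glob subset these profiles use (`*`, `**`, `?`, `[...]`, `@{HOME}`/`@{PROC}` variables, trailing `/` for a directory) into regexes and reports whether a rule set grants a given permission on concrete paths. The rule sets, the paths checked and the `/home/un` home directory are constructed; `{a,b}` alternation and exec-mode semantics are left out; and the behaviour that a glob which starts a path component must match at least one character is assumed from the profiles above, which list `/etc/gre.d/` and `/etc/gre.d/*` as separate rules.

```python
"""Check what a set of AppArmor file rules grants to concrete paths.

Added example, not from the thread. Implements the glob subset the thread's
profiles use; rule sets, paths and the home directory are constructed.
"""
import re

VARIABLES = {"@{HOME}": "/home/un", "@{PROC}": "/proc"}  # assumed values


def glob_to_regex(glob):
    """Translate one AppArmor path glob into an anchored regex.

    `*` stops at `/`, `**` crosses directories, `?` is one non-slash char and
    `[...]` is copied as a class. A glob that starts a path component must
    match at least one character (assumed from the thread's profiles, which
    list `/etc/gre.d/` and `/etc/gre.d/*` separately).
    """
    for var, value in VARIABLES.items():
        glob = glob.replace(var, value)
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        after_slash = i > 0 and glob[i - 1] == "/"
        if glob.startswith("**", i):
            out.append("[^/].*" if after_slash else ".*")
            i += 2
        elif c == "*":
            out.append("[^/]+" if after_slash else "[^/]*")
            i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[":
            j = glob.index("]", i)
            out.append(glob[i:j + 1])
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rules(profile_body):
    """Return [(regex, set_of_mode_letters)] from the file rules in a body.

    Comments, #include lines and network rules are skipped.
    """
    rules = []
    for line in profile_body.splitlines():
        line = line.strip().rstrip(",")
        if not line or line.startswith("#") or line.startswith("network"):
            continue
        path, mode = line.rsplit(None, 1)
        rules.append((glob_to_regex(path.strip('"')), set(mode)))
    return rules


def allowed(rules, path, perm):
    """True if any rule matches `path` and grants `perm` (rules accumulate)."""
    return any(rx.match(path) and perm in mode for rx, mode in rules)


def report(profile_body, checks):
    """Return {(path, perm): bool} for each (path, perm) pair in checks."""
    rules = parse_rules(profile_body)
    return {(p, m): allowed(rules, p, m) for p, m in checks}


# Constructed rule sets in the spirit of posts #3/#6 and of post #5.
NARROW_HOME = """
  @{HOME}/Downloads/ rw,
  @{HOME}/Downloads/** rw,
  @{HOME}/.mozilla/firefox/97peui19.default/ rw,
  @{HOME}/.mozilla/firefox/97peui19.default/** rw,
  @{PROC}/*/maps r,
"""
WIDE_READ = """
  @{HOME}/ r,
  @{HOME}/[a-zA-Z0-9]*/ r,
  @{HOME}/[a-zA-Z0-9]*/** r,
  @{HOME}/.gnupg/*.gpg r,
  @{PROC}/** r,
"""
CHECKS = [  # constructed paths worth asking about before enforcing a profile
    ("/home/un/Downloads/report.pdf", "w"),
    ("/home/un/.ssh/id_rsa", "r"),
    ("/home/un/Documents/notes.txt", "r"),
    ("/home/un/.gnupg/pubring.gpg", "r"),
    ("/proc/4242/maps", "r"),
    ("/proc/4242/environ", "r"),
]

if __name__ == "__main__":
    for label, body in (("narrow home", NARROW_HOME), ("wide read", WIDE_READ)):
        print(f"--- {label}")
        for (path, perm), ok in report(body, CHECKS).items():
            print(f"{'ALLOW' if ok else 'deny ':5} {perm} {path}")
```

Running it shows the trade-off the two camps describe: the wide rule set lets Firefox read `Documents/` and every other process's `/proc/<pid>/environ`, while the narrow set denies both and still grants `/proc/<pid>/maps`, which post #6 reports as the only proc access Flash needs. Checking a handful of sensitive paths this way before switching a profile from complain to enforce is cheaper than discovering them later in the audit log.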
