Page 7 of 12 FirstFirst ... 56789 ... LastLast
Results 61 to 70 of 112

Thread: Share your AppArmor Profiles

  1. #61
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Share your AppArmor Profiles

    Here are a few of my AppArmor profiles. All of these work on 9.10, and all work without throwing any errors after several months of use.

    Amarok 2.2.1 profile. (Note: I use OSS and not ALSA/Phonon)

    Code:
    #include <tunables/global>                            
    
    /usr/bin/amarok {
      #include <abstractions/X>
      #include <abstractions/audio>
      #include <abstractions/base> 
      #include <abstractions/fonts>
      #include <abstractions/freedesktop.org>
      #include <abstractions/mysql>          
      #include <abstractions/nameservice>    
      #include <abstractions/private-files>  
      #include <abstractions/private-files-strict>
      #include <abstractions/samba>               
      #include <abstractions/user-tmp>            
    
    
      /dev/oss/oss_hdaudio0/* w,
      /dev/zero mrw,            
      /etc/default/apport r,    
      /etc/fstab r,             
      /etc/kde4rc r,            
      /etc/mysql/* r,
      /etc/mysql/** r,
      owner /home/** rwkl,
      owner /home/*/ r,
      owner /proc/*/status r,
      owner /proc/*/task/ r,
      /proc/filesystems r,  
      /sys/devices/system/cpu/ r,
      /usr/bin/amarok r,
      /usr/lib{,32,64}/** mr,
      /usr/local/lib/lib*so* mr,
      /usr/share/fonts/ r,
      /usr/share/kde4/apps/amarok/ r,
      /usr/share/kde4/apps/amarok/** r,
      /usr/share/kde4/apps/desktoptheme/** r,
      /usr/share/kde4/config/* r,
      /usr/share/kde4/services/* r,
      /usr/share/kubuntu-default-settings/kde4-profile/default/share/config/* r,
      /usr/share/locale-langpack/ r,
      /usr/share/locale/ r,
      /usr/share/xine/**/ r,
    
    }
    My Kopete profile:

    Code:
    #include <tunables/global>                           
    
    /usr/bin/kopete {
      #include <abstractions/base>
      #include <abstractions/fonts>
      #include <abstractions/kde>  
      #include <abstractions/nameservice>
      #include <abstractions/private-files>
      #include <abstractions/private-files-strict>
    
      /etc/default/apport r,
      /etc/kde4rc r,
      owner @{HOME}/*/** rwlk,
      /proc/filesystems r,
      /proc/meminfo r,
      /proc/stat r,
      /proc/sys/crypto/* r,
      /usr/lib{,32,64}/** mr,
      /usr/share/emoticons/ r,
      /usr/share/enchant/* r,
      /usr/share/kde4/apps/kabc/** r,
      /usr/share/kde4/apps/khtml/** r,
      /usr/share/kde4/apps/kopete** r,
      /usr/share/kde4/config/** r,
      /usr/share/kubuntu-default-settings/kde4-profile/default/share/config/* r,
      /usr/share/myspell/dicts/ r,
      /usr/share/myspell/dicts/* r,
    
    }
    My Kvirc profile:

    Code:
    #include <tunables/global>
    
    /usr/bin/kvirc {
      #include <abstractions/fonts>
      #include <abstractions/kde>
      #include <abstractions/nameservice>
      #include <abstractions/private-files>
      #include <abstractions/private-files-strict>
    
    
      audit deny @{HOME}/Documents/ rwk,
      audit deny @{HOME}/Downloads/ rwk,
    
      /etc/default/apport r,
      /etc/kde4rc r,
      owner /home/*/** rwk,
      /proc/stat r,
      /usr/bin/kfmclient rix,
      /usr/share/kde4/config/* r,
      /usr/share/kubuntu-default-settings/kde4-profile/default/share/config/* r,
      /usr/share/kvirc/** r,
    
    }

    My Transmission profile:

    Code:
    #include <tunables/global>                                 
    
    /usr/bin/transmission {
      #include <abstractions/X>
      #include <abstractions/base>
      #include <abstractions/dbus>
      #include <abstractions/fonts>
      #include <abstractions/freedesktop.org>
      #include <abstractions/gnome>
      #include <abstractions/nameservice>
      #include <abstractions/private-files>
      #include <abstractions/private-files-strict>
    
    
      /etc/kde4rc r,
      owner /home/*/ r,
      owner /home/*/** rwk,
      owner /proc/*/cmdline r,
      owner /proc/*/fd/ r,
      /proc/*/net/route r,
      /proc/filesystems r,
      /usr/lib{,32,64}/** mr,
      /usr/local/lib/lib*so* mr,
      /usr/share/fonts/ r,
    
    }

  2. #62

    Re: Share your AppArmor Profiles

    empathy profile:
    Code:
    #include <tunables/global>
    
    /usr/bin/empathy {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/fonts>
      #include <abstractions/freedesktop.org>
      #include <abstractions/gnome>
      #include <abstractions/nameservice>
      #include <abstractions/user-tmp>
      #include <abstractions/X>
      #include <abstractions/dbus>
    
    /proc/filesystems r,
    @{HOME}/.gstreamer-*/** r,
    /usr/lib/libvisual-*/** m,
    /usr/share/empathy/** r,
    @{HOME}/.gstreamer-*/registry.i486.bin.* w,
    @{HOME}/.config/Empathy/** rw,
    /usr/share/telepathy/** r,
    @{HOME}/.gstreamer-*/registry.i486.bin w,
    @{HOME}/.cache/telepathy/ w,
    @{HOME}/.cache/telepathy/** rw,
    /usr/share/enchant/** r,
    /usr/share/myspell/** r,
    /usr/share/xml/** r,
    @{HOME}/.local/share/Empathy/ w,
    @{HOME}/.local/share/Empathy/** rw,
    @{HOME}/.config/enchant/ rw,
    @{HOME}/.config/enchant/** rw,
    @{PROC}/[0-9]*/fd/ r,
    /usr/lib/firefox-3.5.*/firefox.sh Uxr,
    }
    2009-12-27 11:23 utc+3 : don't bother about "...firefox.sh Uxr,": it has no profile and runs another binary file which has a profile, and that runs confined.
    Last edited by q.dinar; December 27th, 2009 at 09:24 AM.

  3. #63

    Re: Share your AppArmor Profiles

    For ejabberd, profiles for 2 files; they both run when ejabberd is started:
    Code:
    #include <tunables/global>
    /usr/sbin/ejabberd {
    #include <abstractions/base>
    /usr/sbin/ejabberd r,
    /etc/default/ejabberd r,
    /usr/lib/erlang/bin/erl ix,
    /bin/sed ix,
    /usr/lib/erlang/** ix,
    /proc/filesystems r,
    /sys/devices/system/cpu/ r,
    /bin/dash ix,
    /var/log/ejabberd/** wr,
    /var/lib/ejabberd/** wr,
    /sys/devices/system/cpu/** r,
    #include <abstractions/nameservice>
    /etc/ejabberd/** r,
    /var/lib/ejabberd/ r,
    /usr/lib/ejabberd/** mr,
    /var/www/muclogs/** wr,
    }
    Edit /var/www/muclogs/** as you need.
    Code:
    #include <tunables/global>
    /usr/sbin/ejabberdctl {
    #include <abstractions/base>
    /usr/sbin/ejabberdctl r,
    /etc/default/ejabberd r,
    /bin/date ix,
    /usr/lib/erlang/bin/erl ix,
    /bin/sed ix,
    /usr/lib/erlang/** ix,
    /proc/filesystems r,
    /sys/devices/system/cpu/ r,
    /bin/dash ix,
    #include <abstractions/nameservice>
    /sys/devices/system/cpu/** r,
    @{HOME}/erl_crash.dump wr,
    /var/lib/ejabberd/** wr,
    @{HOME}/.erlang.cookie wr,
    }
    Other things besides @{HOME}/.erlang.cookie wr, may appear if you run ejabberdctl from the terminal; I have not used it much.
    /etc/init.d/ejabberd :
    Code:
    #include <tunables/global>
    /etc/init.d/ejabberd {
    #include <abstractions/base>
    /etc/init.d/ejabberd r,
    /etc/default/ejabberd r,
    /bin/su ix,
    capability dac_override,
    capability dac_read_search,
    /usr/bin/expr ix,
    /bin/sleep ix,
    /var/run/utmp rk,
    #include <abstractions/nameservice>
    /etc/login.defs r,
    /etc/pam.d/* r,
    /lib/security/** mr,
    /etc/shells r,
    /proc/filesystems r,
    capability setgid,
    /etc/shadow r,
    /etc/security/** r,
    capability setuid,
    /etc/environment r,
    /etc/default/locale r,
    /bin/dash ix,
    /usr/sbin/ejabberdctl Px,
    /usr/sbin/ejabberd Px,
    }
    Last edited by q.dinar; December 26th, 2009 at 06:17 AM.

  4. #64
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Share your AppArmor Profiles

    Thank you for posting your profiles.

    My 2c would be that you take the time to keep your profile organized =)

    Not that I am perfect at this either, but it makes it difficult to read and debug if the profile is not in some semblance of order.

    In general :

    1. Includes first.
    2. capabilities second.
    3. System files next, alphabetical order (/etc/foo before @{PROC} before /tmp before /var).
    4. @{HOME} last, again in alphabetical order.

    One very general consideration: IMO one of the main uses of apparmor is to limit access to files in $HOME. System files are already "protected" by permissions, but $HOME is wide open.

    I typically limit access to things such as ~/.ssh and ~/.bashrc and only allow downloads to certain locations, such as ~/Downloads. In fact, I usually review

    /etc/apparmor.d/abstractions/private-files

    Then of course
    #include <abstractions/private-files>

    =)

    The other consideration is to not only limit access to only what is needed, but also to quiet down the logs.

    Ideally apparmor would only log abnormal activity. If, say, firefox is filling the log with errors because you denied access to /proc/, while it may work, it is then harder to detect aberrant behavior =)

    My uptime is only 5 days now, but no errors from apparmor in my log with "normal activity" so that is nice also.

    To do this I

    Code:
    tail -F /var/log/messages
    then run, say, firefox, do normal activities, and try to quiet down the logs as much as possible.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface
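The ordering described in the post above (includes first, capabilities second, system paths in alphabetical order with @{PROC} sorting as /proc, @{HOME} last) can be applied mechanically. The script below is an added example written for this thread; it is not code from the thread's posters or from the AppArmor project. It assumes a flat profile (no hats or subprofiles) and relies on AppArmor rules not being order dependent, so regrouping the lines cannot change what the profile allows or denies. The sample input is the Kvirc profile from post #61, embedded here as a test string; @{HOME} and @{PROC} are expanded only when computing the sort key.

```python
"""Regroup and alphabetise the rules of a flat AppArmor profile.

Added example for this thread, not code from the AppArmor project. It assumes a
single-level profile and relies on AppArmor rule order being irrelevant to the
resulting policy, so the output permits exactly what the input permits.
"""
import re
import sys

# Output order of the rule groups.
GROUPS = ("include", "capability", "other", "system", "home")

# Qualifiers that may precede a path rule; stripped for classification/sorting only.
QUALIFIER_RE = re.compile(r"^(?:(?:audit|deny|owner)\s+)+")

# Tunables expanded only for sorting, so @{PROC} lands between /etc and /tmp.
TUNABLE_SORT_MAP = {"@{HOME}": "/home", "@{PROC}": "/proc"}

# Sample input: the Kvirc profile posted earlier in this thread, rules in the
# order the poster gave them.
SAMPLE_PROFILE = """\
#include <tunables/global>

/usr/bin/kvirc {
  #include <abstractions/fonts>
  #include <abstractions/kde>
  #include <abstractions/nameservice>
  #include <abstractions/private-files>
  #include <abstractions/private-files-strict>

  audit deny @{HOME}/Documents/ rwk,
  audit deny @{HOME}/Downloads/ rwk,

  /etc/default/apport r,
  /etc/kde4rc r,
  owner /home/*/** rwk,
  /proc/stat r,
  /usr/bin/kfmclient rix,
  /usr/share/kde4/config/* r,
  /usr/share/kubuntu-default-settings/kde4-profile/default/share/config/* r,
  /usr/share/kvirc/** r,
}
"""


def classify(rule):
    """Return the group a single rule line belongs to."""
    if rule.startswith("#include"):
        return "include"
    if rule.startswith("capability"):
        return "capability"
    body = QUALIFIER_RE.sub("", rule)
    if body.startswith(("/", "@{", "~")):
        # Path rule: anything under the user's home directory is listed last.
        if body.startswith(("@{HOME}", "/home/", "~")):
            return "home"
        return "system"
    # network, dbus, mount, change_profile ... sit after the capabilities.
    return "other"


def sort_key(rule):
    """Sort by the path itself, ignoring owner/audit/deny and expanding tunables."""
    body = QUALIFIER_RE.sub("", rule)
    for var, path in TUNABLE_SORT_MAP.items():
        body = body.replace(var, path)
    return body


def normalize_profile(text, indent="  "):
    """Return the profile with its rules grouped, de-duplicated and alphabetised.

    Everything up to and including the opening '{' is kept verbatim. Comments
    and blank lines inside the body are dropped because their position would be
    meaningless once the rules move.
    """
    lines = text.splitlines()
    try:
        open_idx = next(i for i, l in enumerate(lines) if l.rstrip().endswith("{"))
        close_idx = max(i for i, l in enumerate(lines) if l.strip() == "}")
    except (StopIteration, ValueError):
        raise ValueError("not a flat AppArmor profile: missing '{' or '}'")

    buckets = {g: set() for g in GROUPS}
    for raw in lines[open_idx + 1:close_idx]:
        rule = raw.strip()
        if not rule or (rule.startswith("#") and not rule.startswith("#include")):
            continue
        buckets[classify(rule)].add(rule)

    out = [l.rstrip() for l in lines[:open_idx + 1]]
    for group in GROUPS:
        rules = sorted(buckets[group], key=sort_key)
        if rules:
            out.extend(indent + r for r in rules)
            out.append("")          # blank line between groups
    if out[-1] == "":
        out.pop()
    out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python3 aa_tidy.py [/etc/apparmor.d/usr.bin.kvirc]; no argument tidies the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    sys.stdout.write(normalize_profile(source))
```

Because the body is collected into sets, a rule or include that appears twice (as `abstractions/base` does in the Empathy profile above) comes out once. Check the result with `apparmor_parser -Q` before replacing the live file, since the script does not validate syntax.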

  5. #65

    Re: Share your AppArmor Profiles

    Code:
    #include <tunables/global>
    
    /usr/bin/psi {
      #include <abstractions/base>
    
    /usr/bin/psi r,
    /etc/fonts/fonts.conf r,
    /var/cache/fontconfig/*-x86.cache-2 r,
    /usr/share/fonts/ r,
    /tmp/.X11-unix/X* w,
    
    /etc/fonts/conf.d/ r,
    @{HOME}/.Xauthority r,
    
    #birinci taraz
    
    /etc/fonts/conf.avail/*.conf r,
    
    /var/lib/defoma/fontconfig.d/fonts.conf r,
    #@{HOME}/.config/Trolltech.conf rw,
    /tmp/.ICE-unix/* w,
    #@{HOME}/.psi/ w,
    
    @{HOME}/.config/Trolltech.conf rwk,
    @{HOME}/.ICEauthority r,
    /etc/ssl/certs/ca-certificates.crt r,
    #@{HOME}/.psi/*/ w,
    /usr/share/icons/** r,
    
    #@{HOME}/.psi/*/ wr,
    #@{HOME}/.psi/*/*/ wr,
    /usr/share/fonts/** r,
    
    #@{HOME}/.psi/*/*/*/ rw,
    /etc/nsswitch.conf r,
    #/etc/passwd r,
    #@{HOME}/.psi/caps.xml rw,
    /usr/share/X11/XKeysymDB r,
    #@{HOME}/.psi/profiles/*/*.xml rw,
    #@{HOME}/.psi/*.xml rw,
    #@{HOME}/.psi/psirc a,
    
    #@{HOME}/.psi/psirc rwk,
    
    /etc/resolv.conf r,
    /etc/host.conf r,
    /etc/hosts r,
    network dgram,
    
    /usr/bin/lsb_release ix,
    /etc/debian_version r,
    
    #/usr/share/psi/certs/ r,
    network stream,
    
    #/usr/share/psi/certs/* r,
    
    #/usr/bin/sox ix,
    
    /usr/bin/sox mrix,
    
    /usr/share/psi/** r,
    
    /usr/bin/python2.5 ix,
    
    #/usr/share/alsa/alsa.conf r,
    
    /usr/share/alsa/** r,
    #/dev/snd/controlC0 r,
    
    /etc/pulse/** r,
    /dev/shm/ r,
    #/dev/shm/pulse-shm-* a,
    /tmp/pulse-*/native w,
    /dev/snd/controlC0 rw,
    
    /dev/shm/pulse-shm-* wr,
    
    @{HOME}/.psi/** rw,
    @{HOME}/.psi/ rw,
    /usr/share/psi/ r,
    
    @{HOME}/.psi/psirc rwk,
    
    #ubuntu 9.10
    /etc/fonts/conf.d/** r,
    /var/run/gdm/** r,
    /etc/passwd r,
    /tmp/orbit-*/** wr,
    /proc/filesystems r,
    /usr/share/themes/** r,
    /usr/lib/pango/** mr,
    /usr/lib/gtk-2.0/** mr,
    /usr/local/share/icons/ r,
    /usr/share/icons/ r,
    /usr/share/pixmaps/ r,
    /usr/share/gvfs/remote-volume-monitors/ r,
    /usr/share/mime/** r,
    #include <abstractions/dbus>
    /usr/share/gvfs/remote-volume-monitors/** r,
    /usr/share/pyshared/** r,
    /usr/local/lib/** r,
    /etc/python*/** r,
    /usr/bin/lsb_release r,
    /etc/lsb-release r,
    /bin/dash ix,
    /usr/bin/aplay ix,
    @{HOME}/.pulse-cookie rwk,
    }

  6. #66
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Share your AppArmor Profiles

    q.dinar,

    As bodhi said, your profiles are a mess. The best way to generate a profile is to use

    Code:
    sudo aa-genprof <app>
    and then allow genprof to automatically generate the basic profile template. This will keep everything in order. From there you can use aa-logprof (which is broken in 9.10) or just use tail -f.

    One thing you should do is install auditd. This will make it *much* easier to read AppArmor logs, as they will all be stored in /var/log/audit and not in /var/log/messages. One of the AppArmor developers said that he recommends it be done this way.
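Whether the denials end up in /var/log/messages or, with auditd, in /var/log/audit/audit.log, the manual step that replaces a broken aa-logprof is the same: collect the DENIED events per profile and path and decide which ones reflect a missing rule and which are expected noise. The script below is an added example for this thread, not part of the AppArmor tools or of any poster's setup. It parses both layouts, the kernel's type=1503 lines as syslog writes them and auditd's apparmor="DENIED" lines, using the key=value fields the kernel emits (operation, profile, name, requested_mask, denied_mask). All log lines in it are constructed samples. It only reports; denials under sensitive home locations such as ~/.ssh are flagged for review rather than turned into allow rules.

```python
"""Summarise AppArmor denial events from syslog or auditd logs.

Added example for this thread, not part of the AppArmor tool set. It groups
DENIED events per (profile, path), unions the denied permission bits and
prints one line per pair so a profile author can tell a missing rule from
expected noise. It never modifies a profile.
"""
import re
import sys
from collections import defaultdict

# key=value pairs as the kernel writes them; values are "quoted" or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Kernel audit types 1500-1506 are AppArmor's (1503 = DENIED, 1505 = STATUS).
APPARMOR_TYPE_RE = re.compile(r"\btype=150\d\b")

# Home paths whose denial should be reviewed, not reflexively allowed.
SENSITIVE_HOME_RE = re.compile(r"^/home/[^/]+/\.(ssh|gnupg|bashrc|profile|bash_history)(/|$)")

# Constructed sample: kernel/syslog layout (a profile load, two denials, an
# unrelated kernel line) followed by two lines in auditd layout.
SAMPLE_LOG = """\
Dec 27 11:22:58 box kernel: [ 800.000001] type=1505 audit(1261906978.000:40): operation="profile_load" name="/usr/bin/kopete" pid=900 profile="unconfined"
Dec 27 11:23:01 box kernel: [ 812.123456] type=1503 audit(1261906981.123:41): operation="open" pid=2201 parent=1 profile="/usr/bin/kopete" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=0 name="/proc/meminfo"
Dec 27 11:23:02 box kernel: [ 813.001122] type=1503 audit(1261906982.456:42): operation="open" pid=2201 parent=1 profile="/usr/bin/kopete" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=0 name="/proc/meminfo"
Dec 27 11:23:03 box kernel: [ 814.000000] eth0: link up, 100Mbps, full-duplex
type=AVC msg=audit(1261907000.001:43): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/kopete" name="/home/user/.ssh/id_rsa" pid=2201 comm="kopete" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1261907010.003:45): apparmor="DENIED" operation="exec" parent=1 profile="/usr/bin/transmission" name="/usr/bin/xdg-open" pid=2310 comm="transmission" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""


def parse_event(line):
    """Return the key=value fields of one AppArmor log line, or None otherwise."""
    if "apparmor=" not in line and not APPARMOR_TYPE_RE.search(line):
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def is_denial(ev):
    """True for auditd-style apparmor="DENIED" and kernel-style type=1503 events."""
    return ev.get("apparmor") == "DENIED" or ev.get("type") == "1503"


def summarize_denials(log_text):
    """Group denials as {(profile, path): {"count": n, "mask": "rw", "ops": [...]}}."""
    acc = defaultdict(lambda: {"count": 0, "mask": set(), "ops": set()})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or not is_denial(ev) or "denied_mask" not in ev:
            continue
        entry = acc[(ev.get("profile", "?"), ev.get("name", "?"))]
        entry["count"] += 1
        # Older kernels wrote masks like "r::"; keep only the permission letters.
        entry["mask"].update(re.sub(r"[^a-z]", "", ev["denied_mask"]))
        entry["ops"].add(ev.get("operation", "?"))
    return {
        key: {"count": v["count"], "mask": "".join(sorted(v["mask"])), "ops": sorted(v["ops"])}
        for key, v in acc.items()
    }


def report(summary):
    """One line per (profile, path): count, operations, and the path in rule form."""
    lines = []
    for (profile, name), v in sorted(summary.items(), key=lambda kv: kv[0]):
        ops = ",".join(v["ops"])
        note = "   <-- review before allowing (sensitive home path)" if SENSITIVE_HOME_RE.match(name) else ""
        lines.append(f"{profile}: {v['count']}x {ops}  {name} {v['mask']},{note}")
    return lines


if __name__ == "__main__":
    # Usage: python3 aa_denials.py /var/log/messages [/var/log/audit/audit.log ...]
    text = "".join(open(p).read() for p in sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(summarize_denials(text))))
```

Repeated denials of the same path (the /proc/meminfo pair in the sample) are exactly the log noise the earlier post talks about: either the profile needs that rule or the read is harmless and a `deny` rule without `audit` will silence it. A single denial against ~/.ssh is the kind of entry the summary is meant to keep visible.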

  7. #67

    Re: Share your AppArmor Profiles

    I have posted my profiles as they were for me. They are not a complete mess, not random; the requests for files are in the order in which they appear during the start of the application, and then during stop and use. I would sort those requests by type and alphabet if there were too many lines, but there are not too many. But I agree it is harder for you because you did not make it, and easier for me because I remember it because I made it. And I have not needed to change my profiles much, and if I want to check whether a rule for a file is already there in order to edit it, I can just press Ctrl+F and find it. And I agree that it is easier to find if they are sorted. But the topic is "share your AppArmor profiles"; there was no such restriction to post only well-formatted profiles. I can just not post such profiles at all; I myself do not yet have enough need for them to be well-formatted.
    Last edited by q.dinar; December 28th, 2009 at 06:51 PM. Reason: edited too->to several minutes ago

  8. #68
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!

    Re: Share your AppArmor Profiles

    While it's true that there's no requirement to only post well-formatted profiles, it would be courteous to do so anyway. For only your own use, of course, format your profiles however you want; you need to be able to easily work with them. But here, where you're sharing profiles, people are much more likely to read, use and even help improve your profiles if they can easily read them. And sometimes, formatting things well can help reveal things you can do to make your profile easier to read even for yourself, or reveal things you were doing that may not have been the most efficient or were even unnecessary. It's also a lot easier to work with the same profile you're posting.

    Yes, you're free to post your profiles formatted as you wish, but for exactly the same reason others are allowed to suggest different ways of formatting, so please try not to get too upset about it. The reason for standards is so people can easily work together and new people can easily see what's going on without lots of (re-)training. To you, it makes perfect sense, but to most other people it doesn't, and it's other people you should consider when sharing profiles or asking for help. You don't have to; it's just nice if you do.
    Joel Goguen

  9. #69
    Join Date
    May 2009
    Beans
    1,934
    Distro
    Ubuntu Studio 9.10 Karmic Koala

    Re: Share your AppArmor Profiles

    Has anyone created a strong profile for Mozilla Prism and/or ggl-gtk (Google Widgets) and/or VirtualBox yet? I use it for Facebook only. Now that I am on a roll with getting AppArmor strengthened, I don't want to use programs without a profile.

    Thanks
    Last edited by running_rabbit07; January 7th, 2010 at 11:19 PM.

  10. #70

    Re: Share your AppArmor Profiles

    http://ubuntuforums.org/showpost.php...7&postcount=59 - there is a profile for VirtualBox in Ubuntu 9.04; probably you need to add several rules to it if you use it in 9.10.
