Thread: Share your AppArmor Profiles

  1. #1
    Join Date: Apr 2006 | Location: Montana | Beans: Hidden! | Distro: Kubuntu Development Release

    Share your AppArmor Profiles

    In order to promote awareness and learning of AppArmor I thought it might help if we shared our profiles. Hopefully they can be reviewed by experts and help others learn the syntax of an AppArmor Profile.

    Here is my Firefox Profile

    Firefox version 3.0.4
    Ubuntu 9.04 Alpha

    # Last Modified: Thu Dec 11 21:08:14 2008
    #include <tunables/global>

    /usr/lib/firefox-3.0.4/firefox.sh {
    #include <abstractions/base>
    #include <abstractions/bash>
    #include <abstractions/consoles>
    #include <abstractions/gnome>
    #include <abstractions/nameservice>
    #include <abstractions/user-tmp>

    network dgram,
    network stream,

    /bin/dash rix,
    /bin/grep rix,
    /bin/ps rix,
    /usr/bin/basename rix,
    /usr/lib/firefox-3.0.4/firefox mrix,
    /usr/lib/gamin/gam_server mrix,

    /dev/shm/ r,
    owner /dev/shm/pulse-* rw,
    /etc/ r,
    /etc/firefox-3.0/pref/ r,
    /etc/firefox-3.0/pref/* r,
    /etc/gre.d/ r,
    /etc/gre.d/1.9.0.4.system.conf r,
    /etc/mime.types r,
    /etc/pulse/client.conf r,
    /etc/sound/events/gtk-events-2.soundlist r,
    /etc/xulrunner-1.9/system-greprefs.js r,
    owner /home/** rw,
    owner /home/*/.adobe/ rw,
    owner /home/*/.adobe/** rw,
    owner /home/*/.config/gtk-2.0/** rwk,
    owner /home/*/.macromedia/ w,
    owner /home/*/.macromedia/** rw,
    owner /home/*/.mozilla/** rwk,
    owner /home/*/.pulse-cookie rwk,
    owner /home/*/.pulse/ w,
    owner /home/*/{Desktop,Documents,Downloads}/ rw,
    owner /home/*/{Desktop,Documents,Downloads}/** rw,

    owner /proc/*/maps r,
    /proc/*/mounts/* r,
    owner /proc/*/stat r,
    /proc/version r,
    /usr/local/share/** r,
    /usr/share/** r,
    /var/lib/dbus/machine-id r,

    }
    Enjoy (and try not to abuse my poor quality profile too much).
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  2. #2
    Join Date: Aug 2007 | Location: Kottawa, Sri Lanka | Beans: 7,387 | Distro: Ubuntu 10.04 Lucid Lynx

    Re: Share your AppArmor Profiles

    I made a Firefox profile myself, but it never was completed because I wanted to lock it down wherever access was not necessary, which is really difficult due to specific use-cases of certain users, etc.

    Anyway, here's the profile (I know, it hasn't been worked on for a long time):-
    Code:
    # Last Modified: Thu Jun 19 08:47:03 2008
    #include <tunables/global>
    /usr/lib/firefox-3.0/firefox.sh {
      #include <abstractions/base> 
      #include <abstractions/gnome>
      #include <abstractions/fonts>
      network inet,
      network inet6,
      
      /bin/dash rix,
      /etc/gai.conf r,
      /etc/passwd r,
      /etc/nsswitch.conf r,
      /usr/lib/libgconf2-4/gconfd-2 ix,
      /etc/gre.d/* r,
      /etc/gre.d/ r,
      /etc/firefox-3.0/** rw,
      /etc/firefox-3.0/* rw,
      /usr/lib/firefox-3.0/firefox.sh mr,
      /usr/lib/firefox-3.0/** rwix,
      /usr/share/ubufox/** r,
      /usr/share/applications/** r,
      /usr/share/icons/** r,
      #/tmp/** rw,
      #/tmp/ rw,
      /usr/share/myspell/dicts/* r,
      /usr/share/myspell/dicts/ r,
      /usr/share/mime/** r,
      /etc/hosts r,
      /etc/resolv.conf r,
    
    #These are needed if you need to hear any sounds at all.
      /dev/snd/** rw,
      /usr/share/alsa/alsa.conf r,
    
    #To use Gnash, these permissions have to be given.
      /usr/lib/gnash/ m,
      @{HOME}/.gstreamer-0.10/registry.* rw,
      /usr/share/gnash/* r,
      /usr/bin/gtk-gnash mixr,
    
    #The permissions required for Flash 10.
      @{HOME}/.macromedia/** rw,
      @{HOME}/.adobe/** r,
      /usr/lib/locale/en_US.utf8/* r,
      
    #Note:- The rule allows Fx to read other processes, this has to be done since Flash absolutely requires this otherwise the browser would crash.  
      @{PROC}/*/maps r,
    
    #The permissions it has within home in order to function as required.
      @{HOME}/Downloads/ rw,
      @{HOME}/Downloads/** rw,
      @{HOME}/.mozilla/firefox/97peui19.default/*.sqlite* rwk,
      @{HOME}/.mozilla/firefox/97peui19.default/** rw,
      @{HOME}/.mozilla/firefox/97peui19.default/ rw,
      @{HOME}/.mozilla/firefox/* rw,
      @{HOME}/.mozilla/firefox/97peui19.default/.parentlock k,
      @{HOME}/.mozilla/extensions/** rw,
      @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
    
    #Sun Java 6 requires these permissions.
      /usr/lib/jvm/java-6-sun*/jre/** mrix,
      /etc/java-6-sun/* r,
      /etc/java-6-sun/** r,
      @{HOME}/.java/ wr,
      @{HOME}/.java/** wr,
      @{HOME}/.java/deployment/** k,
    
    }
    Also, this thread may be of interest.

    Edit:- If you really want a profile that allows the program to work properly in addition to providing good security, then you must do it yourself, and have a good understanding of the inner workings of the program involved. An automatically generated profile is not terrible, but it does tend to allow access to unnecessary resources or files which could be exploited by malware or hackers.
    Last edited by PmDematagoda; December 12th, 2008 at 08:35 AM.
    Think carefully before executing commands containing "rm", especially "sudo rm -rf ", if you require more information concerning this matter, read this.
    I am an experimenter, give me the most stable OS and I can make it unstable in a few hours.

    C == seriously fast == FTW!

  3. #3
    Join Date: Feb 2005 | Location: ${HOME} | Beans: Hidden!

    Re: Share your AppArmor Profiles

    I put together a profile for Pidgin and XChat. The Pidgin profile allows downloading to only a specific folder, and allows uploading from any folder under $HOME, and external applications can't be executed. The XChat profile doesn't allow downloading or uploading at all, and no external applications.

    Code:
    #include <tunables/global>
    /usr/bin/pidgin {
        #include <abstractions/base>
    
        capability sys_ptrace,
    
        network inet stream,
        network inet dgram,
        network inet6 stream,
        network inet6 dgram,
    
        owner @{HOME}/** r,
        owner @{HOME}/.aspell* rk,
        owner @{HOME}/.config/enchant/* rk,
        owner @{HOME}/.fonts.conf r,
        owner @{HOME}/.gtk-bookmarks r,
        owner @{HOME}/.ICEauthority r,
        owner @{HOME}/.local/share/mime/* r,
        owner @{HOME}/.Xauthority r,
    
        owner @{PROC}/*/fd/ r,
        owner @{PROC}/*/maps r,
        owner @{PROC}/*/mounts r,
    
        /dev/shm/ r,
    
        /etc/ r,
        /etc/fonts/** r,
        /etc/ssl/certs/ r,
        /etc/gai.conf r,
        /etc/host.conf r,
        /etc/hosts r,
        /etc/nsswitch.conf r,
        /etc/passwd r,
        /etc/pulse/client.conf r,
        /etc/resolvconf/run/resolv.conf r,
    
        /usr/bin/pidgin r,
    
        /usr/lib/ r,
        /usr/lib/gtk-*/**.so rm,
        /usr/lib/libvisual-*/**.so rm,
        /usr/lib/pango/**.so rm,
        /usr/lib/pidgin/*.so rm,
        /usr/lib/purple*/*.so rm,
    
        /usr/local/share/icons/ r,
        /usr/share/fonts/ r,
        /usr/share/fonts/** r,
        /usr/share/gvfs/remote-volume-monitors/ r,
        /usr/share/gvfs/remote-volume-monitors/* r,
        /usr/share/icons/ r,
        /usr/share/icons/** r,
        /usr/share/locale-langpack/** r,
        /usr/share/mime/* r,
        /usr/share/myspell/dicts/ r,
        /usr/share/myspell/dicts/** r,
        /usr/share/pixmaps/ r,
        /usr/share/pixmaps/** r,
        /usr/share/sounds/purple/* r,
        /usr/share/tcltk/** r,
        /usr/share/themes/** r,
        /usr/share/enchant/enchant.ordering r,
    
        /var/cache/fontconfig/** r,
        /var/lib/aspell/** r,
        /var/lib/defoma/** r,
    
        owner /tmp/orbit-*/ w,
        /tmp/.ICE-unix/* w,
        /tmp/.X11-unix/* w,
        owner /tmp/pulse-*/* w,
    
        /var/run/dbus/system_bus_socket w,
    
        owner @{HOME}/.config/gtk-*/** rw,
        owner @{HOME}/.gnome2/nautilus-sendto/** rw,
        owner @{HOME}/.purple/ rw,
        owner @{HOME}/.purple/** rwk,
        owner @{HOME}/.recently-used* rw,
        owner @{HOME}/Downloads/ rw,
        owner @{HOME}/Downloads/** rw,
    
        /dev/shm/* rw,
        /dev/tty rw,
    
        /tmp/ rw,
        /tmp/orbit-*/* w,
    
        /var/tmp/ rw,
    
        @{HOME}/.gstreamer*/* ra,
    
        /usr/bin/gconftool-2 rix,
        /usr/bin/gnome-default-applications-properties ix,
        /usr/bin/gnome-network-preferences ix,
        /usr/bin/launchpad-integration ix,
    }
    I worry that it's a little too permissive, especially around /dev/shm/ and some of the config directories under $HOME.

    Code:
    #include <tunables/global>
    /usr/bin/xchat {
        #include <abstractions/base>
    
        network inet stream,
        network inet dgram,
        network inet6 stream,
        network inet6 dgram,
    
        @{HOME}/ r,
        @{HOME}/.config/** r,
        @{HOME}/.icons/ r,
        @{HOME}/.local/share/icons/ r,
        @{HOME}/.aspell* r,
        @{HOME}/.config/enchant/* rk,
        @{HOME}/.fonts.conf r,
        @{HOME}/.local/share/mime/* r,
        @{HOME}/.Xauthority r,
    
        @{PROC}/*/mounts r,
    
        /etc/fonts/** r,
        /etc/host.conf r,
        /etc/hosts r,
        /etc/nsswitch.conf r,
        /etc/passwd r,
        /etc/resolvconf/run/resolv.conf r,
    
        /usr/bin/xchat r,
    
        /usr/lib/gtk-*/**.so rm,
        /usr/lib/pango/**.so rm,
        /usr/lib/xchat/plugins/*.so rm,
    
        /usr/local/share/icons/ r,
    
        /usr/share/fonts/ r,
        /usr/share/fonts/** r,
        /usr/share/gvfs/remote-volume-monitors/ r,
        /usr/share/icons/ r,
        /usr/share/icons/** r,
        /usr/share/locale-langpack/** r,
        /usr/share/mime/* r,
        /usr/share/myspell/dicts/ r,
        /usr/share/myspell/dicts/** r,
        /usr/share/pixmaps/ r,
        /usr/share/themes/** r,
        /usr/share/enchant/enchant.ordering r,
    
        /var/cache/fontconfig/** r,
        /var/lib/aspell/** r,
        /var/lib/defoma/** r,
    
        /tmp/.X11-unix/* w,
    
        /var/run/dbus/system_bus_socket w,
    
        @{HOME}/.xchat2/** rwk,
    
        /usr/bin/launchpad-integration ix,
    }
    Joel Goguen

  4. #4
    Join Date: Oct 2008 | Location: Washington, D.C., USA | Beans: 118

    Re: Share your AppArmor Profiles

    I don't suppose there would be a way to write different AppArmor profiles for different Firefox profiles, would there? I would love to limit how much access Firefox has to my system, but I have one profile for anonymous browsing and another for non-anonymous browsing, and obviously have different threat models for both.

  5. #5
    Join Date: Apr 2006 | Location: Montana | Beans: Hidden! | Distro: Kubuntu Development Release

    Re: Share your AppArmor Profiles

    Quote Originally Posted by teddks View Post
    I don't suppose there would be a way to write different AppArmor profiles for different Firefox profiles, would there? I would love to limit how much access Firefox has to my system, but I have one profile for anonymous browsing and another for non-anonymous browsing, and obviously have different threat models for both.
    Yes, it is easy; a bit of a hack really.

    Make a hard link

    Code:
    sudo ln /usr/bin/firefox-restricted /usr/lib/firefox-3.0.5/firefox.sh
    Now make an AppArmor profile for firefox-restricted.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  6. #6
    Join Date: Oct 2008 | Location: Washington, D.C., USA | Beans: 118

    Re: Share your AppArmor Profiles

    Quote Originally Posted by bodhi.zazen View Post
    Yes, it is easy; a bit of a hack really.

    Make a hard link

    Code:
    sudo ln /usr/bin/firefox-restricted /usr/lib/firefox-3.0.5/firefox.sh
    Now make an AppArmor profile for firefox-restricted.
    Ah, alright. Thanks. Will linking to the /usr/bin/firefox link work, as well? I'd like to avoid doing this every version bump...

  7. #7
    Join Date: Oct 2008 | Location: Washington, D.C., USA | Beans: 118

    Re: Share your AppArmor Profiles

    Quote Originally Posted by jgoguen View Post
    I put together a profile for Pidgin and XChat. The Pidgin profile allows downloading to only a specific folder, and allows uploading from any folder under $HOME, and external applications can't be executed. The XChat profile doesn't allow downloading or uploading at all, and no external applications.

    I worry that it's a little too permissive, especially around /dev/shm/ and some of the config directories under $HOME.
    I added this to allow opening URL:

    Code:
    /usr/bin/gnome-open Ux,
    Is that too insecure?

  8. #8
    Join Date: Apr 2006 | Location: Montana | Beans: Hidden! | Distro: Kubuntu Development Release

    Re: Share your AppArmor Profiles

    First, IMO, nothing is "too insecure" per se, but I would try running with irx rather than Ux.

    Second, I am not 100% sure about the link, it was just a suggestion. I know it works with bash but I have not tried it with firefox.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  9. #9
    Join Date: Oct 2008 | Location: Washington, D.C., USA | Beans: 118

    Re: Share your AppArmor Profiles

    Quote Originally Posted by bodhi.zazen View Post
    First, IMO, nothing is "too insecure" per se, but I would try running with irx rather than Ux.

    Second, I am not 100% sure about the link, it was just a suggestion. I know it works with bash but I have not tried it with firefox.
    Doesn't work with rix. I suppose I could write a profile for gnome-open, but pidgin's profile is just not good enough. I would need to give pidgin permissions for xdg-open, /etc/orbitrc, and dash, among other things.

    As for the link: It seems that making a hard link to a symbolic link just causes it to resolve the symbolic link. Would making a script that called firefox with profile arguments work?

  10. #10
    Join Date: Feb 2005 | Location: ${HOME} | Beans: Hidden!

    Re: Share your AppArmor Profiles

    Using ix would require gnome-open to be restricted by the same profile as Firefox. So without giving Firefox access to everything gnome-open needs as well, using ix won't work. Same goes for any other profile.
    Joel Goguen
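The "too permissive" worry in post #3 and the Ux-versus-ix discussion in posts #7 to #10 both come down to spotting a handful of rule shapes in a profile. The following linter is an added example, not code from any poster or from the AppArmor project; it parses file rules with a simplified regex (no nested profiles or rule prefixes beyond `owner`) and runs over a constructed sample assembled from rules that appear in this thread.

```python
import re

# Constructed sample (not a complete working profile): representative rules
# taken from the profiles posted in this thread, plus the Ux rule from post #7.
SAMPLE_RULES = """
/usr/lib/firefox-3.0.4/firefox.sh {
  #include <abstractions/base>
  network inet stream,
  owner /home/** rw,
  owner /home/*/.mozilla/** rwk,
  /dev/shm/* rw,
  /usr/lib/firefox-3.0/** rwix,
  /usr/bin/gnome-open Ux,
  /usr/bin/launchpad-integration ix,
  /usr/share/** r,
}
"""

# One file rule: optional "owner" qualifier, a path (literal or starting with a
# variable such as @{HOME}), a permission string, then the trailing comma.
# #include, network and capability lines deliberately do not match.
RULE_RE = re.compile(r'^\s*(owner\s+)?([/@]\S+)\s+([A-Za-z]+)\s*,\s*$')

SHARED_DIRS = ('/tmp/', '/dev/shm/', '/var/tmp/')
WHOLE_HOME = {'/home/**', '/home/*/**', '@{HOME}/**'}

def parse_rules(text):
    """Return (has_owner, path, perms) for every file rule in the text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1) is not None, m.group(2), m.group(3)))
    return rules

def lint(text):
    """Flag rule shapes a reviewer would question; returns (path, message) pairs."""
    findings = []
    for has_owner, path, perms in parse_rules(text):
        if 'U' in perms or 'u' in perms:
            findings.append((path, 'unconfined exec (Ux/ux): the child leaves the profile entirely'))
        if 'w' in perms and 'x' in perms:
            findings.append((path, 'write and execute on one rule: the process could alter what it runs'))
        if 'w' in perms and path in WHOLE_HOME:
            findings.append((path, 'write access to the whole home directory'))
        if 'w' in perms and '**' in path and not has_owner:
            findings.append((path, 'recursive write without the owner qualifier'))
        if 'w' in perms and path.startswith(SHARED_DIRS) and not has_owner:
            findings.append((path, 'write into a shared directory without the owner qualifier'))
    return findings

if __name__ == '__main__':
    for path, msg in lint(SAMPLE_RULES):
        print(f'{path}: {msg}')
```

Rules that pass (for example `owner /home/*/.mozilla/** rwk` or `/usr/bin/launchpad-integration ix`) produce no output, so an empty run is the desired result.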
