
Thread: AppArmor Support Thread

  1. #71

    Re: AppArmor Support Thread

    Hello.
    I am now trying to set up the worker MPM Apache with AppArmor. I have renamed the AppArmor profile for Apache to
    usr.lib.apache2.mpm-worker.apache2
    .
    Now on
    sudo /etc/init.d/apache2 reload
    I get the following:
    in the Apache error log:
    [Mon Dec 21 23:21:36 2009] [notice] SIGUSR1 received. Doing graceful restart
    apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
    [Mon Dec 21 23:21:36 2009] [notice] Apache/2.2.12 (Ubuntu) configured -- resuming normal operations
    [Mon Dec 21 23:21:36 2009] [error] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
    [Mon Dec 21 23:21:36 2009] [error] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
    >2009-12-24 8:57 utc+3 : there were duplicated profiles ...<

    in syslog:
    Dec 21 23:21:36 dinar-desktop kernel: [ 4228.280778] type=1503 audit(1261426896.545:356): operation="change_hat" info="unconfined" error=-1 pid=5670
    Dec 21 23:21:36 dinar-desktop kernel: [ 4228.280828] type=1503 audit(1261426896.545:357): operation="change_hat" info="unconfined" error=-1 pid=5670
    Dec 21 23:21:36 dinar-desktop kernel: [ 4228.287792] type=1503 audit(1261426896.549:358): operation="change_hat" info="unconfined" error=-1 pid=5698
    Dec 21 23:21:36 dinar-desktop kernel: [ 4228.287844] type=1503 audit(1261426896.549:359): operation="change_hat" info="unconfined" error=-1 pid=5698

    23:55 utc+3: maybe there is a bug: http://forge.novell.com/pipermail/ap...ry/000233.html .

    2009-12-22 9:40 utc+3 : somehow it works now after some changes to the Apache profile and "/etc/init.d/apache2 stop" and "/etc/init.d/apache2 start" and "a2dismod apparmor" and "a2enmod apparmor". 19:15 utc+3 : and after a restart of the OS.
    Last edited by q.dinar; December 24th, 2009 at 06:58 AM.

  2. #72

    Re: AppArmor Support Thread

    Empathy says "Failed to execute child process "firefox" (No such file or directory)" when I try to open a URL in a chat room. There is in the Empathy profile:
    /usr/lib/firefox-3.5.*/firefox.sh Pxr,
    and no log, so I do not know what is denied.


    Why is there in the Firefox profile (the one in Ubuntu 9.10):
    /usr/bin/evince PUxr,
    ? What is PUxr? Is it correct?

  3. #73

    Re: AppArmor Support Thread

    Hello. I have installed PHP so that Apache uses it through(?) fcgid. Now I am testing AppArmor. I test in the default vhost, which is in /var/www/ . I applied a "hat" to it with the AAHatName directive in the Directory tag inside the VirtualHost tag in Apache's "default" site configuration file, but I see that the hat works only for HTML files. PHP is not confined; it can read any files. I have made a "usr.bin.php5-cgi" profile but it does not work. Maybe its name is not correct and I am trying to confine the wrong binary?
    How do I create a profile for PHP?
    Maybe I will try AppArmor's tool for creating profiles...

  4. #74

    Re: AppArmor Support Thread

    Quote Originally Posted by q.dinar View Post
    Hello. I have installed the extra profiles; they are installed in /usr-share/doc/apparmor..... , and I have copied some of them to /etc/apparmor.d/ .
    When I ran the netstat program these messages appeared:
    Dec 21 08:54:06 dinar-desktop kernel: [ 2393.374180] type=1503 audit(1261374846.637:173): operation="open" pid=3033 parent=2363 profile="/bin/netstat" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/proc/1/fd/"
    Dec 21 08:54:06 dinar-desktop kernel: [ 2393.374225] type=1503 audit(1261374846.637:174): operation="open" pid=3033 parent=2363 profile="/bin/netstat" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/proc/2/fd/"
    ...
    though there is
    @{PROC}/[0-9]*/fd r,
    in /etc/apparmor.d/bin.netstat
    Quote Originally Posted by q.dinar View Post
    Dec 21 08:36:49 dinar-desktop kernel: [ 1356.514076] type=1503 audit(1261373809.777:172): operation="open" pid=2710 parent=2709 profile="/etc/cron.daily/logrotate" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/logrotate.d/"
    though there was
    /etc/logrotate.d r,
    in /etc/apparmor.d/etc.cron.daily.logrotate .
    I have now added
    /etc/logrotate.d/ r,
    to it and will look at what happens when logrotate is run by cron.
    Quote Originally Posted by q.dinar View Post
    I used netstat this way:
    sudo netstat -tunp
    and now I have added to its profile:
    @{PROC}/[0-9]*/fd/ r,
    and it gives other messages now, so the "trailing slash" is important here. And I hope that adding the last slash also fixed that error of logrotate.
    This is the difference with that final slash. As you've noticed, adding it is necessary to allow reading not only the directory itself but also what is in that directory. I suspect that with the final slash added (assuming you've reloaded the profile) you won't see this particular error from these profiles. Also assuming, of course, that UNIX permissions also allow what you're trying to do.

    Quote Originally Posted by q.dinar View Post
    Hello. Why does tcpdump need "usb"? And is "usb" "universal serial bus"?
    It asked on my computer:
    Dec 21 14:53:16 dinar-desktop kernel: [ 4185.081498] type=1503 audit(1261396396.345:195): operation="open" pid=2963 parent=2185 profile="/usr/sbin/tcpdump" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/dev/bus/usb/"
    Also there is in its AppArmor profile:
    @{PROC}/bus/usb/ r,
    @{PROC}/bus/usb/** r,
    Now I have added
    /dev/bus/usb/ r,
    but I think I will comment it out.

    Now it has also asked for /dev/usbmon1, /dev/usbmon2, /dev/usbmon3.

    Maybe that is for a USB ADSL modem? But mine is not that.
    As you've noticed in previous posts, sometimes access is requested that isn't actually required. As before, my general advice is to grant access you know is needed if the program isn't working properly. If the program works properly with the access you've given it, apply the principle of "if it's not broken, don't fix it". I believe you're right though, I think the USB-related access requests are for USB modems. Since you don't have one, you can safely ignore these messages.

    Quote Originally Posted by q.dinar View Post
    And I have a question about installing programs like Skype and Google Earth. What if I open their deb file with the archive manager (file-roller...?) and check the files in control.tar.gz and data.tar.gz? As I remember and know, there is no installer script in the Skype package, only one binary file. If there is an installer script in control.tar.gz, I should check what it does by looking at its code, I think.
    That is completely up to you. If you want to open the package up and check the installer script, go right ahead. But, if you're going to do that because you don't trust it, I would question the use of Skype, which is a closed program that you can't inspect in any way, more than I would question the installer script.

    Quote Originally Posted by q.dinar View Post
    I ran some programs as root by mistake(?), sometimes even ones not confined with AppArmor. Now I have deleted /root/ from tunables/home and suggest that to you. Now I have run Firefox 3.5 with the AppArmor profile and /root/ deleted, as root; it could not run. I have checked the profile and I see it cannot do much, but do you know what it can do if it runs as root?
    Unfortunately, once I ran OpenOffice as root by mistake in a previous installation. Now only Firefox is confined. Now I am going to open files by right-clicking first, and suggest that to you when working with gksudo nautilus.
    I'm not quite sure what you're asking (or saying?) here. Could you explain it more and I'll see if I can help?

    Quote Originally Posted by q.dinar View Post
    Another thing about tcpdump:
    sudo tcpdump -qn > /var/log/tcpdump.log
    says:
    bash: /var/log/tcpdump.log: Permission denied
    and nothing is written by AppArmor to the log files.
    That's because you're being denied by UNIX permissions. Here's what happens with that command:

    • The shell attempts to create the file /var/log/tcpdump.log
    • The shell attempts to open the file /var/log/tcpdump.log for writing, deleting the existing contents (if any)
    • The shell executes tcpdump, setting its stdout file stream to the stream opened in the last step


    In your case, step 1 fails so nothing else happens. You should either redirect output to a file somewhere you can write, or use "sudo tcpdump -qn | sudo tee /var/log/tcpdump.log" to get the same result as what I believe you intend based on the command you tried.

    Quote Originally Posted by q.dinar View Post
    By the way, why are the contents of syslog, messages and kern.log partially duplicated? How can I make every log line be written to only one log file?
    That would require a lot of playing around with the syslog configuration files.

    Quote Originally Posted by q.dinar View Post
    Empathy says "Failed to execute child process "firefox" (No such file or directory)" when I try to open a URL in a chat room. There is in the Empathy profile:
    /usr/lib/firefox-3.5.*/firefox.sh Pxr,
    and no log, so I do not know what is denied.
    What is denied is executing firefox. The profile allows executing firefox.sh, but Empathy is trying to execute firefox. If you change the profile accordingly, reload the profile, and restart Empathy it should work fine.

    Quote Originally Posted by q.dinar View Post
    Why is there in the Firefox profile (the one in Ubuntu 9.10):
    /usr/bin/evince PUxr,
    ? What is PUxr? Is it correct?
    Evince is allowed since that's what is used to read PDF files. PUxr is indeed correct; it's a new sequence for Karmic. "PUx" means "execute this program with an AppArmor profile if one exists, or execute it unconfined if no profile exists".

    Quote Originally Posted by q.dinar View Post
    Hello. I have installed PHP so that Apache uses it through(?) fcgid. Now I am testing AppArmor. I test in the default vhost, which is in /var/www/ . I applied a "hat" to it with the AAHatName directive in the Directory tag inside the VirtualHost tag in Apache's "default" site configuration file, but I see that the hat works only for HTML files. PHP is not confined; it can read any files. I have made a "usr.bin.php5-cgi" profile but it does not work. Maybe its name is not correct and I am trying to confine the wrong binary?
    How do I create a profile for PHP?
    Maybe I will try AppArmor's tool for creating profiles...
    I think we will need to see the full profiles for all relevant programs to be able to best help here. If you would rather not post profiles, please describe what applications in this scenario are confined, which are executed with and without profiles, and what executable path you specify in the profiles.
    Joel Goguen

  5. #75

    Re: AppArmor Support Thread

    Hello. I have written both firefox and firefox.sh in the Empathy profile; it does not work. It did not even ask for firefox through AppArmor, there was only ...sh.
    >14:47 utc+3 : now I have written ..sh Ux, and it works<

    I think if a closed-source binary is confined by AppArmor it is quite safe; the only thing to check is the install scripts, because they are not confined by AppArmor, but it is good that they are open source. Can they be closed source (in a normal deb file)?

    I asked about running gksudo nautilus and double-clicking files like ...html, ...doc in it, and thereby running such big programs as root.

    thank you.

    I am going to publish my old and new profiles.

    After a restart Apache again complained as it did before yesterday:
    Dec 23 10:06:53 dinar-desktop kernel: [ 2359.691871] type=1503 audit(1261552013.953:459): operation="open" pid=5816 parent=5668 profile="/usr/lib/apache2/mpm-worker/apache2//HANDLING_UNTRUSTED_INPUT" requested_mask="::r" denied_mask="::r" fsuid=33 ouid=0 name="/etc/ld.so.cache"
    Dec 23 10:06:53 dinar-desktop kernel: [ 2359.692017] type=1503 audit(1261552013.953:460): operation="open" pid=5816 parent=5668 profile="/usr/lib/apache2/mpm-worker/apache2//HANDLING_UNTRUSTED_INPUT" requested_mask="::r" denied_mask="::r" fsuid=33 ouid=0 name="/lib/libgcc_s.so.1"
    Dec 23 10:06:53 dinar-desktop kernel: [ 2359.713426] type=1503 audit(1261552013.977:461): operation="open" pid=5816 parent=5668 profile="/usr/lib/apache2/mpm-worker/apache2//HANDLING_UNTRUSTED_INPUT" requested_mask="::rw" denied_mask="::rw" fsuid=33 ouid=0 name="/dev/tty"
    This happens many times. Reloading the Apache profile helped; I will look at what happens after a restart.
    >14:47 utc+3 : I think this is solved now. There were 2 Apache profiles, one with an incorrect file name; I thought it would not affect anything because there is no such file, but I should have edited the file name in the content of the profile file.<

    11:44 utc+3 : when is HANDLING_UNTRUSTED_INPUT used, when is DEFAULT_URI used, and when is the main profile used? 2009-12-24 8:54 utc+3 : http://www.mpipks-dresden.mpg.de/~mu...l/bx5dh07.html , http://manpages.ubuntu.com/manpages/...pparmor.8.html , http://www.novell.com/documentation/...a/bx5dh07.html .

    11:46 utc+3: I think I know why PHP is not confined: because
    / rw,
    /** mrwlkix,
    is in the main profile and in HANDLING_UNTRUSTED_INPUT and in DEFAULT_URI. 13:34 utc+3: now I think it is not because of this.
    Last edited by q.dinar; December 24th, 2009 at 06:56 AM.

  6. #76

    Re: AppArmor Support Thread

    Many lines like these appear again after a restart:
    Code:
    Dec 23 10:06:53 dinar-desktop kernel: [ 2359.691871] type=1503 audit(1261552013.953:459): operation="open" pid=5816 parent=5668 profile="/usr/lib/apache2/mpm-worker/apache2//HANDLING_UNTRUSTED_INPUT" requested_mask="::r" denied_mask="::r" fsuid=33 ouid=0 name="/etc/ld.so.cache"
    Dec 23 10:06:53 dinar-desktop kernel: [ 2359.692017] type=1503 audit(1261552013.953:460): operation="open" pid=5816 parent=5668 profile="/usr/lib/apache2/mpm-worker/apache2//HANDLING_UNTRUSTED_INPUT" requested_mask="::r" denied_mask="::r" fsuid=33 ouid=0 name="/lib/libgcc_s.so.1"
    Dec 23 10:06:53 dinar-desktop kernel: [ 2359.713426] type=1503 audit(1261552013.977:461): operation="open" pid=5816 parent=5668 profile="/usr/lib/apache2/mpm-worker/apache2//HANDLING_UNTRUSTED_INPUT" requested_mask="::rw" denied_mask="::rw" fsuid=33 ouid=0 name="/dev/tty"
    >14:47 utc+3 : I think this is solved now. There were 2 Apache profiles, one with an incorrect file name; I thought it would not affect anything because there is no such file, but I should have edited the file name in the content of the profile file.<


    Another strange thing:
    Code:
    sudo  apparmor_parser -R /etc/apparmor.d/usr.lib.apache2.mpm-worker.apache2
    Ignoring: '/etc/apparmor.d/apache2.d/123php~'
    apparmor_parser: Unable to remove "123php".  Profile doesn't exist
    though that file exists, and there is also a phpsysinfo hat profile file; there is no error message about it, only about 123php. I made 123php to apply to the default virtual host.

    Something may be related to that with Apache at start: at system boot time(?) there are many lines about profile loads in syslog, but none among them about Apache.
    Last edited by q.dinar; December 23rd, 2009 at 12:51 PM.
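    The denial lines quoted in the last three posts all have the same shape, and the two mistakes found along the way (a directory rule written without its trailing slash, and a profile file renamed while its header still named the old binary, so Apache ran unconfined and change_hat failed) can both be caught mechanically. The script below is an added example for this thread, not code from the posters or from the AppArmor project. The log lines and the profile text in it are constructed copies of what the posts quote; the file-name check assumes Ubuntu's naming convention for /etc/apparmor.d (leading slash dropped, remaining slashes replaced by dots), which is a convention and not something the kernel enforces.

```python
"""Turn AppArmor kernel audit lines into candidate profile rules.

Added example for this thread, not AppArmor or Ubuntu code.  The sample log
and sample profile are constructed copies of what the posts quote.
"""
import re

# Constructed sample input, shaped like the type=1503 kernel messages in the
# thread (AppArmor 2.3-era format).  Real lines come from kern.log or auditd.
SAMPLE_LOG = """\
Dec 21 08:54:06 host kernel: [ 2393.374180] type=1503 audit(1261374846.637:173): operation="open" pid=3033 parent=2363 profile="/bin/netstat" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/proc/1/fd/"
Dec 21 08:36:49 host kernel: [ 1356.514076] type=1503 audit(1261373809.777:172): operation="open" pid=2710 parent=2709 profile="/etc/cron.daily/logrotate" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/logrotate.d/"
Dec 23 10:06:53 host kernel: [ 2359.691871] type=1503 audit(1261552013.953:459): operation="open" pid=5816 parent=5668 profile="/usr/lib/apache2/mpm-worker/apache2//HANDLING_UNTRUSTED_INPUT" requested_mask="::r" denied_mask="::r" fsuid=33 ouid=0 name="/etc/ld.so.cache"
Dec 21 23:21:36 host kernel: [ 4228.280778] type=1503 audit(1261426896.545:356): operation="change_hat" info="unconfined" error=-1 pid=5670
"""

# Constructed profile: the file was renamed for the worker MPM, but the header
# still names the prefork binary, which is the mistake reported in post #75.
RENAMED_PROFILE = """\
#include <tunables/global>
/usr/lib/apache2/mpm-prefork/apache2 {
  #include <abstractions/base>
  ^HANDLING_UNTRUSTED_INPUT {
    /var/www/** r,
  }
}
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEADER_RE = re.compile(r"^\s*(?:profile\s+)?(/\S+)\s*(?:flags=\([^)]*\)\s*)?\{", re.M)


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "type=1503" not in line and "apparmor=" not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def generalise_path(name):
    """Spell /proc/<pid>/... the way shipped profiles do: @{PROC}/[0-9]*/..."""
    m = re.match(r"^/proc/\d+(/.*)?$", name)
    return "@{PROC}/[0-9]*" + (m.group(1) or "") if m else name


def suggest(ev):
    """Map one event to (profile, hat, rule-or-note); None if not actionable."""
    if ev.get("operation") == "change_hat" and ev.get("info") == "unconfined":
        note = ("pid %s called change_hat while unconfined: no profile is attached, "
                "so check that the profile header path matches the running binary"
                % ev.get("pid"))
        return (None, None, note)
    if "denied_mask" not in ev or "name" not in ev:
        return None
    profile, _, hat = ev["profile"].partition("//")   # "prof//HAT" means a hat
    perms = "".join(sorted(set(ev["denied_mask"].replace(":", ""))))
    path = generalise_path(ev["name"])
    rule = "%s %s," % (path, perms)
    if ev["name"].endswith("/"):
        # The kernel reports a directory with a trailing slash; a rule for
        # "/etc/logrotate.d" does not match "/etc/logrotate.d/".
        rule += "  # directory: keep the trailing slash"
    return (profile, hat or None, rule)


def suggest_all(log_text):
    """Run suggest() over every AppArmor line in a log excerpt."""
    out = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        s = suggest(ev) if ev else None
        if s:
            out.append(s)
    return out


def attachment_path(profile_text):
    """Path in the profile header; this, not the file name, is what the kernel matches on exec."""
    m = HEADER_RE.search(profile_text)
    return m.group(1) if m else None


def conventional_filename(path):
    """Ubuntu's /etc/apparmor.d naming convention (assumed): drop leading '/', '/' -> '.'."""
    return path.lstrip("/").replace("/", ".")


def filename_matches_header(filename, profile_text):
    """False when a file was renamed but its header still names the old binary."""
    path = attachment_path(profile_text)
    return path is not None and conventional_filename(path) == filename


if __name__ == "__main__":
    for profile, hat, text in suggest_all(SAMPLE_LOG):
        where = (profile or "(no profile)") + ("  ^" + hat if hat else "")
        print("%-65s %s" % (where, text))
    print("usr.lib.apache2.mpm-worker.apache2 matches its header:",
          filename_matches_header("usr.lib.apache2.mpm-worker.apache2", RENAMED_PROFILE))
```

    The script only proposes rules; whether a denied access should actually be granted is the judgement described in post #74 (grant what the program needs to work, ignore the rest). Rules whose profile field contains "//" belong inside the named ^hat block, not at the top level of the profile. Point it at a saved kern.log or auditd excerpt instead of SAMPLE_LOG to see real output.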

  7. #77

    Re: AppArmor Support Thread

    Quote Originally Posted by q.dinar View Post
    Hello. I have written both firefox and firefox.sh in the Empathy profile; it does not work. It did not even ask for firefox through AppArmor, there was only ...sh.
    14:47 utc+3 : now I have written ..sh Ux, and it works
    If it works with Ux, what that means is that either the Empathy or the Firefox profile was defined incorrectly (possibly both) and now Firefox runs unconfined when started from Empathy. I don't know what I was thinking suggesting to have firefox in the profile when it's just a symlink pointing to a firefox.sh. Try making your Empathy rule "/usr/lib/firefox-*/firefox.sh Px" (or use the shiny new PUx to avoid issues) and make sure your Firefox profile is defined for the current Firefox install. Currently, in Karmic at least, that's /usr/lib/firefox-3.5.6/firefox.sh.

    Quote Originally Posted by q.dinar View Post
    I think if a closed-source binary is confined by AppArmor it is quite safe; the only thing to check is the install scripts, because they are not confined by AppArmor, but it is good that they are open source. Can they be closed source (in a normal deb file)?
    I believe the install scripts must be scripts, but they aren't required. I've never tried having anything other than a shell script for a package install.
    Last edited by jgoguen; December 23rd, 2009 at 02:03 PM.
    Joel Goguen

  8. #78

    Re: AppArmor Support Thread

    Quote Originally Posted by q.dinar View Post
    Code:
    sudo  apparmor_parser -R /etc/apparmor.d/usr.lib.apache2.mpm-worker.apache2
    Ignoring: '/etc/apparmor.d/apache2.d/123php~'
    apparmor_parser: Unable to remove "123php".  Profile doesn't exist
    though that file exists, and there is also a phpsysinfo hat profile file; there is no error message about it, only about 123php. I made 123php to apply to the default virtual host.
    The message about the profile not existing doesn't mean there's no file with that name, it means there's no profile loaded with that name. The tilde (~) at the end of the name typically indicates a backup file, so check to see that there is only one file that defines the profile. If you have both 123php and 123php~ and they both define the same profile, delete 123php~ and try again.
    Joel Goguen

  9. #79

    Re: AppArmor Support Thread

    Quote Originally Posted by jgoguen
    ...
    If it works with Ux, what that means is that either the Empathy or the Firefox profile was defined incorrectly (possibly both) and now Firefox runs unconfined when started from Empathy. I don't know what I was thinking suggesting to have firefox in the profile when it's just a symlink pointing to a firefox.sh Try making your Empathy rule "/usr/lib/firefox-*/firefox.sh Px" (or use the shiny new PUx to avoid issues) and make sure your Firefox profile is defined for the current Firefox install. Currently, in Karmic at least, that's /usr/lib/firefox-3.5.6/firefox.sh.
    No, here on Ubuntu 9.10 I have a profile for Firefox:
    Code:
    /usr/lib/firefox-3.5.*/firefox {
    Now Firefox runs confined when opened from Empathy, because firefox.sh runs it with Px. It did not work just because I set ...sh Px while there was no profile for ...sh .

  10. #80

    Re: AppArmor Support Thread

    q.dinar,

    On a related note, it would be better if you installed auditd for logging. This is recommended for AppArmor (as some of the devs themselves told me).
