AppArmor Support Thread

[jgoguen]

To avoid cluttering up the Share your AppArmor Profiles thread, please post questions about AppArmor (why something is asking for certain permissions or capabilities, what is the difference between Px and ix and why do I never ever ever use Ux, how do I figure out where the real executable is...) in this thread.

[q.dinar]

http://ubuntuforums.org/showpost.php...6&postcount=40 :

hello.
xchat asks for /home/*/.recently-used.xbel . what is that, why xchat wants it, i looked into it, i have thought it is written with what file opened with what program.
also i see wine asks something though [i thought] it is off, i looked in system monitor and see "winbind"s by root.
wine asks for:
... operation="capable" name="dac_override" ... profile="/usr/bin/wine"
... operation="capable" name="dac_read_search" ... profile="/usr/bin/wine"
... operation="inode_mkdir" requested_mask="w::" denied_mask="w::" fsuid=0 name="/root/.wine/" ... profile="/usr/bin/wine"

[jgoguen]

hello.
xchat asks for /home/*/.recently-used.xbel . what is that, why xchat wants it, i looked into it, i have thought it is written with what file opened with what program.
also i see wine asks something though [i thought] it is off, i looked in system monitor and see "winbind"s by root.
wine asks for:
... operation="capable" name="dac_override" ... profile="/usr/bin/wine"
... operation="capable" name="dac_read_search" ... profile="/usr/bin/wine"
... operation="inode_mkdir" requested_mask="w::" denied_mask="w::" fsuid=0 name="/root/.wine/" ... profile="/usr/bin/wine"

.recently-used.xbel is a XML file containing information about the last files opened and what applications have opened those files. This is used in the Recent Documents (Places -> Recent Documents) list, as well as the recent documents list of applications. Some applications don't use this file, but I believe any that are written to take advantage of the GNOME environment do use it.

I'm not sure about the Wine capabilities. It sounds like something that Windows programs would try to override though. dac_override means to bypass read, write and execute permission checks. dac_read_search means to bypass file read permission checks and directory read and execute permission checks. Windows programs may not function properly without those.

[jgoguen]

A few more questions that have been asked:

Can I use AppArmor to restrict access based on IP address?

No. You can use AppArmor to prevent an application from accessing the network, and you can allow it access to only IPv4 or IPv6, and only TCP or UDP. If the program is run by a specific user, you could instead use iptables to handle this, using the parameters -m owner --uid-owner <userid>. The --uid-owner parameter accepts a user ID, and the iptables rule will match packets coming from a program run by that user. To find a user ID given a username, use this command (replace "username" with the username you want to find the ID for):

Code:

grep username /etc/passwd | cut -d":" -f3

There is no way to use iptables with Ubuntu to restrict access based on the program name, because the Ubuntu Linux kernel is not compiled with the options required to enable the --cmd-owner flag.

How do I decide what path to use for the profile?

You need the full path that actually gets run. I'll use Firefox here as an example, since it requires following some links:

• Start with the path to Firefox. Checking the menu shows that the command run is firefox.
• Find where the firefox command is: which firefox (output: /usr/bin/firefox)
• Check to see if this is a link: readlink /usr/bin/firefox (output: firefox-3.0)
• This means that the link points to firefox-3.0 relative to /usr/bin/firefox, and the full path now becomes /usr/bin/firefox-3.0
• Check if this is a link: readlink /usr/bin/firefox-3.0 (output: ../lib/firefox-3.0.5/firefox.sh[/b])
• This means that the link points to ../lib/firefox-3.0.5/firefox.sh relative to /usr/bin/firefox-3.0 and the full path now becomes /usr/lib/firefox-3.0.5/firefox.sh
• Check if this is a link: readlink /usr/lib/firefox-3.0.5/firefox.sh (output: <none>)
• No output means this is not a link. You've now found the full path to use for your profile

Just to take that last question one step further, how do I know what name to give the AppArmor profile?

Profile files take a name based off the full path used for the profile. Let's use Firefox as an example again, since we've already found its full path:

• First, take the full path name and remove the first slash. This means that /usr/lib/firefox-3.0.5/firefox.sh becomes usr/lib/firefox-3.0.5/firefox.sh
• Now, convert all remaining slashes to periods. The name now becomes usr.lib.firefox-3.0.5.firefox.sh
• This is the name for the AppArmor profile file. AppArmor profiles are placed in /etc/apparmor.d/

[q.dinar]

hello. i asked this: does apparmor work against codecs, flash player, videodriver?
now i know that i cannot make separate profile for flash when it is used with firefox. by the way does not flash package include a separate flash player for swf files?

now i ask these: how to name/create profile file for nvidia and ati videodriver.
can we make separate package for video codecs for they are used with different players. but i think there is another way: to make rules for them in separate file and include that in different profiles. that also applies to rules for flash player that can be used with different browsers.
there are "bad" codec package that is in "multiverse", is it at least partially closed-source? 8:11 gmt: i have posted notice if multiverse package is completely/fully open-source in ubuntu brainstorm.

[q.dinar]

/usr/share/libthai/* r,

is in firefox's [apparmor] profile file, but it still asks for it:

Jan 28 09:52:17 linux2008 kernel: [808819.249751] type=1503 audit(1233125537.243:5497): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/usr/share/libthai/thbrk.sbm" pid=29530 profile="/usr/lib/firefox-3.0.5/firefox.sh"

[jgoguen]

how to name/create profile file for nvidia and ati videodriver.
can we make separate package for video codecs for they are used with different players.

No, and no, for the same reason you can't have a profile for the Flash player in Firefox. I believe that Gnash and swfdec both include standalone Flash players, and you could write profiles for those, but unless Firefox executes those as separate processes Flash in Firefox would remain affected only by the Firefox profile. Adobe's Flash plugin is only a plugin, not a standalone player, so you can't write a profile for it. Similarly, because the video drivers are loaded as part of X and not executed, the profile would have to be written for X, not for the video drivers. And video codecs are the same, they're loaded as part of the video player application and so the profile would have to be written for the video player (totem, mplayer, etc.) and not the video codecs themselves. I would love to be wrong on this entire paragraph though, so if anyone can show that I'm wrong please do

[jgoguen]

To start off, here's a few questions that have already been asked:

Can I have one application use different AppArmor profiles?

Yes, but not easily. You need to make a hard link from the program to a second name for the program. This is because AppArmor enforces profiles by paths. So let's say for example that you have /usr/bin/myprogram that you want to apply two different AppArmor profiles to. Create an AppArmor profile for /usr/bin/myprogram. Then, make a hard link for the path to use in the second application:

Code:

sudo ln /usr/bin/myprogram /usr/bin/myprogram2

Now, create your second AppArmor profile, but instead of /usr/bin/myprogram usr /usr/bin/myprogram2. Once that's done, you can run myprogram to have it use the first profile, or you can run myprogram2 to have it use the second profile.

What is the difference between r::, ::x, etc. in the log?

These are the permissions the program is asking for. The colons split the permissions up into user permissions, group permissions, and "other" (neither user nor group) permissions. So r:: means the program is asking for user read permissions. If you see :w:, that means the program wants group write permissions. ::x means "other" execute permissions. Note that when you're giving execute permissions, you can't just give x - you have to give Px, Ux, or ix. More on those later.

What is the difference between "requested mask" and "denied mask"?

Requested mask is what the program is asking for. This may be something like rmx::. The "m" permission means it wants permission to use mmap(2) on the executable. Denied mask is what the program isn't getting. Given the previous requested mask, if the denied mask were to be mx:: that would mean that the AppArmor profile allows read permissions, but it does not allow map or execute permissions. Before blindly giving those permissions, however, you should decide whether they're reqlly needed. If you're not certain, you can always ask here.

What's the difference between ix, ux, Px, etc.?

AppArmor provides 5 permission flags for execute permissions:

• ux - Unconfined execute
• Ux - Unconfined execute, scrub the environment
• px - execute with a profile written for the application
• Px - execute with a profile written for the application, scrub the environment
• ix - execute using the existing profile

In general, you should never use ux or Ux - that removes AppArmor protection for the executed program! Instead, use Px (or px) if the application being executed has its own profile, or ix if not.

More again later!

[Laiquendi]

Forgive me necromancy, but this is the core of the question actually - why most topics dealing with apparmor went dead? No new profiles, less and less answers - is apparmor being abandoned - any other better solution came up?

[Soul-Sing]

There used to be a sharing of profiles. But ubuntu comes with default profiles, which are in dev.