Page 3 of 19 (results 21 to 30 of 185)

Thread: AppArmor Support Thread

  1. #21

    Re: AppArmor Support Thread

    Quote Originally Posted by q.dinar:
    Code:
    Feb 16 10:53:31 linux2009 kernel: [  382.914441] type=1505 audit(1234770811.273:665): operation="profile_replace" name="/usr/bin/xchat" name2="default" pid=7453
    Feb 16 10:53:43 linux2009 kernel: [  395.513632] type=1502 audit(1234770823.873:666): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/sbin/killall5" pid=7460 profile="/usr/bin/xchat"
    Feb 16 10:53:43 linux2009 kernel: [  395.514803] type=1504 audit(1234770823.873:667): operation="exec" info="set profile" pid=7460 profile="null-complain-profile"
    Feb 16 10:53:43 linux2009 kernel: [  395.514830] type=1502 audit(1234770823.873:668): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/sbin/killall5" pid=7460 profile="null-complain-profile"
    Feb 16 10:53:43 linux2009 kernel: [  395.520025] type=1502 audit(1234770823.877:669): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/sbin/killall5" pid=7460 profile="null-complain-profile"
    Feb 16 10:53:43 linux2009 kernel: [  395.521749] type=1502 audit(1234770823.881:670): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/sbin/killall5" pid=7460 profile="null-complain-profile"
    Feb 16 10:53:43 linux2009 kernel: [  395.525482] type=1502 audit(1234770823.885:671): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/lib/ld-2.8.90.so" pid=7460 profile="null-complain-profile"
    Also xchat has asked for killall5.
    I think I found this one. /bin/pidof is a symbolic link to /sbin/killall5. So programs that find /bin/pidof and follow the link rather than just calling 'pidof' will find themselves calling /sbin/killall5. My first instinct now is that this is harmless and it's the program trying to find a PID. Hopefully not its own; C has getpid() for that...

    Quote Originally Posted by q.dinar:
    What is null-complain-profile?
    Check out this post over at Novell's forums and see if that applies to you. null-complain-profile is used in learning mode; it complains about absolutely everything.
    Joel Goguen

  2. #22

    Re: AppArmor Support Thread

    There is another message in the log.

    How to create a profile for the X server? As was said in this thread or in "share your apparmor profiles", a profile for the X server should be created to limit/set rules for/confine/restrict the video driver.

  3. #23

    Re: AppArmor Support Thread

    Quote Originally Posted by q.dinar:
    But I wanted to say something about another feature: to create a new "a" directory in a "b" directory in Linux, "write" permission to the "b" directory is needed. In AppArmor rules, "write" permission to the not-yet-existing "a" itself is enough.
    OK, I see where you're going with this. Yes, that does seem to be the case, and I'm not sure why, or even if that's the correct behaviour... sounds like a good candidate for a bug to me. You can report bugs here.
    Joel Goguen

  4. #24

    Re: AppArmor Support Thread

    Quote Originally Posted by q.dinar:
    I am quite sad.

    You should rename, modify and reload /etc/apparmor.d/usr.lib.firefox-3.0.5.firefox.sh when Firefox has upgraded to 3.0.6!
    While I agree apparmor requires active monitoring, I would also suggest you file this as a bug report in Launchpad.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  5. #25

    Re: AppArmor Support Thread

    Quote Originally Posted by q.dinar:
    How to create a profile for the X server? As was said in this thread or in "share your apparmor profiles", a profile for the X server should be created to limit/set rules for/confine/restrict the video driver.
    Very carefully. I'm only half-joking, and I'm not completely sure where to start. Probably /usr/sbin/gdm and /usr/X11R6/bin/X, and be prepared to do a lot of work tracing why it's not working and what it's asking for. You may want to put the profiles into complain mode so you don't completely lose graphics:
    Code:
    sudo aa-complain /path/to/profile
    Then when you're satisfied and/or ready to test your profile in enforcing mode:
    Code:
    sudo aa-enforce /path/to/profile
    Remember of course that this doesn't give you the ability to have separate profiles for nvidia, nv, radeon, etc.; the profile is for X in general.

    To get an idea of the programs you'd need to have profiles for (or give execute permissions with 'ix') open a terminal and use this command:
    Code:
    ps fax
    That prints out a process tree. Look for the set starting with '/usr/sbin/gdm'.
    Joel Goguen

  6. #26

    Re: AppArmor Support Thread

    Locking down X or GDM with apparmor will probably be impractical, to say the least.

    The things, IMO, you should look at are network facing applications or daemons (firefox, ssh, etc) and not something big like X.

    If you need to lock down X or a shell (like bash) take a look at jdong's jailbash.

    http://www.friedcpu.net/?p=70

    Just make jailbash the default login shell.

    Or something like selinux.

  7. #27

    Re: AppArmor Support Thread

    I just recently installed apparmor and I am fine tuning my profiles. I have got just one more message, related to Firefox, popping up in my log that I want to address.

    Mar 20 20:01:08 my-computer kernel: [ 0000.000000] type=0000 audit(000000.000:0000): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/home/duanedesign/.icons/" pid=5664 profile="/usr/lib/firefox-3.0.7/firefox.sh"

    I have in my Firefox profile:

    @{HOME}/.icons/** r,

    Adding the line above did fix five or six log messages like these:

    ~/.icons/hydroxygen/16x16/categories
    ~/.icons/hydroxygen/16x16/devices
    ~/.icons/hydroxygen/16x16/emblems
    etc...

    So I get the feeling it is working on some level.

    I understand the colon's significance in showing (owner permissions:extended ownership tests:other permissions). Does this provide a clue to help me solve this?

    I thank you in advance for any help you can give me.

    UPDATE: Funny, I worked on this for over an hour and five minutes after I break down and ask for help I come up with a solution.

    I added the following to my firefox profile:

    @{HOME}/.icons/ r,

    I started Firefox, and no message in my log. I guess I still have a question: do I need both
    @{HOME}/.icons/ r,
    @{HOME}/.icons/** r,
    or is there a better way to get AppArmor to allow Firefox to access all my icons?
    Last edited by duanedesign; March 21st, 2009 at 02:38 AM. Reason: update situation

  8. #28

    Re: AppArmor Support Thread

    Short answer - yes, you do need both, but only if the application actually needs to read the directory. That tends to be true if it doesn't know for sure what the path to the file is, which may be the case here.

    The issue is that using ** will match everything in the directory and its subdirectories - but not the directory itself. So using
    Code:
    @{HOME}/.icons/** r,
    will provide read access for all files and directories under /home/<username>/.icons/, but does not provide any access for /home/<username>/.icons/ at all. That's taken care of by the other rule you discovered you need:
    Code:
    @{HOME}/.icons/ r,
    This is the rule that gives access to read the directory itself.

    Similarly, but going further than needed to answer your question, if you only used
    Code:
    @{HOME}/.icons/* r,
    you still would have no read access for /home/<username>/.icons/, but you would have read access for all files directly inside it, plus all subdirectories directly underneath it - but not the contents of those subdirectories. As an example, you could see that /home/<username>/.icons/16x16/ exists, and you could also see that /home/<username>/.icons/16x16/unknown.png exists, but you would not be able to read that file.

    Hope that helps and doesn't raise more questions than it answers - but feel free to ask away if you have any more questions or if I wasn't clear enough.
    Last edited by jgoguen; March 21st, 2009 at 03:05 AM.
    Joel Goguen
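    A small Python model of the globbing rules explained in the post above, added here as an example (not code from the thread, and not AppArmor's own parser), run against the paths and the denial line from duanedesign's post. It assumes @{HOME} expands to /home/duanedesign, the home directory in the quoted log line, and it reduces apparmor_parser's real glob translation to the three behaviours jgoguen describes: `*` stays within one path component, `**` crosses components, and neither matches the directory the rule ends in.

```python
import re
# Assumed expansion of @{HOME}: the home directory from the thread's log line (constructed, not the real tunable).
VARIABLES = {"@{HOME}": "/home/duanedesign"}
# Audit fields from the denial line in duanedesign's post (constructed copy of the quoted line).
SAMPLE_DENIAL = ('operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 '
                 'name="/home/duanedesign/.icons/" pid=5664 profile="/usr/lib/firefox-3.0.7/firefox.sh"')

def glob_to_regex(pattern):
    """Simplified model of the parser's glob translation: '*' never crosses '/',
    '**' does, and a glob that forms a whole path component must match at least
    one character, so '/.icons/**' does not match '/.icons/' itself."""
    for var, value in VARIABLES.items():
        pattern = pattern.replace(var, value)
    out, i = "", 0
    while i < len(pattern):
        if pattern[i] != "*":
            out, i = out + re.escape(pattern[i]), i + 1
            continue
        double = pattern.startswith("**", i)
        after_slash = i > 0 and pattern[i - 1] == "/"
        i += 2 if double else 1
        whole = after_slash and (i == len(pattern) or pattern[i] == "/")
        if double:
            out += "[^/].*" if whole else ".*"
        else:
            out += "[^/]+" if whole else "[^/]*"
    return "^" + out + "$"

def parse_rule(rule):
    """'@{HOME}/.icons/** r,' -> (compiled path regex, {'r'})."""
    path, perms = rule.rstrip(",").split()
    return re.compile(glob_to_regex(path)), set(perms)

def allowed_perms(rules, path):
    """Union of the permissions the rules grant on one path."""
    granted = set()
    for regex, perms in map(parse_rule, rules):
        if regex.match(path):
            granted |= perms
    return granted

def parse_denial(line):
    """Name and denied permissions from an AppArmor audit line ('r::' -> {'r'})."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return fields["name"], set(fields["denied_mask"].replace(":", ""))

def denial_covered(rules, line):
    """True when the rules grant every permission the log line reports as denied."""
    name, denied = parse_denial(line)
    return denied <= allowed_perms(rules, name)
```

    With only the `**` rule, `denial_covered` reports the quoted denial as still open; adding the `@{HOME}/.icons/ r,` rule closes it, which is the pair of rules the poster ended up with.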

  9. #29

    Re: AppArmor Support Thread

    That was going to be my advice.

    Nice to see people learning apparmor.

    FYI: I have posted some apparmor profiles for your reference here:

    http://bodhizazen.net/aa-profiles/

    I am looking for people willing to post their profiles, so if anyone is willing please send me a PM.

  10. #30

    Re: AppArmor Support Thread

    Quote Originally Posted by bodhi.zazen:
    That was going to be my advice.
    I just learn from my betters.
    Joel Goguen
