Last edited by loudog23; May 3rd, 2009 at 03:49 AM.
If you've got the profile you had quoted loaded, that's because AppArmor thinks it should deny everything. Try using this profile as a base, and tweak it to your needs: http://bodhizazen.net/aa-profiles/jg...usr.bin.pidgin
I'm not very familiar with genprof, and I can't figure out why it's asking for a username. Hopefully someone else has some insights. I would completely remove whatever profile is currently there, reload AppArmor (sudo /etc/init.d/apparmor reload) and try sudo aa-genprof /usr/bin/pidgin again. Failing that, or if you just want something to look at for comparison, I would make use of the profile I linked to.
Yes and I think so. A chroot jail can be broken out of. AppArmor restrictions aren't so easy to break. As for the two playing nicely together, I don't see why not. It would require some extra thought as to the absolute paths of programs required before and after calling chroot(), and I don't know for sure if AppArmor would apply to absolute paths relative to the real root directory or relative to the chroot() but that wouldn't be too hard to figure out.
Whether AppArmor is worth it for you depends on what you're trying to achieve. The answer, especially if you're accepting arbitrary data from an arbitrary source (which you are with both programs you've mentioned), is typically "quite likely" for network applications. Apache would certainly be an interesting beast to configure, but even with subprocesses it wouldn't be that much worse than any other single-process application. Just remember to put your profiles (because you'll quite likely be writing multiple profiles for Apache and its children) into complain mode and check /var/log/messages for AppArmor deny entries. Keep in mind that multiple profiles don't mean multiple files - a single file can contain all the profiles you want. This profile is an example of how to handle multiple profiles in one file. If you were trying to restrict mod_perl, mod_php, mod_python, and other Apache modules it would probably get a little weird. To make things a little easier (or harder?) for that, you could find mod_change_hat (which isn't in the Ubuntu repos) and use that. It will allow you to have a sub-profile for each script and a default sub-profile for scripts that don't match an existing sub-profile.
Joel Goguen
Thanks for your reply,
Quick technical question.
I have a private FTP (proftpd). If I can make a profile that successfully connects locally (IP 127.0.1.1), can I assume web requests will be allowed too?
I don't have access to another web connection, therefore I can't try it from an external source.
If your profile allows you to connect from localhost, you can safely assume that your AppArmor profile won't prevent other incoming connections. AppArmor can't restrict IP addresses; it can only allow or deny TCP and/or UDP connections for IPv4 and/or IPv6. That doesn't mean your firewall won't be restricting anything though, so be sure to check that, and also check port forwarding on your router (if applicable).
Joel Goguen
I am not going to allow some files, but AppArmor writes messages to syslog without stopping, continuously, about 3 messages per second in syslog and messages. How do I stop it? AppArmor must have such an ability, because this is its main target, its goal: to block up programs. It is normal, so it should not write so much to the log files.
AppArmor writes one message per access attempt. So if you write a profile for /usr/bin/myprogram that does not allow access to /etc/shadow and /usr/bin/myprogram makes 10 attempts per second to access /etc/shadow, you will get approximately 10 messages per second in your log saying that access was denied.
Joel Goguen
Anyone tried to profile the latest Firefox-3.0.11? I am not having any luck as there appears to be something wrong with how AppArmor is parsing logs. If I do

Code:
sudo aa-genprof firefox

and then attempt to "Scan" for changes (after I run firefox for a while), it will find some of the denial log messages but not all of them. Once I click on "Finished" and firefox goes into enforce mode, it won't open if I try to restart it. Thereafter, I ran:

Code:
sudo aa-logprof

but it finds no log messages. However, there is a "null-complain-profile" that is still listed in complain mode. ps -A shows this as being firefox. So, what's the deal with these null-profiles and how does one integrate them with an existing firefox profile?
Also, firefox is asking for dac_override capabilities. It should not need this!
I saw that there were some bugs filed about AppArmor (in Jaunty) not parsing error logs properly. Some people on launchpad said that installing auditd helped them. It doesn't work for me -- I'm still getting this strange behavior.
Or maybe I am just not doing it right?
I'll be profiling the latest Firefox later today. I can't imagine why it's asking for dac_override, but then again I still haven't figured out why it wants to read ~/.rsynclist (a file I created myself for one of my scripts) or why it's looking for a lot of things in /proc/ that aren't related to it...
I'll be starting from my current profile, which is posted here. I'll be removing a lot of stuff and trying to re-integrate the file-roller profile back into Firefox, so I'll be sure to post the result here once I'm done.
Joel Goguen
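As an added example (not code from anyone in this thread), a small Python script that collapses the flood of per-attempt DENIED lines Joel describes (one log message per access attempt) into one entry per profile, operation and object, and turns those into candidate profile lines to review before touching the profile. The log lines are constructed in the AppArmor audit format; the profile name, pid, paths and the dac_override capability denial are made-up sample data.

```python
import re
from collections import defaultdict

# Matches key=value and key="quoted value" fields of an AppArmor audit line.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Constructed sample lines in the style AppArmor writes to syslog/messages
# (not copied from any real system): one file denial repeated three times,
# one capability denial, and one complain-mode line that must be ignored.
SAMPLE_LOG = """\
type=1400 audit(1245000000.101:201): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/firefox" name="/home/joel/.rsynclist" pid=4242 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
type=1400 audit(1245000000.202:202): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/firefox" name="/home/joel/.rsynclist" pid=4242 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
type=1400 audit(1245000000.303:203): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/firefox" name="/home/joel/.rsynclist" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=1400 audit(1245000000.404:204): apparmor="DENIED" operation="capable" parent=1 profile="/usr/bin/firefox" pid=4242 comm="firefox" capability=1 capname="dac_override"
type=1400 audit(1245000000.505:205): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/bin/firefox" name="/proc/1/stat" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

def parse_line(line):
    """Return the fields of one audit line as a dict (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def summarize_denials(log_text):
    """Collapse repeated DENIED events into {(profile, op, object): {count, mask}}."""
    summary = defaultdict(lambda: {"count": 0, "mask": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("apparmor") != "DENIED":   # complain mode logs ALLOWED; skip it
            continue
        obj = ev.get("name") or ev.get("capname") or "?"
        entry = summary[(ev.get("profile"), ev.get("operation"), obj)]
        entry["count"] += 1
        entry["mask"].update(ev.get("denied_mask", ""))
    return dict(summary)

def suggest_rules(summary):
    """Turn the summary into candidate profile lines for an admin to review."""
    # A denial shows what the program tried, not that it should be allowed.
    rules = []
    for (profile, op, obj), info in sorted(summary.items()):
        if op == "capable":
            rules.append(f"capability {obj},")
        else:
            rules.append(f"{obj} {''.join(sorted(info['mask']))},")
    return rules

if __name__ == "__main__":
    s = summarize_denials(SAMPLE_LOG)
    print({k: v["count"] for k, v in s.items()})
    print("\n".join(suggest_rules(s)))
```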
If it helps , my profile is here
http://bodhizazen.net/aa-profiles/bo....10.firefox.sh
All I changed was the version from "10" to "11"
Have not looked at logs ..
There are two mistakes one can make along the road to truth...not going all the way, and not starting.
--Prince Gautama Siddharta