
Thread: Something strange with apparmor

  1. #11
    Join Date
    May 2011
    Beans
    42
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Something strange with apparmor (update: apparmor is broken!)

    Quote Originally Posted by bodhi.zazen View Post
    Sounds as if your security guru does not understand Linux permissions.
    Maybe so, but please make sure that we have understood you right on this one:

    If I confine a program (a program with file browsing and editing capabilities) with apparmor, and make sure that this program is confined with no write permissions to the file system at all, only read access (like /** r,), apparmor will still allow this program to delete files and folders if they are owned by the same user who runs the confined program? Even create new folders?

    Quote Originally Posted by wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
    w - write - permission to create, delete, write to a file and extend it
    I've interpreted the apparmor wiki as you'll need the write flag to be able to e.g. delete files and create new folders.

    I've also interpreted apparmor as an application firewall that should stop write access even if the owner of the confined program owns the directories being written to. Apparmor should have been that extra layer of security!

    Quote Originally Posted by bodhi.zazen View Post
    In addition, if you need help with apparmor, you will need to post your apparmor profile for the program you are trying to confine. I can not tell from your original post if you are using one or two applications. You do understand each application needs its own profile.
    I don't have access to the profile from this computer.

    It was the Gwenview image viewer that was tested. I don't know how it works. Maybe it mysteriously calls another program somehow for folder editing. aa-genprof didn't notice that anyway.

    My friend is pretty sure there's something wrong with apparmor. If apparmor can't confine a program from deleting and writing to the user's own home folder, then I'm having trouble seeing the benefits of using apparmor at all.

  2. #12
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Something strange with apparmor (update: apparmor is broken!)

    Quote Originally Posted by desire.linux View Post
    Maybe so, but please make sure that we have understood you right on this one:

    If I confine a program (a program with file browsing and editing capabilities) with apparmor, and make sure that this program is confined with no write permissions to the file system at all, only read access (like /** r,), apparmor will still allow this program to delete files and folders if they are owned by the same user who runs the confined program? Even create new folders?

    I've interpreted the apparmor wiki as you'll need the write flag to be able to e.g. delete files and create new folders.

    I've also interpreted apparmor as an application firewall that should stop write access even if the owner of the confined program owns the directories being written to. Apparmor should have been that extra layer of security!

    I don't have access to the profile from this computer.

    It was the Gwenview image viewer that was tested. I don't know how it works. Maybe it mysteriously calls another program somehow for folder editing. aa-genprof didn't notice that anyway.

    My friend is pretty sure there's something wrong with apparmor. If apparmor can't confine a program from deleting and writing to the user's own home folder, then I'm having trouble seeing the benefits of using apparmor at all.

    Hard to say from what little you have posted.

    You need to post the apparmor profile and describe what you are trying to have apparmor do exactly.

    As far as
    I'm having trouble seeing the benefits of using apparmor at all.
    Well, if you can't describe what you want apparmor to do for you, and can not post a profile, I guess it is hard to see the benefits.

    Example:

    I want to use apparmor to restrict access of some programs in my home directory.

    Specifically, I do not want firefox to have any access to ~/.ssh

    Here is what I use:

    Code:
      # Default profile allows downloads to ~/Downloads and uploads from ~/Public
      owner @{HOME}/ r,
      owner @{HOME}/* r,
      owner @{HOME}/Public/ r,
      owner @{HOME}/Public/* r,
      owner @{HOME}/{Desktop,Downloads}/ r,
      owner @{HOME}/{Desktop,Downloads}/** rw,
    
      # per-user firefox configuration
      owner @{HOME}/.mozilla/ rw,
      owner @{HOME}/.mozilla/** rw,
      owner @{HOME}/.mozilla/**/*.sqlite* k,
      owner @{HOME}/.mozilla/**/.parentlock k,
      owner @{HOME}/.mozilla/plugins/** rm,
      owner @{HOME}/.mozilla/**/plugins/** rm,
    
      #
      # Extensions
      # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
      # Allow 'x' for downloaded extensions, but inherit policy for safety
      owner @{HOME}/.mozilla/**/extensions/** mixr,
    
      # Flash
      owner @{HOME}/.adobe/ rw,
      owner @{HOME}/.adobe/** rw,
      owner @{HOME}/.macromedia/ rw,
      owner @{HOME}/.macromedia/** rw,
    
      # Allow flash to use video acceleration
      /dev/nvidiactl rw,
      /dev/nvidia0 rw,
    
      # Other permissions in HOME directories
      owner @{HOME}/.config/ r,
      owner @{HOME}/.config/** r,
      owner @{HOME}/.config/ibus/bus/ rw,
    So you need to start with a definition of a purpose.

    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  3. #13
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Something strange with apparmor (update: apparmor is broken!)

    Quote Originally Posted by desire.linux View Post
    Maybe so, but please make sure that we have understood you right on this one:

    If I confine a program (a program with file browsing and editing capabilities) with apparmor, and make sure that this program is confined with no write permissions to the file system at all, only read access (like /** r,), apparmor will still allow this program to delete files and folders if they are owned by the same user who runs the confined program? Even create new folders?
    As Bodhi said, we would need to see the profile. One of three things is happening here, in my opinion:

    1) You are not understanding the syntax in the profile.

    2) You are allowing the profile to call some other executable as unconfined (Ux).

    3) The profile abstractions are allowing the profile to do things you might not want.

    Also from the AppArmor Wiki:
    AppArmor leverages DAC's existing labeling (but not permissions) for owner and groups, and does not have a concept of user or owner that is separate from the system's user or owner. Certain security models require that policy be set up in conjunction with other linux security controls, such as owner and groups and the pam_cap module.
    Also, AppArmor has an IRC channel you can visit if you want to talk to the real experts (developers). It's on OFTC, channel: #apparmor.
    Occam's Razor for computers: Viruses must never be postulated without necessity -- nevius

    My Blog

  4. #14
    Join Date
    May 2011
    Beans
    42
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Something strange with apparmor

    Here's a mail from my security guru friend about the issue:

    This has less to do with DAC and more to do with apparmor not appreciating socket files that certain applications are programmed to use to pipe/access other programs. This makes apparmor primitive, highly limited and outrageously dangerous to inexperienced users who rely on it as an application firewall. Not to mention it actually doesn't support all applications, I mean applications that use socket files.

    An application confined with apparmor may call another application to do certain stuff, like an execute. An image viewer may call a file manager to be able to manipulate files and folders. Normally you would give the main application and its apparmor profile execute right to that external application by inheriting the current profile, so that the external application is just as much confined as the primary application. But some programs call other programs through socket files just by reading and writing to them. And if you give apparmor read and write access to a certain socket file, needed for the main application to work properly, that application is free to call any other program or application it likes to do whatever it wants, without being confined nor inherited by the main profile. And apparmor doesn't understand that by writing to a socket file, it pipes actions that normally would be denied by the main profile to applications that are not confined. Hence your problem.

    This is where selinux doesn't fail. The bad thing about selinux is that you'll need to be a skilled programmer to make any sense and use of it.

    Just make sure that you do severe investigations when you let an apparmor profile read and write to files that look like this: srw-rw-rw-. The best is to avoid those programs altogether if you need to confine them with apparmor.

    I don't know, but maybe this makes things more clear. Gwenview does need read and write access to a socket file within /tmp to be able to manage files and folders. I've just not figured out which program it uses and when.
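As an added example that is not part of this thread, here is a small Python audit of a profile text for the three pitfalls raised in posts #13 and #14: included abstractions, unconfined exec rules (ux/Ux), and write access to a path that is a Unix socket on disk (the srw-rw-rw- files the mail warns about). The rule grammar is simplified to `[owner] <path> <perms>,`, only `@{HOME}` is expanded, and the socket name and the `/usr/bin/helper` path in the demo are constructed.

```python
import glob
import os
import re
import socket
import stat
import tempfile

# Simplified grammar for one AppArmor file rule: [owner] <path> <perms>,
RULE_RE = re.compile(r'^\s*(owner\s+)?(\S+)\s+([a-zA-Z]+)\s*,\s*$')
INCLUDE_RE = re.compile(r'^\s*#include\s+<(\S+)>')

def parse_rules(text):
    """Return (rules, includes); a rule is (owner_only, path, perms)."""
    rules, includes = [], []
    for line in text.splitlines():
        inc = INCLUDE_RE.match(line)
        if inc:
            includes.append(inc.group(1))
        elif not line.lstrip().startswith('#'):
            m = RULE_RE.match(line)
            if m:
                rules.append((bool(m.group(1)), m.group(2), m.group(3)))
    return rules, includes

def audit_profile(text, home):
    """Flag abstractions, unconfined exec (ux/Ux) and write access to sockets."""
    rules, includes = parse_rules(text)
    findings = [('abstraction', inc, 'include') for inc in includes]
    for owner_only, path, perms in rules:
        if 'x' in perms and 'u' in perms.lower():
            findings.append(('unconfined-exec', path, perms))
        if 'w' in perms or 'a' in perms:
            # Expand the rule glob on disk: a socket is a channel to a helper process this profile may not confine
            for target in glob.glob(path.replace('@{HOME}', home), recursive=True):
                if stat.S_ISSOCK(os.stat(target).st_mode):
                    findings.append(('socket-write', target, perms))
    return findings

def demo():
    """Constructed case: read-only home plus rw on a /tmp-style socket and a Ux helper."""
    with tempfile.TemporaryDirectory() as tmp, socket.socket(socket.AF_UNIX) as srv:
        srv.bind(os.path.join(tmp, 'helper.sock'))   # constructed socket file
        profile = f"""
        #include <abstractions/base>
        owner @{{HOME}}/** r,
        owner {tmp}/*.sock rw,
        /usr/bin/helper Ux,
        """
        return audit_profile(profile, home=os.path.expanduser('~'))
```

Run `audit_profile` against a real profile from /etc/apparmor.d with the user's home to list every write rule that currently matches a socket; each hit is a place to check whether the process on the other end is confined.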

  5. #15
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Something strange with apparmor

    Sounds more like an opinion than fact. You are running in circles as you have not stated what it is you are wanting to do, what restrictions you want to place on an application, nor have you posted an apparmor profile.

    It is certainly possible you have found a bug. It could be apparmor does not do what you think or want it to do. It could be a faulty profile. None of those possibilities makes apparmor "highly limited".

    In fact, statements such as "This makes apparmor primitive, highly limited and outrageous dangerous to inexperienced users" amount to nothing more than FUD, play no role in support, education, or security, and are unprofessional.

    It suggests your security expert is giving you an opinion rather than quality advice, does not appreciate apparmor, or that you may be using the wrong tool for the task. It may well be that selinux is a better option.

    If you would like support for apparmor, please provide the necessary information.

    If you wish to learn to use apparmor, start with

    http://ubuntuforums.org/showthread.php?t=1008906

    selinux is here: http://docs.fedoraproject.org/en-US/...nhanced_Linux/

    Yes there is a learning curve to both tools. Yes both tools have advantages and disadvantages.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface
