[Turn] Introduction to AppArmor

Introduction to AppArmor

http://ubuntuforums.org/showthread.php?t=1008906

Contents

• Post 1 Introduction (this is it).
• Post 2 AppArmor on Ubuntu.
• Post 3 Anatomy of a profile.
• Post 4 generating Profiles.

Introduction

The intent of this post are to increase awareness of AppArmor and encourage it's use by Ubuntu users. Although there is portions of the This post the May seem quite technical, it's not my intent to give a full technical Revie W of the workings of AppArmor or compare AppArmor to alternate options, such as SELinux.

From the Novell site:

? AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is a access control system lets you specify per program which files the program may read, write, and Execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can Preve NT attacks even if they is exploiting previously unknown vulnerabilities.

AppArmor is a security tool and uses name-based mandatory access controls to restrict or confine system access by "at risk "Applications." At risk ' applications generally include both server and client applications with network access. In this post I'll use Firefox as an example.

The goal is to apply application specific rules or "profiles" to "confine" for Firefox, or any other application directories, files, and POSIX 1003.1e draft capabilities needed for normal functioning. In the event Firefox is compromised, Apparmor's confinement helps to prevent the compromising of the system as a whole.

AppArmor is a powerful program and, if an application is confined, AppArmor can restrict the activity of even the root U Ser. AppArmor was designed as a alternative to SELinux and are designed to being easier to use.

AppArmor is configured by writing a profiles for an application. Profiles is written one application at at time and and typically targeted at applications which with network access. These profiles is a text files which restrict or confine an application. These restrictions is in addition to the standard Linux permissions. For example, you can not give access to a directory or file with AppArmor if such access violates the permissions.

Let us imagine, for example, your browser, Firefox, was hijacked (due to some flaw in the code). Let us also imagine the cracker you and I use Firefox to access your home directory or system files, allowing him or she to Read and modify system files and/or execute arbitrary code. This hypothetical flaw in Firefox then leads to a escalation of privileges and root access is obtained.

The "traditional" security model would remedy the problem by first correcting the flaw in the code (ie a "security update" For Firefox) and possibly result in a new rule for HIDS, such as viruses scanners or root kits.

The problem with this model it does nothing to protect against the next attack, aka a Zero day attack. AppArmor adds another check to the system, asking the question, should Firefox being accessing or making changes to system fi Les? AppArmor confines Firefox And if there is a new exploit, AppArmor would help prevent any escalation of privileges.

I set up a collection of AppArmor profiles here. Additional Contributions is welcome (PM me if interested).

References
Http://en.wikipedia.org/wiki/Selinux
Http://en.wikipedia.org/wiki/AppArmor
Https://help.ubuntu.com/8.04/serverg.../apparmor.html
http://www.linux.com/feature/58789
Http://www.linuxtopia.org/online_boo...ide/index.html

AppArmor on Ubuntu

First, by default AppArmor does very little (and thus with the This post I am hoping to the change that ...). With a default installation of Ubuntu 8.04, AppArmor protects only CUPS (Ubutu 9.04 includes 7 profiles by DEFAULT:DHCLI Ent-script (listed twice), Dhclient3, CUPSD, Tcpdump, Cups-pdf, nm-dhcp-clinet.action {Basically CPUs, dhclient, and TCPDU MP}).

You can install additional apparmor-profiles, which would get you started with a few additional applications, but we must Also write and customize our own profiles. I'll cover Firefox as an example.

To install some additional profiles:

Code:

sudo apt-get install Apparmor-profiles

Although this installs some additional profiles, they is permissive in that they default to the complain mode (you'll n Eed to manually activate them).

Profiles is stored in /etc/apparmor.d

On Ubuntu, AppArmor logs profiles violations to /var/log/messages

Apparmor uses the kernel standard SECURITYFS mechanism load and monitor profiles.

SECURITYFS is moutned on /sys/kernel/security .

/sys/kernel/security/apparmor/profiles is a virtualized file representing the currently loaded set of profiles.

On Ubuntu There is no GUI tools to manage or write profiles, so we is talking good old command line tools and editing co nfiguration files. The configuration files is text files and, with a little reading, is fairly easy to understand.

Profiles

Profiles is stored in /etc/apparmor.d

Profiles is names for the application they confine, using the full path, dropping the First/and converting the others T o A. Firefox is a bit confusing because/usr/bin/firefox are a link to/usr/bin/firefox-3.0, which in turn is a link to/usr/lib /firefox-3.0.4/firefox.sh (on Ubuntu 9.04 Alpha).

Thus /usr/lib/firefox-3.0.4/firefox.sh

becomes usr.lib.firefox-3.0.4.firefox.sh

and is stored in /etc/apparmor.d/usr.lib.firefox-3.0.4.firefox.sh

More on profiles later.

Enforcement

Once A profile was defined it was automatically activated when the application was started. There is 2 modes of operation, complain and enforce.

complain -in complain mode AA monitors applications and logs violations to your profile without restricting or C Onfining the application. I think of this as "testing" mode.

enforce -in enforce mode AA monitors applications and logs violations to your profiles. In the event of a violation, access to the resource are denied and the application is confined.

Start/stop AppArmor

Usage:/etc/init.d/apparmor {Start|stop|restart|try-restart|reload|force-reload|status|kill}

Start:sudo/etc/init.d/apparmor start

Stop:sudo/etc/init.d/apparmor stop

Reload:sudo/etc/init.d/apparmor Reload

Show status:sudo/etc/init.d/apparmor Status

And on ...

Additional Useful AppArmor Commands

Note: In these examples, | = or. Geprof or Aa-gprof (and on).

Source:novell AppArmor Guide

Genprof | Aa-genprof

Generate or update a profile. When running, you must specify a. IF The specified program isn't an absolute path, genprof searches the $PATH variable. If A profile is does not exist, Genprof creates one using AUTODEP.

Syntax:sudo genprof Application

Example sudo genprof Firefox

This generates a profiles for Firefox at/etc/apparmor.d/usr.lib.firefox-3.0.4.firefox.sh

AUTODEP | Aa-autodep

? Guess Basic AppArmor profile requirements. AUTODEP creates a stub profiles for the program or application examined. The resulting profile was called approximate because it does not necessarily contain all of the profiles entries that th E program needs to be confined properly.

complain | Aa-complain

Set an AppArmor profiles to enforce mode from complain mode.

Syntax:complain rule

Example:sudo complain Firefox

Enforce | Aa-enforce

? Set an AppArmor profiles to enforce mode from complain mode.

Syntax:enforce rule

Example:sudo Enforce Firefox

unconfined | aa-unconfined

? Output a list of processes with open TCP or UDP ports this does not have AppArmor profiles loaded.

Logprof | Aa-logprof

? Manage AppArmor profiles. Logprof is a interactive tool used to review the learning or complain mode output found in the AppArmor syslog entries an D to generate new entries in AppArmor profiles.

Translation:search your logs for problems and use this information to modify the Firefox profile.

Apparmor_parser

This is used-to-load, or more commonly reload a profiles into the kernel. After modifying (editing) a profiles use:

Code:

sudo apparmor_parser-r/etc/apparmor.d/<profile>

Where "<profile>" is the profiles to re-load.

If you prefer can restart AppArmor (same as Reload)

Code:

/etc/init.d/apparmor restart

Anatomy of a profile

Now we is getting into the nitty gritty

Each application-wish to confine under AppArmor are given a profile which are stored in THE/ETC/APPARMOR.D directory.

The named after the application to which it applies, changing the/in the path to a. (The first/is simply dropped).

So,/usr/lib/firefox-3.0.4/firefox.sh becomes usr.lib.firefox-3.0.4.firefox.sh.

Profiles is nothing more then text files and is generated by your the user sometimes with the assistance of AppArmor tool s from the command line (sorry no GUI in Ubuntu, although there are a GUI in YAST on OpenSUSE). They can viewed and manually managed (tweaked) with any editor (gedit, Nano, vim, etc). I'll walk you through generating a profiles for Firefox in the next post.

Profiles is comprised of 4 sections #include, capability entries, rules, and hats.

# include

#include is akin to sourcing or libraries and allows you to generate a list of common restrictions. Rather then writing the this list over and over in profiles, where can keep it in a common location and incorporate it into a PR Ofile with an #include. When you update the common list, all your profiles is updated.

Capability entries

In 中文版, this is permission checking.

In Geek speak:

? Capabilities statements is simply the word capability followed by the name of the POSIX.1E capability as defined in the C Apabilities (7) man page.

And, if you is interested, capabilities (7) man page.

Rules

These is basically a set of permissions applied to files or directories. The Syntas is a path followed by a set of rules.

[Path] [Rules]

Path

Globing or special characters in the path.

Code:

*  substitutes for any number of characters, except/. * * Substitutes for any number of characters, including/.?  Substitutes for any single character, except/. [ABC]  Substitutes for the single character A, b, or C. [A-c] Substitutes for the single character A, b, or C. {AB,CD} Expand To a rule to match AB and another to match CD. [^a] Substitutes for any character except A.

Rules for files include

Code:

r = READW = Writel = LINKK = Locka = Append

Rules for executable (applications) include

Code:

IX = Inherit = Inherit the parent ' s PROFILE.PX = requires a separate profile exists for the application, with ENVIRONM ENT scrubbing. Px = requires a separate profile exists for the application, without environment scrubbing. UX and UX = Allow execution of a application unconfined, with and without environmental scrubbing. (Use with caution if @ All). m = Allow executable mapping.

For a more detailed explaination see the Man Page:apparmor (5)

Example (from the above Mans page)

?
# a variable definition
@{home} =/home/*//root/
# a comment about Foo.
/usr/bin/foo {
/bin/mount UX,
/dev/{,u}random R,
/etc/ld.so.cache R,
/etc/foo.conf R,
/etc/foo/* R,
/lib/ld-*.so* x,
/lib/lib*.so* R,
/proc/[0-9]** R,
/usr/lib/** R,
/tmp/foo.pid WR,
/tmp/foo.* LRW,
/@{home}/.foo_file RW,
# a comment about Foo ' s subprofile, bar.
^bar {
/lib/ld-*.so* x,
/usr/bin/bar IX,
/var/spool/* RWL,
}
}

Comments:

1. Note the use of variable. This is the only necessary if you mount Your/home partition in a non-standard location.

   "/@{home}/.foo_file"

2. Comments start with an Octothorpe (#).
3. /etc/foo/* R,

   Allows read access to the files In/etc/foo

   /etc/** would allow read access to all sub-directories in/etc
   

Hats

While an AppArmor profiles is applied to an application, there was times with a sub-process of the program may need access Differing from the main program. In this event, the SUP process may be "change hats" or use an alternate sub-profile.

A profile May has more then 1 sub-profile and however the sub-profiles may not be sud-sub profiles (if that makes sense).

Right now very few applications use hats, and one example is Apache.

For a more detailed explanation see

Mans AppArmor

Mans APPARMOR.D

Generating Profiles

By default, Ubuntu includes a profiles only for CUPS. You can install a few additional profiles with

Code:

sudo apt-get install Apparmor-profiles

The Additional profiles is:

Usr.sbin.avahi-daemon, USR.SBIN.NMBD, bin.ping, Sbin.klogd, USR.SBIN.NSCD, Sbin.syslogd, USR.SBIN.DNSMASQ, USR.SBIN.N TPD, Sbin.syslog-ng, Usr.sbin.identd, USR.SBIN.SMBD, Gdm-guest-session, USR.SBIN.MDNSD, and Usr.sbin.traceroute

Also included is some information for #includes in/etc/apparmor.d/abstractions directory.

Note: After you generate a new profiles, or edit an existing profiles, the profile must is (re) loaded into the Kern El and the application to which it applies must is restarted. The can is performed by restarting the application or rebooting.

Code:

sudo apparmor_parser-r/etc/apparmor.d/<profile>

Where "<profile>" is the name of the reload.

As promised, let us generate a profiles for Firefox.

First, close Firefox.

Next Run

Code:

sudo genprof Firefox

This would generate a "basic" profile for Firefox and place it into complain mode. You'll be able to run Firefox and any violations of the profile would be logged.

I suggest you start by reviewing the profiles for Firefox and add what can.

Now lets follow the logs and we take Firefox for a spin. Open a terminal and enter

Code:

Tail-f/var/log/messages

The next step, with the AppArmor profiles for Firefox still in complain mode, start Firefox and perform "normal activities" . Open and close Firefox, browse some Web sites, download some simple files, browse local files, etc. This would vary from one of the setup to another and we don't all use the Firefox in the same.

During This trial period you'll see a variety of error messages flash in the terminal where your is following/var/log/ Messages. Initially you'll get a overwhelming number, that's OK, work through the error messages one at at time, modify your Pro File, quit Firefox, reload your profile and work on the next set of messages.

If you get stuck and does not understand "what to add", use Aa-logprof. I suggest a backup of your current profile first (keep backups outside OF/ETC/APPARMOR.D):

Code:

sudo cp/etc/apparmor.d/user.lib.firefox-3.0.4.firefox.sh/root/user.lib.firefox-3.0.4.firefox.sh

Next,

Code:

sudo aa-logprof Firefox

This would search your logs and modify your profiles on the basis of what you answer the resulting questions.

Note: Aa-logprof is a bit unrefined and you should review and edit the resulting changes in the profile manually.

My Final profile is (Ubuntu 9.04 Alpha, FF 3.0.4):

# last Modified:thu Dec 11 21:08:14 2008
#include <tunables/global>
/usr/lib/firefox-3.0.4/firefox.sh {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
#include <abstractions/gnome>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
Network Dgram,
Network Stream,
/bin/dash Rix,
/bin/grep Rix,
/bin/ps Rix,
/usr/bin/basename Rix,
/usr/lib/firefox-3.0.4/firefox Mrix,
/usr/lib/gamin/gam_server Mrix,
/DEV/SHM/R,
owner/dev/shm/pulse-* RW,
/ETC/R,
/ETC/FIREFOX-3.0/PREF/R,
/etc/firefox-3.0/pref/* R,
/ETC/GRE.D/R,
/etc/gre.d/1.9.0.4.system.conf R,
/etc/mime.types R,
/etc/pulse/client.conf R,
/etc/sound/events/gtk-events-2.soundlist R,
/etc/xulrunner-1.9/system-greprefs.js R,
owner/home/** RW,
OWNER/HOME/*/.ADOBE/RW,
owner/home/*/.adobe/** RW,
owner/home/*/.config/gtk-2.0/** Rwk,
OWNER/HOME/*/.MACROMEDIA/W,
owner/home/*/.macromedia/** RW,
owner/home/*/.mozilla/** Rwk,
Owner/home/*/.pulse-cookie Rwk,
OWNER/HOME/*/.PULSE/W,
owner/home/*/{desktop,documents,downloads}/RW,
owner/home/*/{desktop,documents,downloads}/** RW,
Owner/proc/*/maps R,
/proc/*/mounts/* R,
Owner/proc/*/stat R,
/proc/version R,
/usr/local/share/** R,
/usr/share/** R,
/var/lib/dbus/machine-id R,
}

Note: If You use this profile, you'll probably not being able to browse local files and/or pictures etc.

Generating a profile was thus an active process a one where can learn what "normal functioning" of Firefox entails. There is only really and mistakes you can make:

1. Too Restrictive. In extreme cases Firefox won't run (when Apparmor was in the enforcing mode).
2. Too permissive. Keep in mind, however, which before you make a profiles Firefox had relatively unfettered access to your system. Also standard Linux permissions still apply.

Some Helpful globs:

/home/*/
/usr/share/** R
/usr/local/share/** R

When your is ready, put the Firefox profiles into enforcing mode. Watch your log and re-start Firefox. Need to further modify your profile.

As with any application, as-AppArmor you'll get a feel for what it works and how to write efficient Profiles.

DON ' T forget to reload a profiles after editing it.

Code:

sudo apparmor_parser-r/etc/apparmor.d/<profile>

Or If you prefer,

Code:

/etc/init.d/apparmor restart

I would also like to start a thread:

Share your AppArmor Profiles