
Client Security – AppArmor

I realize this post is a little half-baked right now. Hopefully I will get back to it and flesh it out a little more once I have time again. But I figured I'd drop this for now, since AppArmor is often perceived as scary and impenetrable, and it is far from it. Hopefully this post will get you in the mood to explore more on your own.

Check which profiles AppArmor is currently enforcing. There should be a couple.

sudo apt-get install apparmor-utils
sudo apparmor_status

sudo apparmor_status
apparmor module is loaded.
40 profiles are loaded.
40 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/bin/freshclam
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//lsb_release
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
   /usr/lib/chromium-browser/chromium-browser//xdgsettings
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/firefox/firefox{,*[^s][^h]}
   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
   /usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release
   /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
   /usr/lib/libvirt/virt-aa-helper
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/lib/telepathy/mission-control-5
   /usr/lib/telepathy/telepathy-*
   /usr/lib/telepathy/telepathy-*//pxgsettings
   /usr/lib/telepathy/telepathy-*//sanitized_helper
   /usr/lib/telepathy/telepathy-ofono
   /usr/sbin/clamd
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/ippusbxd
   /usr/sbin/libvirtd
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
14 processes have profiles defined.
14 processes are in enforce mode.
   /sbin/dhclient (2025) 
   /usr/bin/freshclam (1426) 
   /usr/lib/firefox/firefox{,*[^s][^h]} (11522) 
   /usr/lib/firefox/firefox{,*[^s][^h]} (11651) 
   /usr/lib/firefox/firefox{,*[^s][^h]} (11667) 
   /usr/lib/firefox/firefox{,*[^s][^h]} (11715) 
   /usr/lib/firefox/firefox{,*[^s][^h]} (11759) 
   /usr/lib/firefox/firefox{,*[^s][^h]} (11788) 
   /usr/lib/telepathy/mission-control-5 (10850) 
   /usr/sbin/clamd (12484) 
   /usr/sbin/cups-browsed (1513) 
   /usr/sbin/cupsd (1444) 
   /usr/sbin/libvirtd (1658) 
   /usr/sbin/ntpd (2658) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
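Reading a listing like the one above by eye is fine once, but a small check is handier when you want to confirm the browsers stay confined after upgrades. The following shell example is added here and is not part of the original post: it parses the text printed by apparmor_status and reports, per profile, whether it is in enforce mode, in complain mode, or not loaded at all. The embedded status text is a constructed, abridged sample; on a live machine you feed it the real command output as shown in the comment.

```shell
#!/bin/sh
# Added example (not part of the original post): classify a profile from the
# text printed by `sudo apparmor_status`.

# Constructed, abridged apparmor_status output used as offline sample input.
SAMPLE_STATUS='apparmor module is loaded.
4 profiles are loaded.
3 profiles are in enforce mode.
   /usr/lib/firefox/firefox{,*[^s][^h]}
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
1 profiles are in complain mode.
   /usr/lib/chromium-browser/chromium-browser
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (1444)
1 processes are in complain mode.
   /usr/lib/chromium-browser/chromium-browser (11522)
0 processes are unconfined but have a profile defined.'

# profile_mode STATUS_TEXT PROFILE_NAME -> prints enforce, complain or absent.
# Only the "profiles are in ... mode" sections are read; the per-process
# lines that follow "processes have profiles defined" are skipped.
profile_mode() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /profiles are in enforce mode/    { section = "enforce";  next }
        /profiles are in complain mode/   { section = "complain"; next }
        /processes have profiles defined/ { section = "" }
        section != "" {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            if ($0 == want) { print section; found = 1; exit }
        }
        END { if (!found) print "absent" }'
}

# require_enforced STATUS_TEXT PROFILE... -> exit status 0 only when every
# named profile is in enforce mode; the others are reported on stdout.
require_enforced() {
    status=$1; shift
    ok=0
    for p in "$@"; do
        mode=$(profile_mode "$status" "$p")
        [ "$mode" = enforce ] || { printf '%s: %s\n' "$p" "$mode"; ok=1; }
    done
    return $ok
}

# Live use:
#   require_enforced "$(sudo apparmor_status)" \
#       '/usr/lib/firefox/firefox{,*[^s][^h]}' /usr/lib/chromium-browser/chromium-browser
# The confinement of one running pid can also be read from
# /proc/<pid>/attr/current, which prints the profile name and its mode.
require_enforced "$SAMPLE_STATUS" \
    '/usr/lib/firefox/firefox{,*[^s][^h]}' \
    /usr/lib/chromium-browser/chromium-browser \
    /usr/bin/evince || echo "some profiles are not enforced"
```

The profile name must match the status line exactly, including the `{,*[^s][^h]}` suffix Ubuntu uses for Firefox; that suffix is an AppArmor glob, not a regex, so the comparison is a plain string equality.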

If none of your AppArmor profiles are in enforce mode, Firefox and Chrome are not protected on your machine.

Firefox comes with a ready-to-go profile from the developer. To turn it on:

sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

For Chrome there is no good profile included, probably because Google is more into SELinux.

Get the relevant files from the link below, or if you want to have a Google session and find a better profile for Ubuntu 16.04, go for it! 🙂

https://github.com/Rafiot/apparmor-profiles/blob/master/profiles/usr.bin.chromium-browser

They go here:

sudo vi /etc/apparmor.d/usr.bin.chromium-browser 

See the example from Rafiot on GitHub below:


# Author: Jamie Strandboge <jamie@canonical.com>
#include <tunables/global>

# We need 'flags=(attach_disconnected)' in newer chromium versions
/usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) {
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-session>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
  # you want access to productivity applications, adjust the following file
  # accordingly.
  #include <abstractions/ubuntu-browsers.d/chromium-browser>

  # Networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,

  # Should maybe be in abstractions
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/mtab r,
  /etc/xdg/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,

  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/filesystems r,
  @{PROC}/ r,
  @{PROC}/[0-9]*/task/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/cmdline r,
  owner @{PROC}/[0-9]*/io r,
  @{PROC}/[0-9]*/smaps r,
  owner @{PROC}/[0-9]*/stat r,
  @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/status r,
  owner @{PROC}/[0-9]*/oom_{,score_}adj w,

  # Newer chromium needs these now
  /etc/udev/udev.conf r,
  /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
  /sys/devices/pci[0-9]*/**/class r,
  /sys/devices/pci[0-9]*/**/device r,
  /sys/devices/pci[0-9]*/**/irq r,
  /sys/devices/pci[0-9]*/**/resource r,
  /sys/devices/pci[0-9]*/**/vendor r,
  /sys/devices/pci[0-9]*/**/removable r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/pci[0-9]*/**/block/**/size r,
  /sys/devices/virtual/block/**/removable r,
  /sys/devices/virtual/block/**/uevent r,
  /sys/devices/virtual/block/**/size r,
  # This is requested, but doesn't seem to actually be needed so deny for now
  deny /run/udev/data/** r,

  # Needed for the crash reporter
  owner @{PROC}/[0-9]*/auxv r,

  # chromium mmaps all kinds of things for speed.
  /etc/passwd m,
  /usr/share/fonts/truetype/**/*.tt[cf] m,
  /usr/share/fonts/**/*.pfb m,
  /usr/share/mime/mime.cache m,
  /usr/share/icons/**/*.cache m,
  owner /{dev,run}/shm/pulse-shm* m,
  owner @{HOME}/.local/share/mime/mime.cache m,
  owner /tmp/** m,

  @{PROC}/sys/kernel/shmmax r,
  owner /{dev,run}/shm/{,.}org.chromium.* mrw,

  /usr/lib/chromium-browser/*.pak mr,
  /usr/lib/chromium-browser/locales/* mr,

  # Noisy
  deny /usr/lib/chromium-browser/** w,

  # Allow ptracing ourselves
  ptrace (trace) peer=@{profile_name},

  # Make browsing directories work
  / r,
  /**/ r,

  # Allow access to documentation and other files the user may want to look
  # at in /usr
  /usr/{include,share,src}** r,

  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
  owner @{HOME}/ r,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,

  # For migration
  owner @{HOME}/.mozilla/firefox/profiles.ini r,
  owner @{HOME}/.mozilla/firefox/*/prefs.js r,

  # Helpers
  /usr/bin/xdg-open ixr,
  /usr/bin/gnome-open ixr,
  /usr/bin/gvfs-open ixr,
  # TODO: kde, xfce

  # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
  # which is provided by abstractions/ubuntu-browsers.d/user-files).
  @{PROC}/[0-9]*/oom_{,score_}adj w,
  /etc/firefox/profile/bookmarks.html r,
  owner @{HOME}/.mozilla/** k,

  # Chromium configuration
  owner @{HOME}/.pki/nssdb/* rwk,
  owner @{HOME}/.cache/chromium/ rw,
  owner @{HOME}/.cache/chromium/** rw,
  owner @{HOME}/.cache/chromium/Cache/* mr,
  owner @{HOME}/.config/chromium/ rw,
  owner @{HOME}/.config/chromium/** rwk,
  owner @{HOME}/.config/chromium/**/Cache/* mr,
  owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
  owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,

  # Allow transitions to ourself and our sandbox
  /usr/lib/chromium-browser/chromium-browser ix,
  /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,
  /usr/lib/chromium-browser/chrome-sandbox cx -> chromium_browser_sandbox,

  /bin/ps Uxr,
  /usr/lib/chromium-browser/xdg-settings Cxr -> xdgsettings,
  /usr/bin/xdg-settings Cxr -> xdgsettings,
  /usr/bin/lsb_release Cxr -> lsb_release,

  # GSettings
  owner /{,var/}run/user/*/dconf/     rw,
  owner /{,var/}run/user/*/dconf/user rw,
  owner @{HOME}/.config/dconf/user r,

  profile xdgsettings flags=(attach_disconnected) {
    #include <abstractions/bash>
    #include <abstractions/gnome>

    /bin/dash ixr,

    /etc/ld.so.cache r,
    /usr/bin/xdg-settings r,
    /usr/lib/chromium-browser/xdg-settings r,
    /usr/share/applications/*.desktop r,

    # Checking default browser
    /bin/grep ixr,
    /bin/readlink ixr,
    /bin/sed ixr,
    /bin/which ixr,
    /usr/bin/basename ixr,
    /usr/bin/cut ixr,

    # Setting the default browser
    /bin/mkdir ixr,
    /bin/mv ixr,
    /bin/touch ixr,
    /usr/bin/dirname ixr,
    /usr/bin/gconftool-2 ix,
    /usr/bin/[gm]awk ixr,
    /usr/bin/xdg-mime ixr,
    owner @{HOME}/.local/share/applications/ w,
    owner @{HOME}/.local/share/applications/mimeapps.list* rw,
  }

  profile lsb_release flags=(attach_disconnected) {
    #include <abstractions/base>
    #include <abstractions/python>
    /usr/bin/lsb_release r,
    /bin/dash ixr,
    /usr/bin/dpkg-query ixr,
    /usr/include/python2.[4567]/pyconfig.h r,
    /etc/lsb-release r,
    /etc/debian_version r,
    /var/lib/dpkg/** r,

    /usr/local/lib/python3.[0-4]/dist-packages/ r,
    /usr/bin/ r,
    /usr/bin/python3.[0-4] r,
  }


  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.chromium-browser>

  profile chromium_browser_sandbox flags=(attach_disconnected) {
    # Be fanatical since it is setuid root and don't use an abstraction
    /lib/libgcc_s.so* mr,
    /lib/@{multiarch}/libgcc_s.so* mr,
    /lib{,32,64}/libm-*.so* mr,
    /lib/@{multiarch}/libm-*.so* mr,
    /lib{,32,64}/libpthread-*.so* mr,
    /lib/@{multiarch}/libpthread-*.so* mr,
    /lib{,32,64}/libc-*.so* mr,
    /lib/@{multiarch}/libc-*.so* mr,
    /lib{,32,64}/libld-*.so* mr,
    /lib/@{multiarch}/libld-*.so* mr,
    /lib{,32,64}/ld-*.so* mr,
    /lib/@{multiarch}/ld-*.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
    /usr/lib/libstdc++.so* mr,
    /usr/lib/@{multiarch}/libstdc++.so* mr,
    /etc/ld.so.cache r,

    # Required for dropping into PID namespace. Keep in mind that until the
    # process drops this capability it can escape confinement, but once it
    # drops CAP_SYS_ADMIN we are ok.
    capability sys_admin,

    # All of these are for sanely dropping from root and chrooting
    capability chown,
    capability fsetid,
    capability setgid,
    capability setuid,
    capability dac_override,
    capability sys_chroot,

    capability sys_ptrace,
    ptrace (read, readby),

    @{PROC}/ r,
    @{PROC}/[0-9]*/ r,
    @{PROC}/[0-9]*/fd/ r,
    owner @{PROC}/[0-9]*/oom_adj w,
    owner @{PROC}/[0-9]*/oom_score_adj w,
    @{PROC}/[0-9]*/status r,
    @{PROC}/[0-9]*/task/[0-9]*/stat r,

    /usr/bin/chromium-browser r,
    /usr/lib/chromium-browser/chromium-browser Px,
    /usr/lib/chromium-browser/chromium-browser-sandbox r,
    /usr/lib/chromium-browser/chrome-sandbox r,

    /dev/null rw,

    owner /tmp/** rw,
  }
}

You will also need:

sudo vi /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser

# This file is currently not managed by the package, but in the future
# it will be overwritten on upgrades.
#
# For site-specific adjustments, please see:
# /etc/apparmor.d/local/usr.bin.chromium-browser

#include <abstractions/ubuntu-browsers.d/plugins-common>
#include <abstractions/ubuntu-browsers.d/mailto>
#include <abstractions/ubuntu-browsers.d/multimedia>
#include <abstractions/ubuntu-browsers.d/productivity>
#include <abstractions/ubuntu-browsers.d/java>
#include <abstractions/ubuntu-browsers.d/kde>
#include <abstractions/ubuntu-browsers.d/text-editors>
#include <abstractions/ubuntu-browsers.d/ubuntu-integration>
#include <abstractions/ubuntu-browsers.d/user-files>

If further files are referenced, use the error messages produced when enabling the Chromium profile with the command below to find those files in the Git repository.

sudo aa-enforce /etc/apparmor.d/usr.bin.chromium-browser
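Rather than discovering missing abstractions one aa-enforce error at a time, you can list up front which `#include <...>` targets of a profile are absent. The shell example below is added here and is not part of the original post or of Rafiot's repository. The `missing_includes` function reads one profile file and checks each include against the AppArmor configuration directory (assumed to be /etc/apparmor.d unless a second argument is given); `demo_missing` exercises it on a constructed temporary directory tree and a constructed miniature profile, so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the original post): find #include targets a
# profile references that do not exist under the AppArmor config directory.

# missing_includes PROFILE_FILE [BASE_DIR]
# Prints each "#include <path>" target from PROFILE_FILE that is absent under
# BASE_DIR (default /etc/apparmor.d), once each, in order of first appearance.
# Only the angle-bracket form is handled; includes nested inside abstraction
# files are not followed (the real parser recurses into them).
missing_includes() {
    base=${2:-/etc/apparmor.d}
    sed -n 's/^[[:space:]]*#include[[:space:]]*<\([^>]*\)>.*/\1/p' "$1" \
        | awk '!seen[$0]++' \
        | while IFS= read -r inc; do
            [ -e "$base/$inc" ] || printf '%s\n' "$inc"
        done
}

# Self-contained demonstration on a constructed directory tree: only some of
# the abstractions named by the sample profile are created, so the remaining
# one is reported. The profile text is a constructed fragment, not a real one.
demo_missing() {
    d=$(mktemp -d)
    mkdir -p "$d/abstractions/ubuntu-browsers.d" "$d/tunables" "$d/local"
    : > "$d/tunables/global"
    : > "$d/abstractions/base"
    : > "$d/abstractions/ubuntu-browsers.d/user-files"
    : > "$d/local/usr.bin.chromium-browser"
    cat > "$d/usr.bin.chromium-browser" <<'EOF'
#include <tunables/global>
/usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/ubuntu-browsers.d/chromium-browser>
  #include <abstractions/ubuntu-browsers.d/user-files>
  # This include specifies which ubuntu-browsers.d abstractions to use.
  #include <abstractions/ubuntu-browsers.d/chromium-browser>
  #include <local/usr.bin.chromium-browser>
}
EOF
    missing_includes "$d/usr.bin.chromium-browser" "$d"
    rm -rf "$d"
}

# Live use: missing_includes /etc/apparmor.d/usr.bin.chromium-browser
demo_missing
```

Running the demo prints `abstractions/ubuntu-browsers.d/chromium-browser`, the one include the constructed tree lacks. On a real system, every path this prints is a file to fetch from the repository into /etc/apparmor.d before aa-enforce will load the profile.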

If you ever want or need to tweak any of the existing profiles to make something work, run:

sudo aa-complain <profilename> 

Then use the profiled application for a while, or perform the action you could not perform. Look at /var/log/syslog and grep for the keyword audit; the entries show what to adjust in the profile to make things work.
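The audit lines are verbose, so it helps to condense them into candidate rules. The shell example below is added here and is not part of the original post. One caveat it encodes: in enforce mode the kernel logs a blocked access as `apparmor="DENIED"`, but in complain mode the very same event is logged as `apparmor="ALLOWED"` (the access went through and was only recorded), so a grep for DENIED alone would miss everything you collected after aa-complain. The function extracts the `profile`, `name` and `requested_mask` fields from both kinds of line, merges the masks seen for each path, and prints one rule per path. The syslog lines embedded as input are constructed samples with made-up host name, pids and paths.

```shell
#!/bin/sh
# Added example (not part of the original post): turn AppArmor audit lines
# from /var/log/syslog into candidate profile rules for one profile.

# Constructed sample syslog lines (fabricated host, pids and paths).
SAMPLE_SYSLOG='Nov 25 10:00:01 laptop kernel: [ 1234.567890] audit: type=1400 audit(1480000000.100:51): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/etc/fstab" pid=11522 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 25 10:00:02 laptop kernel: [ 1234.600000] audit: type=1400 audit(1480000000.200:52): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/home/user/Music/song.ogg" pid=11522 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov 25 10:00:03 laptop kernel: [ 1234.700000] audit: type=1400 audit(1480000000.300:53): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/home/user/Music/song.ogg" pid=11522 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 25 10:00:04 laptop kernel: [ 1234.800000] audit: type=1400 audit(1480000000.400:54): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/hosts.allow" pid=1444 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 25 10:00:05 laptop kernel: [ 1234.900000] audit: type=1400 audit(1480000000.500:55): apparmor="STATUS" operation="profile_replace" name="/usr/lib/chromium-browser/chromium-browser" pid=900 comm="apparmor_parser"'

# suggest_rules LOGTEXT PROFILE
# Prints one "path mask," line per file the named profile was blocked from
# (DENIED, enforce mode) or would have been blocked from (ALLOWED, complain
# mode), merging the requested masks of repeated events on the same path.
suggest_rules() {
    printf '%s\n' "$1" | awk -v prof="$2" '
        # field(key) returns the value of key="..." on the current line, or "".
        # The leading space keeps "name" from matching inside other keys.
        function field(key) {
            if (match($0, " " key "=\"[^\"]*\""))
                return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
            return ""
        }
        /apparmor="(DENIED|ALLOWED)"/ && field("profile") == prof {
            path = field("name"); mask = field("requested_mask")
            if (path == "") next
            # union of the mask letters seen so far for this path
            for (i = 1; i <= length(mask); i++) {
                c = substr(mask, i, 1)
                if (index(masks[path], c) == 0) masks[path] = masks[path] c
            }
        }
        END { for (p in masks) print p " " masks[p] "," }' | sort
}

# Live use, after `sudo aa-complain <profile>` and exercising the application:
#   suggest_rules "$(grep audit /var/log/syslog)" /usr/lib/chromium-browser/chromium-browser
# Treat the output as a starting point: generalise user paths with owner
# @{HOME}/..., and drop anything the application has no business touching
# instead of granting it just because it was requested.
suggest_rules "$SAMPLE_SYSLOG" /usr/lib/chromium-browser/chromium-browser
```

On the sample input this prints `/etc/fstab r,` and `/home/user/Music/song.ogg rw,` for the Chromium profile, with the two song.ogg events folded into one rule, while the cupsd denial and the STATUS line are ignored for that profile.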
