Profile do Apparmor

Firefox:

[code=C]#include <tunables/global>

/usr/{lib/firefox,bin}/firefox {

#include <abstractions/pulse> #include <abstractions/nameservice> #include <abstractions/ssl_certs> #include <abstractions/gnome> #include <abstractions/dconf> #include <abstractions/user-download> #include <abstractions/freedesktop.org> #include <abstractions/consoles> #include <abstractions/site/base> #include <abstractions/site/de> #include <abstractions/site/flash_plugin>

# Launcher /dev/tty* rw, /usr/@{multiarch}{lib/firefox,bin}/firefox rix, /usr/@{multiarch}lib/xulrunner/xulrunner-stub ix,

owner @{HOME}/.mozilla/firefox/** rwk, owner @{HOME}/.cache/ rw, owner @{HOME}/.cache/mozilla/ rw, owner @{HOME}/.cache/mozilla/firefox/ rw, owner @{HOME}/.cache/mozilla/firefox/** rwk, owner @{HOME}/.cache/gstreamer-*/ rw, owner @{HOME}/.cache/gstreamer-*/** rw,

/opt/netscape/plugins/ r, /opt/netscape/plugins/** mr, owner @{HOME}/.mozilla/plugins/ r, owner @{HOME}/.mozilla/plugins/** mr, owner @{HOME}/.mozilla/firefox/*/extensions/** m, owner @{HOME}/.mozilla/extensions/** mr,

/etc/mime.types r, /etc/mailcap r, /usr/share/ r, /usr/share/mime/ r, /usr/share/glib-*/schemas/* r, /usr/share/applications/screensavers/ r, owner @{HOME}/.local/share/ r, owner @{HOME}/.local/share/applications/ r, owner @{HOME}/.local/share/applications/** r,

deny /{,var/}run/user/*/dconf/user w, deny @{HOME}/.config/dconf/user w,

owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/statm r, # for about:memory owner @{PROC}/@{pid}/task/[0-9]*/stat r,

# Minor udev stuff /etc/udev/udev.conf r, /sys/devices/pci**/uevent r, /run/udev/data/* r, /sys/bus/ r, /sys/class/ r,

# Used in private mode /usr/@{multiarch}bin/shred ix,

## Site-local paths # Images in file selection dialogs owner @{HOME}/.thumbnails/** w, # Download handlers owner @{HOME_BIN}/wrappers/leech_*.wrapper Ux, deny /usr/@{multiarch}bin/bash x, # flashgot leechers' detection # It's All Text owner @{HOME}/hatch/cFG/bin/ec Ux, # downloads /etc/fstab r,

/usr/lib/firefox/plugin-container cx -> plugin_container,

profile plugin_container {

#include <abstractions/pulse> #include <abstractions/nameservice> #include <abstractions/consoles> #include <abstractions/gnome> #include <abstractions/site/base> #include <abstractions/site/de> #include <abstractions/site/flash_plugin> #include <abstractions/openssl>

deny @{PROC}/@{pid}/fd/ r, deny @{PROC}/uptime r, deny @{PROC}/@{pid}/smaps r,

deny /etc/passwd r, deny @{HOME}/.mozilla/firefox/** r,

/opt/netscape/plugins/ r, /opt/netscape/plugins/** mr, owner @{HOME}/.mozilla/plugins/ r, owner @{HOME}/.mozilla/plugins/** mr,

deny /usr/@{multiarch}bin/bash x, # execve("/bin/sh", ["sh", "-c", "ps x | grep netscape"])

# VDPAU /etc/adobe/mms.cfg r, /etc/vdpau_wrapper.cfg r, /etc/udev/udev.conf r, /sys/devices/pci**/uevent r, /run/udev/data/+pci* r,

## Site-local paths /etc/core/app/X/* r, /etc/core/app/sec/openssl.cnf r,

}

} [/code]

Iceweasel

/etc/apparmor.d/usr.bin.iceweasel

początek profilu:

[code=C]# vim:syntax=apparmor # Author: Jamie Strandboge <jamie@canonical.com>

# Declare an apparmor variable to help with overrides @{MOZ_LIBDIR}=/@MOZ_LIBDIR@

#include <tunables/global>

# We want to confine the binaries that match: # /@MOZ_LIBDIR@/@MOZ_APP_NAME@ # /@MOZ_LIBDIR@/iceweasel # but not: # /@MOZ_LIBDIR@/iceweasel.sh /usr/lib/iceweasel/iceweasel { #include <abstractions/audio> #include <abstractions/cups-client> #include <abstractions/dbus-session> #include <abstractions/gnome> #include <abstractions/nameservice> #include <abstractions/p11-kit>

# Addons /usr/share/xul-ext/** r, # for networking network inet stream, network inet6 stream, @{PROC}/[0-9]*/net/if_inet6 r, @{PROC}/[0-9]*/net/ipv6_route r, @{PROC}/[0-9]*/net/dev r, @{PROC}/[0-9]*/net/wireless r,

# should maybe be in abstractions /usr/lib/iceweasel/iceweasel ixr, /etc/ r, /etc/mime.types r, /etc/mailcap r, /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives /usr/share/xubuntu/applications/defaults.list r, owner @{HOME}/.local/share/applications/defaults.list r, owner @{HOME}/.local/share/applications/mimeapps.list r, owner @{HOME}/.local/share/applications/mimeinfo.cache r, owner @{HOME}/.gstreamer*/{,**} rw, owner /tmp/** m, owner /var/tmp/** m, /tmp/.X[0-9]*-lock r,

/etc/timezone r, /etc/wildmidi/wildmidi.cfg r,

# iceweasel specific /etc/iceweasel*/ r, /etc/iceweasel*/** r, /etc/xul-ext/** r, /etc/xulrunner-2.0*/ r, /etc/xulrunner-2.0*/** r, /etc/gre.d/ r, /etc/gre.d/* r,

# noisy deny @{MOZ_LIBDIR}/** w, deny /@MOZ_ADDONDIR@/** w, deny /usr/lib/xulrunner-addons/** w, deny /usr/lib/xulrunner-*/components/*.tmp w, deny /.suspended r, deny /boot/initrd.img* r, deny /boot/vmlinuz* r, deny /var/cache/fontconfig/ w, deny @{HOME}/.local/share/recently-used.xbel r,

# TODO: investigate deny /usr/bin/gconftool-2 x,

# These are needed when a new user starts iceweasel and iceweasel.sh is used @{MOZ_LIBDIR}/** ixr, /usr/bin/basename ixr, /usr/bin/dirname ixr, /usr/bin/pwd ixr, /sbin/killall5 ixr, /bin/which ixr, /usr/bin/tr ixr, @{PROC}/ r, @{PROC}/[0-9]*/cmdline r, @{PROC}/[0-9]*/mountinfo r, @{PROC}/[0-9]*/stat r, owner @{PROC}/[0-9]*/task/[0-9]*/stat r, @{PROC}/[0-9]*/status r, @{PROC}/filesystems r, owner @{HOME}/.thumbnails/*/*.png r,

/etc/mtab r, /etc/fstab r,

# Needed for the crash reporter owner @{PROC}/[0-9]*/environ r, owner @{PROC}/[0-9]*/auxv r, /etc/lsb-release r, /usr/bin/expr ix, /sys/devices/system/cpu/ r, /sys/devices/system/cpu/** r,

# about:memory owner @{PROC}/[0-9]*/statm r, owner @{PROC}/[0-9]*/smaps r,

# Needed for container to work in xul builds /usr/lib/xulrunner{,-*}/** ixr,

# allow access to documentation and other files the user may want to look # at in /usr and /opt /usr/lib/{,**} rm, /usr/share/iceweasel/{,**} r, /usr/share/mozilla/{,**} r, /usr/{local/,}share/glib-2.0/{,**} r, /usr/share/xulrunner{,-*}/{,**} r, /usr/share/mime/{,**} r, /usr/share/gstreamer*/{,**} r, /usr/share/hunspell/{,**} r,

# so browsing directories works

# Default profile allows downloads to ~/Downloads and uploads from ~/Public owner @{HOME}/Downloads/ r, owner @{HOME}/Downloads/** rwk,

# per-user iceweasel configuration owner @{HOME}/.cache/{iceweasel,mozilla}/{,**} rw, owner @{HOME}/.cache/dconf/user rw, owner @{HOME}/.cache/dconf/ rw, owner @{HOME}/.config/dconf/user r, owner @{HOME}/.{iceweasel,mozilla}/ rw, owner @{HOME}/.{iceweasel,mozilla}/** rw, owner @{HOME}/.{iceweasel,mozilla}/**/*.{db,parentlock,sqlite}* k, owner @{HOME}/.{iceweasel,mozilla}/plugins/** rm, owner @{HOME}/.{iceweasel,mozilla}/**/plugins/** rm, owner @{HOME}/.config/ibus/bus/ w, owner @{HOME}/.gnome2/iceweasel*-bin-* rw,

# # Extensions # /usr/share/.../extensions/... is already covered by '/usr/** r', above. # Allow 'x' for downloaded extensions, but inherit policy for safety owner @{HOME}/.mozilla/**/extensions/** mixr,

deny @{MOZ_LIBDIR}/update.test w, deny /usr/lib/mozilla/extensions/**/ w, deny /usr/lib/xulrunner-addons/extensions/**/ w, deny /usr/share/mozilla/extensions/**/ w, deny /usr/share/mozilla/ w,

# Miscellaneous (to be abstracted) # Ideally these would use a child profile. They are all ELF executables # so running with 'Ux', while not ideal, is ok because we will at least # benefit from glibc's secure execute. /usr/bin/mkfifo Uxr, # investigate /bin/ps Uxr, /bin/uname Uxr,

# Site-specific additions and overrides. See local/README for details. }[/code]

WINE

/etc/apparmor.d/usr.bin.wine

początek profilu:

[code=C]#include <tunables/global>

/usr/bin/wine-preloader {

#include <abstractions/base> #include <abstractions/fonts> #include <abstractions/nameservice> #include <abstractions/site/de> #include <abstractions/site/base> #include <abstractions/X> #include <abstractions/freedesktop.org> #include <abstractions/pulse> #include <abstractions/p11-kit>

/usr/@{multiarch}bin/wine-preloader rix, /usr/@{multiarch}bin/wineserver px, /usr/@{multiarch}bin/wine mr,

/usr/@{multiarch}lib/wine/*.so mr, /usr/share/wine/fonts/ r, /usr/share/wine/fonts/* r, /usr/share/wine/wine.inf r,

/etc/fstab r, /usr/share/terminfo/** r,

/tmp/.wine-*/ rw, /tmp/.wine-*/server-*/ rw, /tmp/.wine-*/server-*/* rwmk,

owner @{HOME}/ r, owner @{HOME}/.wine/ rw, owner @{HOME}/.wine/** rwmk, owner @{HOME}/.local/share/icons/hicolor/** rwk, owner @{HOME}/.local/share/applications/** rwk, owner @{HOME}/.config/menus/applications-merged/wine-* rwk, owner @{HOME}/.local/share/desktop-directories/wine-* rwk,

# Mostly winemenubuilder stuff deny /usr/@{multiarch}bin/update-mime-database x, deny /usr/@{multiarch}bin/update-desktop-database x, deny @{HOME}/.local/share/mime/** w,

# For winedbg deny capability sys_ptrace, # owner @{PROC}/*/mem rw,

# hw /etc/udev/udev.conf r, /run/udev/data/* r, /run/udev/queue.bin r, /sys/devices/pci** r, /dev/video0 rw, # dri?

# for initial ~/.wine creation/updates only / r, /usr/share/wine/** r, owner @{HOME}/.cache/ r, owner @{HOME}/.cache/wine/ rwk, owner @{HOME}/.cache/wine/** rwk,

# Actual apps/games owner @{PROC}/@{pid}/mounts r, /etc/machine-id r, /mnt/iso/ r, /mnt/iso/** r, deny @{HOME}/Downloads/ rw, deny @{HOME}/Downloads/** rw, deny @{HOME}/.local/share/Trash/ rw,

/usr/bin/dosbox cx -> dosbox,

profile dosbox { #include <abstractions/base> #include <abstractions/X> #include <abstractions/pulse> #include <abstractions/site/base>

/etc/fstab r, owner @{PROC}/@{pid}/mounts r,

# DosBox seem to use these directly /dev/input/event[0-9]* r, /dev/input/js[0-9]* r,

owner @{HOME}/ r, owner @{HOME}/.wine/ rw, owner @{HOME}/.wine/** rwmk,

# Actual apps/games /mnt/iso/ r, /mnt/iso/** r, }

}

/usr/bin/wineserver {

#include <abstractions/base> #include <abstractions/nameservice> #include <abstractions/freedesktop.org>

/usr/@{multiarch}bin/wineserver r,

/tmp/.wine-*/ rw, /tmp/.wine-*/server-*/ rw, /tmp/.wine-*/server-*/* rwmk,

owner @{HOME}/ r, owner @{HOME}/.wine/ rw, owner @{HOME}/.wine/** rwmk, owner @{HOME}/.local/share/icons/hicolor/** rwk,

# For winedbg deny capability sys_ptrace, # owner @{PROC}/*/mem rw,

# for initial ~/.wine creation only / r, /usr/share/wine/** rk, owner @{HOME}/.cache/ r, owner @{HOME}/.cache/wine/ rwk, owner @{HOME}/.cache/wine/** rwk,

# Actual apps/games network ipx dgram, # IPX, wow ;) /etc/machine-id r, /etc/ld.so.preload r, /mnt/iso/ r, /mnt/iso/** r, deny @{HOME}/Downloads/ rw, deny @{HOME}/.local/share/Trash/ rw,

}[/code]

Aby uruchomić dany profil w Apparmor:

aa-enforce /etc/apparmor.d/nazwa-profilu

np.

aa-enforce /etc/apparmor.d/usr.bin.iceweasel

Jeśli dany profil blokuje działanie aplikacji wtedy można dodać brakujące uprawnienia przez czytanie z logu i dodanie "Allow" brakujacych uprawnień

aa-logprof

.

Jeżeli są problemy z działaniem aplikacji należy przestawić dany profil w tryb pasywny:

aa-complain /etc/apparmor.d/nazwa-profilu

.

Przez Apparmor najlepiej jest zabezpieczać te programy których używa sie do korzystania z internetu - najczęściej przęglądarki.Nie ma sensu ograniczać programu który nie korzysta z usług sieciowych.

Zbiór gotowych profili można zainstalować z repo:

aptitude -y install apparmor-profiles apparmor-profiles-extra

Sprawdzenie stanu aplikacji tryb aktywny (enforced) / tryb pasywny (complain) / niezdefiniowany (unconfined)

sudo aa-status

@Update

Podstawowa składnia profili (żeby sie zorientować jak są wykonywane):

owner - aplikacja ma prawa użytkownika w tym katalogu/procesie deny - aplikacja nie ma praw dostepu do tego katalogu /procesu Inne zmienne: r -możliwosc odczytu w -możliwosc zapisu m -możliwośc wykonywania procesu k -mozliwosc zapisu do pliku i jego zablokowania