The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
Posted: Tue Aug 28, 2012 12:05 am Post subject: restricting skype and wine, disallow a use by a user [solved]
I am intending to install skype and only run it from a new, dedicated user to limit my system's exposure to it. Not installing skype really is not an option, so if there are any other ideas, I would like to hear them.
Second, I would like to disallow my normal user from running skype, just so I don't do it by accident. I can't seem to find any instructions on how to do this on Google.
I would like to do the same thing with wine.
By the way, the method I intend to use is as follows:
add a group called skype
make a new user with primary group skype and also add to the audio group
add an alias to my .bashrc file: alias skype="xhost +local: && sudo -u skype /opt/bin/skype"
add %wheel ALL=(skype) NOPASSWD: /usr/bin/skype to my sudoers file
This method comes from the Arch Linux Wiki.
I would like to do the same for wine, and even more critically I want to prevent wine from ever starting as my normal user. If it does catch a cold, I don't want it spreading to my data.
Thanks!
_________________
First things first, but not necessarily in that order.
Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
Last edited by The Doctor on Tue Aug 28, 2012 1:38 am; edited 1 time in total
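A consistency check for the alias and sudoers line in the post above, written here as an added example (it is not from the post or the Arch wiki). It embeds constructed copies of the two lines, uses a minimal parser that understands only one-line sudoers user specs, and reports anything that would make the sudo call fail or widen access beyond the dedicated account.

```python
import re
import shlex

# Constructed copies of the two lines in the post: the .bashrc alias and the sudoers entry.
ALIAS_LINE = 'alias skype="xhost +local: && sudo -u skype /opt/bin/skype"'
SUDOERS_LINE = "%wheel ALL=(skype) NOPASSWD: /usr/bin/skype"

def parse_sudoers_rule(line: str) -> dict:
    """Minimal parser for a one-line user spec: who, host, runas user, tags, command list."""
    m = re.match(r"^(\S+)\s+([^\s=]+)\s*=\s*\((\S+?)\)\s*((?:\w+:\s*)*)(.+)$", line.strip())
    if not m:
        raise ValueError(f"unsupported sudoers syntax: {line!r}")
    who, host, runas, tags, cmds = m.groups()
    return {"who": who, "host": host, "runas": runas,
            "tags": [t.rstrip(":") for t in tags.split()],
            "commands": [c.strip() for c in cmds.split(",")]}

def parse_sudo_alias(line: str) -> dict:
    """Pull the 'sudo -u USER CMD' part out of a bash alias like the posted one."""
    body = line.split("=", 1)[1].strip().strip('"')
    segments = [s.strip() for s in body.split("&&")]
    for segment in segments:
        argv = shlex.split(segment)
        if argv and argv[0] == "sudo" and "-u" in argv:
            u = argv.index("-u")
            return {"runas": argv[u + 1], "command": argv[u + 2],
                    "xhost_local": any(s.startswith("xhost") and "+local" in s for s in segments)}
    raise ValueError("alias does not invoke sudo -u")

def check(alias: dict, rule: dict) -> list[str]:
    """Problems that would make the alias fail under sudo or weaken the isolation."""
    problems = []
    if alias["runas"] != rule["runas"]:
        problems.append(f"runas mismatch: alias uses {alias['runas']}, sudoers allows {rule['runas']}")
    if alias["command"] not in rule["commands"]:
        problems.append(f"command {alias['command']} is not in the sudoers list {rule['commands']}")
    if "NOPASSWD" in rule["tags"] and "ALL" in rule["commands"]:
        problems.append("NOPASSWD with ALL lets the caller run anything as the runas user without a password")
    if alias["xhost_local"]:
        problems.append("xhost +local: opens the X display to every local user, not just the skype account")
    return problems
```

Run against the two posted lines it reports the /opt/bin vs /usr/bin path mismatch (sudo would refuse the alias's command) and the broad xhost grant.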
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Tue Aug 28, 2012 12:59 am
chgrp blobusers, chmod o-x,g+x /usr/bin/wine?
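The chgrp/chmod recipe above works because Unix DAC consults exactly one class of permission bits for a caller (owner, else group, else other), so removing the "other" execute bit blocks every account outside the group. The added example below (not from the thread) models that decision and applies the recipe to a constructed stand-in for /usr/bin/wine in a temporary directory, with the running process's own gid standing in for the blobusers group; root and CAP_DAC_OVERRIDE are deliberately not modelled, which is also why the sudo path in the first post is unaffected.

```python
import os
import stat
import tempfile

def restrict_exec_to_group(path: str, gid: int) -> None:
    """Ant P.'s recipe as syscalls: chgrp <group>, then chmod o-x,g+x (owner bits untouched)."""
    os.chown(path, -1, gid)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, (mode & ~stat.S_IXOTH) | stat.S_IXGRP)

def exec_allowed(path: str, uid: int, gids: set[int]) -> bool:
    """Unix DAC execute check for an ordinary user. Exactly one class of bits is consulted:
    owner bits if uid owns the file, else group bits if any of the caller's gids match,
    else the 'other' bits. Root / CAP_DAC_OVERRIDE is deliberately not modelled."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        return bool(mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def demo() -> dict:
    """Apply the recipe to a constructed stand-in for /usr/bin/wine and evaluate three callers."""
    with tempfile.TemporaryDirectory() as d:
        wine = os.path.join(d, "wine")
        with open(wine, "w") as f:
            f.write("#!/bin/sh\necho wine\n")
        os.chmod(wine, 0o755)                      # typical distro mode before the change
        me, blobusers = os.getuid(), os.getgid()   # our own gid stands in for 'blobusers'
        restrict_exec_to_group(wine, blobusers)
        normal_user = me + 1                       # hypothetical account that does not own the file
        return {
            "mode": oct(stat.S_IMODE(os.stat(wine).st_mode)),
            "owner": exec_allowed(wine, me, {blobusers}),
            "member": exec_allowed(wine, normal_user, {blobusers}),
            "outsider": exec_allowed(wine, normal_user, {normal_user}),
        }
```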
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Tue Aug 28, 2012 1:08 am Post subject: Re: restricting skype and wine, disallow a use by a user
> penguin swordmaster wrote: limit my system's exposure to it
I run skype (along with e.g. firefox) under AppArmor. I'd recommend it.
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
Posted: Tue Aug 28, 2012 1:18 am
> Ant P. wrote: chgrp blobusers, chmod o-x,g+x /usr/bin/wine?
Thanks, that works!
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
Posted: Tue Aug 28, 2012 1:24 am Post subject: Re: restricting skype and wine, disallow a use by a user
> PaulBredbury wrote:
> > penguin swordmaster wrote: limit my system's exposure to it
> I run skype (along with e.g. firefox) under AppArmor. I'd recommend it.
Thanks for the recommendation, I'll look into it.
Jacekalex Guru
Joined: 17 Sep 2009 Posts: 553
Posted: Tue Sep 04, 2012 2:45 am
AppArmor is a good choice, but it requires a patch to ensure compatibility with version 2.4, which I have not found (working) on kernels older than 3.2.9, not to mention version 3.5.3, which I'm currently using.
Without this patch you will see this result:
Code:
/etc/init.d/apparmor start
apparmor | * Starting apparmor ...
apparmor | * apparmor compatibility is not present in the kernel [!! ]
apparmor | * ERROR: apparmor failed to start
You can also use Grsecurity and set up an ACL policy for the system; step-by-step information is on the Gentoo Hardened wiki.
A sample grsecurity ACL profile for skype (skype runs as a separate user, voip):
Code:
subject /opt/skype/skype o {
/ h
/SYSV00000000 x
/SYSV00003400 x
/SYSV00003401 x
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null rw
/dev/port h
/dev/snd rxw
/dev/urandom r
/dev/video1 rw
/etc rx
/etc/grsec h
/etc/gshadow h
/etc/ppp h
/etc/samba/smbpasswd h
/etc/shadow h
/etc/ssh h
/etc/ssl/private h
/home h
/home/*/.ssh h
/home/*/.purple h
/home/*/.mozilla h
/home/*/.opera h
/home/*/.thunderbird h
/home/voip rw
/home/voip/.Skype rwcd
/home/voip/.Skype/{PROFILE_NAME} rwcd
/home/voip/.Skype/shared_dynco
/home/voip/.Skype/shared_dynco/dc.db rw
/home/voip/.Skype/shared_dynco/dc.db-journal rwcd
/home/voip/.Skype/shared_dynco/dc.lock rwcd
/home/voip/.Skype/shared_httpfe
/home/voip/.Skype/shared_httpfe/queue.db rw
/home/voip/.Skype/shared_httpfe/queue.lock rwcd
/lib rx
/lib/modules h
/opt
/opt/skype rx
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/selinux
/tmp rwcd
/usr
/usr/bin/dbus-launch x
/usr/lib rx
/usr/share rx
/usr/src h
/var h
/var/cache h
/var/cache/fontconfig rx
/var/lib h
/var/lib/dbus/machine-id r
-CAP_ALL
bind 127.0.0.1/32:0 dgram udp
bind 0.0.0.0/32:0 stream dgram ip tcp udp
bind 0.0.0.0/32:7334 stream dgram ip tcp udp
connect 0.0.0.0/0:1024-65535 stream dgram tcp udp
connect 0.0.0.0/0:443 stream dgram tcp udp
connect 0.0.0.0/0:80 stream dgram tcp udp
connect 0.0.0.0/0:53 stream dgram tcp udp
sock_allow_family netlink
}
These rules were generated automatically in gradm learning mode.
http://www.gentoo.org/proj/en/hardened/grsecurity.xml
Cheers
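An added example (not from the post and not gradm's own code) that parses a constructed excerpt of the profile above and runs a few defender-side checks on it. It applies grsecurity's rule that the most specific matching object decides a path's access, so an unlisted path inherits the mode of its longest listed ancestor; the excerpt deliberately leaves out the `/etc/ssl/private h` line of the posted profile so that inherited `/etc rx` access shows up as a finding.

```python
import fnmatch
import re

# Constructed excerpt of the profile posted above; its '/etc/ssl/private h' line is left out on purpose.
PROFILE = """\
subject /opt/skype/skype o {
/ h
/etc rx
/etc/shadow h
/home/*/.ssh h
/home/voip rw
-CAP_ALL
bind 0.0.0.0/32:7334 stream dgram ip tcp udp
connect 0.0.0.0/0:443 stream dgram tcp udp
sock_allow_family netlink
}
"""

def parse_subject(text: str):
    """Objects as {path: set(mode letters)}; caps, bind/connect and socket-family lines as rule strings."""
    objects, rules = {}, []
    for line in text.strip().splitlines()[1:-1]:      # drop 'subject ... {' and '}'
        if line.startswith("/"):
            path, _, mode = line.partition(" ")
            objects[path] = set(mode.strip())
        else:
            rules.append(line.strip())
    return objects, rules

def effective_mode(objects: dict, path: str) -> set:
    """Most specific matching object wins (globs allowed); unlisted paths inherit their longest listed ancestor."""
    best, best_len = set(), -1
    for obj, mode in objects.items():
        if fnmatch.fnmatchcase(path, obj) or fnmatch.fnmatchcase(path, obj.rstrip("/") + "/*"):
            if len(obj) > best_len:
                best, best_len = mode, len(obj)
    return best

def audit(objects: dict, rules: list) -> list:
    """Defender-side review of the parsed profile; each returned string is one finding."""
    findings = [f"writable system path: {p}" for p, m in objects.items()
                if "w" in m and p.startswith(("/etc", "/usr", "/lib", "/opt"))]
    for secret in ("/etc/shadow", "/home/voip/.ssh/id_rsa", "/etc/ssl/private/key.pem"):
        if "h" not in effective_mode(objects, secret):
            findings.append(f"secret reachable: {secret} as {''.join(sorted(effective_mode(objects, secret)))}")
    for m in (re.match(r"bind 0\.0\.0\.0/\d+:(\d+)", r) for r in rules):
        if m and m.group(1) != "0":                    # port 0 is an ephemeral bind, not a listener
            findings.append(f"listens on all interfaces, port {m.group(1)}")
    return findings
```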
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Tue Sep 04, 2012 3:00 am
Get apparmor-whatever.tar.gz from launchpad, and look in the "kernel-patches" dir - currently has patches for linux 3.0 to 3.4.
> Jacekalex wrote: to ensure compatibility with version 2.4
Version 2.4 of *what*?
Jacekalex Guru
Joined: 17 Sep 2009 Posts: 553
Posted: Tue Sep 04, 2012 10:41 am
> PaulBredbury wrote:
> Get apparmor-whatever.tar.gz from launchpad, and look in the "kernel-patches" dir - currently has patches for linux 3.0 to 3.4.
> ......
Code:
echo $PWD
/usr/src/linux-3.4.7-hardened
patch -p1 < ../patch34/3.4/0002-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch
patching file security/apparmor/.gitignore
patching file security/apparmor/Makefile
patching file security/apparmor/apparmorfs.c
Hunk #1 succeeded at 201 (offset -226 lines).
patching file security/apparmor/include/audit.h
patching file security/apparmor/include/net.h
patching file security/apparmor/include/policy.h
patching file security/apparmor/lsm.c
Hunk #2 FAILED at 623.
1 out of 3 hunks FAILED -- saving rejects to file security/apparmor/lsm.c.rej
patching file security/apparmor/net.c
patching file security/apparmor/policy.c
patching file security/apparmor/policy_unpack.c
Code:
cat security/apparmor/lsm.c.rej
security/apparmor/lsm.c.rej
--- security/apparmor/lsm.c
+++ security/apparmor/lsm.c
@@ -623,6 +624,104 @@
return error;
}
+static int apparmor_socket_create(int family, int type, int protocol, int kern)
+{
+ struct aa_profile *profile;
+ int error = 0;
+
+ if (kern)
+ return 0;
+
+ profile = __aa_current_profile();
+ if (!unconfined(profile))
+ error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
+ NULL);
+ return error;
+}
+
+static int apparmor_socket_bind(struct socket *sock,
+ struct sockaddr *address, int addrlen)
+{
+ struct sock *sk = sock->sk;
+
+ return aa_revalidate_sk(OP_BIND, sk);
+}
+
+static int apparmor_socket_connect(struct socket *sock,
+ struct sockaddr *address, int addrlen)
+{
+ struct sock *sk = sock->sk;
+
+ return aa_revalidate_sk(OP_CONNECT, sk);
+}
+
+static int apparmor_socket_listen(struct socket *sock, int backlog)
+{
+ struct sock *sk = sock->sk;
+
+ return aa_revalidate_sk(OP_LISTEN, sk);
+}
+
+static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
+{
+ struct sock *sk = sock->sk;
+
+ return aa_revalidate_sk(OP_ACCEPT, sk);
+}
+
+static int apparmor_socket_sendmsg(struct socket *sock,
+ struct msghdr *msg, int size)
+{
+ struct sock *sk = sock->sk;
+
+ return aa_revalidate_sk(OP_SENDMSG, sk);
+}
+
+static int apparmor_socket_recvmsg(struct socket *sock,
+ struct msghdr *msg, int size, int flags)
+{
+ struct sock *sk = sock->sk;
+
+ return aa_revalidate_sk(OP_RECVMSG, sk);
+}
+
+static int apparmor_socket_getsockname(struct socket *sock)
+{
+ struct sock *sk = sock->sk;
+
+ return aa_revalidate_sk(OP_GETSOCKNAME, sk);
+}
+
+static int apparmor_socket_getpeername(struct socket *sock)
+{
+ struct sock *sk = sock->sk;
+
+ return aa_revalidate_sk(OP_GETPEERNAME, sk);
+}
+
+static int apparmor_socket_getsockopt(struct socket *sock, int level,
+ int optname)
+{
+ struct sock *sk = sock->sk;
+
+ return aa_revalidate_sk(OP_GETSOCKOPT, sk);
+}
+
+static int apparmor_socket_setsockopt(struct socket *sock, int level,
+ int optname)
+{
+ struct sock *sk = sock->sk;
+
+ return aa_revalidate_sk(OP_SETSOCKOPT, sk);
+}
+
+static int apparmor_socket_shutdown(struct socket *sock, int how)
+{
+ struct sock *sk = sock->sk;
+
+ return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
+}
+
static struct security_operations apparmor_ops = {
.name = "apparmor",
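Review bot: this is the rejected hunk (the patch output above shows Hunk #2 FAILED at 623, so none of it is in the tree), and it only defines the hook functions: the registrations in apparmor_ops are not part of it, so after placing this block by hand between the `return error; }` that closes the preceding function and `static struct security_operations apparmor_ops = {` in the hardened 3.4.7 lsm.c, confirm that the `.socket_create`, `.socket_bind` and remaining `.socket_*` members are set in apparmor_ops; if they were added by one of the hunks that did apply, the build fails on undeclared functions until this block is merged, and if they were not, the new hooks are unused static functions that mediate nothing. On the content, every hook except apparmor_socket_create discards its extra arguments (`address`, `addrlen`, `backlog`, `msg`, `optname`, `how`) and only calls aa_revalidate_sk on the socket, so what this patch mediates is socket family/type/protocol per profile, not destination addresses or ports, which is worth knowing when comparing it with the per-address bind/connect rules of the grsecurity profile posted earlier in the thread.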
Generally, perhaps one day AppArmor will have real support in Gentoo, but for now the userspace is in an overlay and the kernel requires patches from Ubuntu; I would not call that normal support for a part of the system responsible for something as important as security.
In general, I do not understand: if compatibility with the apparmor-2.4 userspace version is needed, how did it happen that the kernel AppArmor went without this (very important) compatibility?
Both Grsecurity in hardened-sources and SELinux in any sources need no special patch to just work.
Cheers