Gentoo Forums: Networking & Security
AppArmor
Superfox_il_Volpone
n00b
Joined: 14 Aug 2012
Posts: 47

Posted: Fri Nov 07, 2014 9:44 pm    Post subject: AppArmor

Hello,
I am new to AppArmor, but would like to give it a try.

So I updated the kernel and set AppArmor as the default MAC. Then I emerged "sys-apps/apparmor". So far so good.

I see that the other packages are masked though. Where do I find the reason for their being blacklisted?
sec-policy/apparmor-profiles
sys-apps/apparmor-utils
sys-libs/libapparmor

Anyway, I unlocked the packages to install apparmor-utils to follow this article: http://www.la-samhna.de/library/apparmor.html. However, I am already stuck at step 1:
Code:

[root@sebastian] /usr/local/bin: aa-genprof git-crypt

Can't include file abstractions/authentication: No such file or directory at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6222.
   Immunix::AppArmor::get_include_data('abstractions/authentication') called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6237
   Immunix::AppArmor::loadinclude('abstractions/authentication') called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 5343
   eval {...} called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 5343
   Immunix::AppArmor::parse_profile_data('# vim:syntax=apparmor\x{a}# Profile for restricting lightdm guest...', 'abstractions/lightdm', 1) called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6238
   Immunix::AppArmor::loadinclude('abstractions/lightdm') called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 5343
   eval {...} called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 5343
   Immunix::AppArmor::parse_profile_data('# vim:syntax=apparmor\x{a}# Profile abstraction for restricting c...', 'abstractions/lightdm_chromium-browser', 1) called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6238
   Immunix::AppArmor::loadinclude('abstractions/lightdm_chromium-browser') called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6386
   eval {...} called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6386
   Immunix::AppArmor::loadincludes() called at /usr/sbin/aa-genprof line 117

The error simply says that the given file does not exist, and it is right. I think that my profile is messed up:

Code:

[root@sebastian] /etc/apparmor.d: ll
total 8
drwxr-xr-x 2 root root 4096 Nov  6 23:32 abstractions
-rw-r--r-- 1 root root  369 Sep 14 23:40 lightdm-guest-session
[root@sebastian] /etc/apparmor.d: ll abstractions/
total 8
-rw-r--r-- 1 root root 2167 Sep 14 23:40 lightdm
-rw-r--r-- 1 root root 1495 Sep 14 23:40 lightdm_chromium-browser


lightdm is trying to include other profiles I do not have:
Code:

[root@sebastian] /etc/apparmor.d/abstractions: cat lightdm
# vim:syntax=apparmor
# Profile for restricting lightdm guest session
# Author: Martin Pitt <martin.pitt@ubuntu.com>

# This abstraction provides the majority of the confinement for guest sessions.
# It is in its own abstraction so we can have a centralized place for
# confinement for the various lightdm sessions (guest, freerdp, uccsconfigure,
# etc). Note that this profile intentionally omits chromium-browser.

  #include <abstractions/authentication>
  #include <abstractions/cups-client>
  #include <abstractions/dbus>
  #include <abstractions/dbus-session>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/nameservice>
  #include <abstractions/wutmp>
  /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678

  / r,
  /bin/ rmix,
  /bin/fusermount Px,
  /bin/** rmix,
  /cdrom/ rmix,
  /cdrom/** rmix,
  /dev/ r,
  /dev/** rmw, # audio devices etc.
  owner /dev/shm/** rmw,
  /etc/ r,
  /etc/** rmk,
  /etc/gdm/Xsession ix,
  /lib/ r,
  /lib/** rmixk,
  /lib32/ r,
  /lib32/** rmixk,
  /lib64/ r,
  /lib64/** rmixk,
  owner /media/ r,
  owner /media/** rmwlixk,  # we want access to USB sticks and the like
  /opt/ r,
  /opt/** rmixk,
  @{PROC}/ r,
  @{PROC}/* rm,
  @{PROC}/asound rm,
  @{PROC}/asound/** rm,
  @{PROC}/ati rm,
  @{PROC}/ati/** rm,
  owner @{PROC}/** rm,
  # needed for gnome-keyring-daemon
  @{PROC}/*/status r,
  /sbin/ r,
  /sbin/** rmixk,
  /sys/ r,
  /sys/** rm,
  # needed for confined trusted helpers, such as dbus-daemon
  /sys/kernel/security/apparmor/.access rw,
  /tmp/ rw,
  owner /tmp/** rwlkmix,
  /usr/ r,
  /usr/** rmixk,
  /var/ r,
  /var/** rmixk,
  /var/guest-data/** rw, # allow to store files permanently
  /var/tmp/ rw,
  owner /var/tmp/** rwlkm,
  /{,var/}run/ r,
  # necessary for writing to sockets, etc.
  /{,var/}run/** rmkix,
  /{,var/}run/shm/** wl,
  # libpam-xdg-support/logind
  owner /{,var/}run/user/*/** rw,

  capability ipc_lock,

  # silence warnings for stuff that we really don't want to grant
  deny capability dac_override,
  deny capability dac_read_search,
  #deny /etc/** w, # re-enable once LP#697678 is fixed
  deny /usr/** w,
  deny /var/crash/ w,


Any idea on how to proceed?

Thanks,
S.Fox
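What the trace in the post above shows is the include loader of aa-genprof (loadincludes) reading every file under /etc/apparmor.d/abstractions, not just the ones git-crypt would use, and dying on the first `#include <...>` whose target is absent: lightdm_chromium-browser pulls in lightdm, which pulls in abstractions/authentication, which is not there. Because the tool stops at the first miss, you only learn about one gap per run. The shell function below is an added example, not code from the thread or from the AppArmor tools; it walks the same tree and lists every dangling include target in one pass. It assumes the layout seen in the thread (targets of `<...>` resolved relative to the policy directory, no whitespace in file names) and deliberately ignores `#include "/abs/path"` and `include if exists <...>`, which are not relative or not mandatory. One caveat worth keeping in mind: a profile whose includes fail to resolve is not partially applied; apparmor_parser refuses it, so the program simply runs unconfined until the gap is fixed.

```shell
#!/bin/sh
# Added example (not from the thread or the AppArmor project): find every
# "#include <x>" / "include <x>" directive under an AppArmor policy
# directory whose target file does not exist, in one pass.
# Usage: sh check_includes.sh [/etc/apparmor.d]
set -u

# check_includes DIR
#   Prints "FILE: TARGET" for each include target missing under DIR.
#   Returns 0 when nothing is missing, 1 otherwise.
check_includes() {
    dir=${1:-/etc/apparmor.d}
    missing=0
    # Walk profiles, abstractions and tunables alike; the include loader in
    # aa-genprof reads all of them, so a dangling include anywhere breaks it.
    # Whitespace-free paths are assumed (true for /etc/apparmor.d).
    for f in $(find "$dir" -type f | sort); do
        # Pull the target out of "#include <x>" and the newer "include <x>".
        # '#include "/abs/path"' and 'include if exists <x>' are left alone:
        # the former is not relative to DIR, the latter is optional by design.
        targets=$(sed -nE 's/^[[:space:]]*#?include[[:space:]]*<([^>]+)>.*/\1/p' "$f")
        for t in $targets; do
            if [ ! -e "$dir/$t" ]; then
                printf '%s: %s\n' "$f" "$t"
                missing=1
            fi
        done
    done
    return "$missing"
}

# When run as a script, check the directory given on the command line.
if [ "$#" -gt 0 ]; then
    check_includes "$1"
fi
```

Run it as `sh check_includes.sh /etc/apparmor.d` after each package install or hand edit; an empty output and exit status 0 mean aa-genprof's include pass will get through. The test below builds a small policy tree in a temporary directory, so nothing on the real system is touched.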
kensington
Developer
Joined: 02 Jan 2013
Posts: 175
Location: Australia

Posted: Thu Nov 13, 2014 8:08 am

AppArmor is not masked because there's anything wrong with it; rather, it's just still in testing (~arch).

It looks like the missing files are provided by sec-policy/apparmor-profiles.
Superfox_il_Volpone
n00b
Joined: 14 Aug 2012
Posts: 47

Posted: Thu Nov 13, 2014 5:41 pm

Hello,

Thanks for your reply. I went forward, but it is still trying to import files which I do not have:
Code:

[root@sebastian] /usr/local/bin: aa-genprof git-crypt

Can't include file abstractions/dbus-accessibility: No such file or directory at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6222.
   Immunix::AppArmor::get_include_data('abstractions/dbus-accessibility') called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6237
   Immunix::AppArmor::loadinclude('abstractions/dbus-accessibility') called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 5343
   eval {...} called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 5343
   Immunix::AppArmor::parse_profile_data('# vim:syntax=apparmor\x{a}# Profile for restricting lightdm guest...', 'abstractions/lightdm', 1) called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6238
   Immunix::AppArmor::loadinclude('abstractions/lightdm') called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 5343
   eval {...} called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 5343
   Immunix::AppArmor::parse_profile_data('# vim:syntax=apparmor\x{a}# Profile abstraction for restricting c...', 'abstractions/lightdm_chromium-browser', 1) called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6238
   Immunix::AppArmor::loadinclude('abstractions/lightdm_chromium-browser') called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6386
   eval {...} called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6386
   Immunix::AppArmor::loadincludes() called at /usr/sbin/aa-genprof line 117

Available profiles:
Code:

[root@sebastian] ~: ll /etc/apparmor.d/abstractions/
total 272
-rw-r--r-- 1 root root  435 Nov 13 17:29 apache2-common
-rw-r--r-- 1 root root  259 Nov 13 17:29 aspell
-rw-r--r-- 1 root root 1555 Nov 13 17:29 audio
-rw-r--r-- 1 root root 1544 Nov 13 17:29 authentication
-rw-r--r-- 1 root root 4719 Nov 13 17:29 base
-rw-r--r-- 1 root root 1512 Nov 13 17:29 bash
-rw-r--r-- 1 root root  798 Nov 13 17:29 consoles
-rw-r--r-- 1 root root  713 Nov 13 17:29 cups-client
-rw-r--r-- 1 root root  507 Nov 13 17:29 dbus
-rw-r--r-- 1 root root  512 Nov 13 17:29 dbus-session
-rw-r--r-- 1 root root  227 Nov 13 17:29 dconf
-rw-r--r-- 1 root root 2007 Nov 13 17:29 enchant
-rw-r--r-- 1 root root 1819 Nov 13 17:29 fonts
-rw-r--r-- 1 root root 1636 Nov 13 17:29 freedesktop.org
-rw-r--r-- 1 root root 2721 Nov 13 17:29 gnome
-rw-r--r-- 1 root root  278 Nov 13 17:29 gnupg
-rw-r--r-- 1 root root  548 Nov 13 17:29 ibus
-rw-r--r-- 1 root root 2019 Nov 13 17:29 kde
-rw-r--r-- 1 root root 1103 Nov 13 17:29 kerberosclient
-rw-r--r-- 1 root root  824 Nov 13 17:29 launchpad-integration
-rw-r--r-- 1 root root  686 Nov 13 17:29 ldapclient
-rw-r--r-- 1 root root 2167 Sep 14 23:40 lightdm
-rw-r--r-- 1 root root 1495 Sep 14 23:40 lightdm_chromium-browser
-rw-r--r-- 1 root root  489 Nov 13 17:29 likewise
-rw-r--r-- 1 root root  436 Nov 13 17:29 mdns
-rw-r--r-- 1 root root  641 Nov 13 17:29 mysql
-rw-r--r-- 1 root root 2668 Nov 13 17:29 nameservice
-rw-r--r-- 1 root root  524 Nov 13 17:29 nis
-rw-r--r-- 1 root root  425 Nov 13 17:29 nvidia
-rw-r--r-- 1 root root  470 Nov 13 17:29 openssl
-rw-r--r-- 1 root root   93 Nov 13 17:29 orbit2
-rw-r--r-- 1 root root  814 Nov 13 17:29 p11-kit
-rw-r--r-- 1 root root  860 Nov 13 17:29 perl
-rw-r--r-- 1 root root  928 Nov 13 17:29 php5
-rw-r--r-- 1 root root 1303 Nov 13 17:29 private-files
-rw-r--r-- 1 root root  746 Nov 13 17:29 private-files-strict
-rw-r--r-- 1 root root 1507 Nov 13 17:29 python
-rw-r--r-- 1 root root  966 Nov 13 17:29 ruby
-rw-r--r-- 1 root root  700 Nov 13 17:29 samba
-rw-r--r-- 1 root root  476 Nov 13 17:29 smbpass
-rw-r--r-- 1 root root  742 Nov 13 17:29 ssl_certs
-rw-r--r-- 1 root root  556 Nov 13 17:29 ssl_keys
-rw-r--r-- 1 root root 1646 Nov 13 17:29 svn-repositories
-rw-r--r-- 1 root root  682 Nov 13 17:29 ubuntu-bittorrent-clients
-rw-r--r-- 1 root root 1615 Nov 13 17:29 ubuntu-browsers
drwxr-xr-x 2 root root 4096 Nov 13 17:29 ubuntu-browsers.d
-rw-r--r-- 1 root root  611 Nov 13 17:29 ubuntu-console-browsers
-rw-r--r-- 1 root root  601 Nov 13 17:29 ubuntu-console-email
-rw-r--r-- 1 root root  809 Nov 13 17:29 ubuntu-email
-rw-r--r-- 1 root root  339 Nov 13 17:29 ubuntu-feed-readers
-rw-r--r-- 1 root root  182 Nov 13 17:29 ubuntu-gnome-terminal
-rw-r--r-- 1 root root 2978 Nov 13 17:29 ubuntu-helpers
-rw-r--r-- 1 root root  343 Nov 13 17:29 ubuntu-konsole
-rw-r--r-- 1 root root 2234 Nov 13 17:29 ubuntu-media-players
-rw-r--r-- 1 root root  237 Nov 13 17:29 ubuntu-xterm
-rw-r--r-- 1 root root  750 Nov 13 17:29 user-download
-rw-r--r-- 1 root root  786 Nov 13 17:29 user-mail
-rw-r--r-- 1 root root  889 Nov 13 17:29 user-manpages
-rw-r--r-- 1 root root  654 Nov 13 17:29 user-tmp
-rw-r--r-- 1 root root  717 Nov 13 17:29 user-write
-rw-r--r-- 1 root root  123 Nov 13 17:29 video
-rw-r--r-- 1 root root  705 Nov 13 17:29 web-data
-rw-r--r-- 1 root root  739 Nov 13 17:29 winbind
-rw-r--r-- 1 root root  585 Nov 13 17:29 wutmp
-rw-r--r-- 1 root root 1450 Nov 13 17:29 X
-rw-r--r-- 1 root root  883 Nov 13 17:29 xad
-rw-r--r-- 1 root root  673 Nov 13 17:29 xdg-desktop


Shouldn't the profile dbus-accessibility at least be reported in http://www.portagefilelist.de/site/query/file/?

Thanks,
S. Fox
kensington
Developer
Joined: 02 Jan 2013
Posts: 175
Location: Australia

Posted: Fri Nov 14, 2014 2:35 am

Missing abstractions/dbus-accessibility looks like bug #494426 come back to life.
Superfox_il_Volpone
n00b
Joined: 14 Aug 2012
Posts: 47

Posted: Fri Nov 14, 2014 1:49 pm

Hello,
Should I file a new bug then?
kensington
Developer
Joined: 02 Jan 2013
Posts: 175
Location: Australia

Posted: Sat Nov 15, 2014 1:45 am

Yes please.
Gentoo64
n00b
Joined: 21 Oct 2011
Posts: 52
Location: ::

Posted: Tue Nov 18, 2014 2:29 pm

I find the most secure and reliable way is not to install the apparmor-profiles package: just make the dirs yourself, use abstractions/base and write the profiles entirely by hand. It takes a lot longer, but you know exactly what's being enforced.
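Taking the hand-written route from the post above for the original poster's own target, /usr/local/bin/git-crypt: the shell snippet below is an added example, not code from the thread or from the AppArmor project. It writes a minimal profile that includes only abstractions/base, syntax-checks it without touching the kernel, loads it in complain mode (so every access outside the rules is logged as apparmor="ALLOWED" instead of being blocked) and pulls the resulting log lines out of dmesg, which is exactly the list of rules you then decide to add or refuse. The path rules for git-crypt (the /usr/bin/git helper and the /home tree) are assumptions for illustration, to be narrowed after the log review. It also assumes a tunables/global file next to the abstractions directory, because abstractions/base itself refers to @{PROC}; the listing earlier in the thread shows only abstractions/, so check that before loading.

```shell
#!/bin/sh
# Added example (not from the thread or the AppArmor project): write a
# hand-written profile for /usr/local/bin/git-crypt that depends only on
# abstractions/base plus tunables/global, then load it in complain mode.
set -eu

# write_git_crypt_profile FILE
#   Writes the profile to FILE. The path rules are illustrative assumptions
#   and are meant to be tightened after reading the complain-mode log.
write_git_crypt_profile() {
    cat > "$1" <<'EOF'
# Hand-written profile for git-crypt; includes only abstractions/base.
#include <tunables/global>

/usr/local/bin/git-crypt {
  #include <abstractions/base>

  # the program itself (read + mmap) and the git helper it is assumed to exec
  /usr/local/bin/git-crypt mr,
  /usr/bin/git rix,

  # repository working tree and .git-crypt key material, owned by the caller
  # (assumed to live under /home; narrow this after the log review)
  owner /home/*/** rw,

  # deny rules are quiet: use them for things you will never grant so they
  # do not flood the complain-mode log, as the lightdm abstraction does
  deny /etc/shadow r,
  deny capability dac_override,
}
EOF
}

# load_complain FILE
#   Syntax-checks FILE without loading it, then loads/replaces it in
#   complain mode. Needs root and apparmor_parser from sys-apps/apparmor.
load_complain() {
    apparmor_parser -Q "$1"        # -Q: do everything except the kernel load
    apparmor_parser -r -C "$1"     # -r: replace if already loaded, -C: complain
}

# review_log
#   In complain mode, accesses outside the profile are permitted but logged
#   with apparmor="ALLOWED"; each such line is a rule to add or to refuse.
review_log() {
    dmesg | grep 'apparmor="ALLOWED"' | grep 'profile="/usr/local/bin/git-crypt"' || true
}

# When run as a script: write the profile to the given path, load it in
# complain mode, exercise git-crypt, then run this again to see the log.
if [ "$#" -gt 0 ]; then
    write_git_crypt_profile "$1"
    load_complain "$1"
    review_log
fi
```

Usage: `sh git-crypt-profile.sh /etc/apparmor.d/usr.local.bin.git-crypt`, then run the git-crypt operations you care about and read the ALLOWED lines; only once they are empty should you drop `-C` and load in enforce mode. The test below only exercises the profile writer against a temporary file, since the loader needs root and a kernel with AppArmor.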