Ubuntu Security :: Configure AppArmor And Add Ability To Bind - Failed To Set Capabilities On File
May 18, 2011
A create an application which has to bind to port less than 1024 and must be launched under non-root user. OS: Ubuntu 10.04. Decision 1: Using a firewall to redirect packets. Problem: This decision is not good for me. I need simple way to solve the problem. Decision 2: Use CAP_NET_BIN_SERVICE. Problem: My execution file has 2,7G size. It is very big application with a lot of debug info. setcat command return an error:
[code]...
View 1 Replies
ADVERTISEMENT
Jan 7, 2010
I get the error message in the subject line, followed by a red failed message.
However, once the system is finished booting, I can log in and
Code:
sudo /etc/init.d/apparmor start
and it starts normally.
View 7 Replies
View Related
Sep 21, 2010
I am trying to use apparmor to restrict my file browser, which is Thunar to only let me view the files that are in the home directory and also removable media.I tried following the apparmor sticky with no success.I created the profile and tried editing it and it either started and let me do pretty much everything or did not start at all. Would it be possible for someone to help me step by step to set up a profile for thunar that would only show the home directory and removable media.
View 2 Replies
View Related
Nov 9, 2010
This might sound really stupid, so you'll all have to excuse my lacking knowledge. I read that USB attacks get more and more common, like putting in an USB stick with a malicious autorun script on it, and it's game over. Can AppArmor protect devices and limit their access to the file system?
View 5 Replies
View Related
Aug 31, 2010
Or do you just use Ubuntu feeling safe enough without them? If you do use AppArmor and other security measures, what do you use them for? Obviously Firefox and Chrome would be two things. But what else?
View 9 Replies
View Related
May 31, 2011
I'd like to modify a linux distro, specifically Puppy, so that the drivers/mechanisms for mounting local HDDs and Networking is Disabled completely. A step further than simply disabling "auto-mounting" at boot time, I don't even want mounting to be possible (at least by default).Likewise, further than just disabling network devices, I'd like to remove the ability to use network devices. How are these "mounting" and "device drivers" mechanisms implemented, where are they, and what are my options?
View 14 Replies
View Related
Nov 15, 2010
It is known that binaries with the SetUID bit enabled are a threat for the system.I saw on this ArchLinux wiki[URL].tead_Of_Setuida way to limit the use of SetUID bit thanks to POSIX capabilities.It looks very interesting.Does anyone of you used it already?Is it a burden for the system afterwards (like binaries not working, needing to be fixed); or is it seamless
View 3 Replies
View Related
Mar 7, 2010
Ubuntu 9.10 stops booting with apparmor profiles failed to load error message in recovery mode.In the usual mode it hangs at the logo stage.I tried all the kernels listed but the boot process hangs every time.I searched for a solution but could not find it. Windows 7 boots fine.I haven't installed grub to the MBR.I had to reinstall the windows bootloader but I am not sure if it's related to the problem.I would like not to reinstall the os.
View 7 Replies
View Related
Jun 10, 2011
I set the profile for Firefox to enforce sudo aa-enforce firefox.Does this now apply to all users on my system or just the user I was logged in as?
View 2 Replies
View Related
Apr 17, 2011
I have a laptop with Windows 7, and about a week ago I installed Ubuntu 10.10 64-bit via LiLi USB creator. Worked beautifully, but I was having some issues with the brightness controls so I decided to get cute and upgrade to 11.04. So I downloaded the beta2 and used LiLi to make the USB (unsupported for that version of course) which used the same parameters as 10.10. I then tried to do a fresh install over the partition I had set aside for Ubuntu and had 10.10 installed on (~80 GB).
So in the installation itself, something got majorly screwed, and the entire system froze. Next thing I knew, I was rebooting and got the Grub Rescue prompt and no ability to load into either my old Ubuntu 10.10 or my new failed 11.04, or of course my Windows 7 partition either. The partition is obviously there, and as I only have one PC in my house, with no Windows 7 recovery discs, I currently cannot fix the mbr to just get my Windows back. I can of course get this in a couple days, but I'd like to be able to fix this without going to my parents.
[Code]....
Those are my partitions. /dev/sda3 is my Windows Partition, which I want to boot from. Only problem is, I'm not really sure where the computer is looking to find the boot record. I think it's from my fubarred /dev/sda4 partition which means it's basically looking nowhere. So I can't modify it to point to my Windows so I can just get back there.
View 7 Replies
View Related
Jan 29, 2010
Does anyone know if Apparmor will work on the Ubuntu 10.04 livecd? I know there are currently issues running Apparmor on stacked filesystems with aufs. Currently a casper scripts disables Apparmor during boot up. Would be very useful if it could be run in a live session.
View 4 Replies
View Related
Apr 28, 2010
Anyone set up an Apparmor profile for Firefox?
View 9 Replies
View Related
Aug 8, 2010
Inspite i have read through the sticky link but i have a query.
Example,
If you have your firefox under enforce mode in apparmor,are you still able to install an update / addon to it to a newer version.
If not,how to disable the apparmor in firefox.Is it as below?
Code:
View 9 Replies
View Related
Oct 9, 2010
So I activated the Firefox profile:
Code:
And restarted Firefox (even rebooted), but it doesn't seem to be working. When I open Firefox I am able to perform a "Save Page As" in locations I shouldn't be able to, like my Desktop or Pictures folder.
The following command says the Firefox process is in enforce mode:
Code:
Of the following lines, the only directory which is "rw" is /Downloads, why am I still able to write to other places?
Code:
OS: Ubuntu 10.10
Can someone with an active Firefox profile do this simple test for me? Click File -> Save As and try to save somewhere the Apparmor profile shouldn't let you, and let me know the results.
View 9 Replies
View Related
Nov 12, 2010
Tried the apparmor profile for Firefox. how to turn it off. No matter what I do, it still shows up as being on in apparmor status.
View 3 Replies
View Related
Nov 15, 2010
I'm trying to understand the Apparmor and would like to get FF profile from Bodhi.zazen [thank you],but I'm kinda new to Linux.Did lots of reading but missing one thing:
1.where is FF profile? I can't see any usr.lib.firefox-3.6.12
2. how do I do copy FF profile from Bodhi.zazen?
View 5 Replies
View Related
Jun 7, 2011
I followed this thread:[URL]...When I get to this part:sudo genprof firefox it does not work in the terminal. Is this still supported for Ubuntu 11?
Also, I installed the profiles. Is something supposed to happen now or do I need to configure them?
sudo apt-get install apparmor-profiles
View 6 Replies
View Related
Jun 12, 2011
Where is some good documentation with concrete examples on the best practices for how to update AppArmor profiles?
View 2 Replies
View Related
Jun 18, 2011
When I enable a new AppArmor profile that is not in the kernel, I've used this command:
Code:
apparmor_parser -r /path/to/profile
But when I recently read the manual for AppArmor, it says to use this command for new profiles:
Code:
apparmor_parser -a /path/to/profile
Have I done something wrong by using -r instead of -a?
View 1 Replies
View Related
Jan 8, 2011
It seems that AppArmor can't be effectively used to protect read access to files from users (including roots). It is possible to create a profile for, eg, 'cat', but then the users can use 'less'.Is this true? Should use SELinux instead for this?
View 5 Replies
View Related
Apr 19, 2011
I have a program that generates large amounts of apparmor log messages. I'm happy to enforce restrictions on the program but I really don't want it to fill my log with messages every time it attempts to read a file.
Is there a way to let it enforce restrictions but not log denials?
View 9 Replies
View Related
Apr 29, 2011
Since Ubuntu 9.10 I used:
"sudo apt-get install apparmor-profiles
sudo enforce firefox"
However in Lubuntu 11.04 the "sudo enforce firefox" command does no longer work. It looks like the enforce command is no longer recognised.
View 6 Replies
View Related
Jun 21, 2011
i was trying to edit my firefox apparmor profile. I used aa-genprof, and accidentally closed the terminal before the program was finished. Firefox wouldn't load properly after that whenever it was enforced. I uninstalled and reinstalled the profiles, but it didn't help.Finally I deleted the files for the profile itself ... now it will not reinstall them..I marked all the apparmor packages for complete removal and then reinstalled them but it will not put the original firefox profile back in.
View 2 Replies
View Related
Apr 25, 2010
This page [URL] shows how to enable apparmor firefox profile. Why isnt apparmor firefox profile enabled by default? I would postulate that this would be because there must be some limitation by having the profile enabled. If so, what would the limitation be?
View 9 Replies
View Related
Sep 3, 2010
I've read and re-read everything I can find about AppArmor, to no avail. On the whole, AppArmor isn't for me. However, rather than give up on it completely, I have an idea: create a profile that I could use as a template for any untrusted application, with the aim of 1) blocking it from network access and 2) blocking it from installing other applications. I've got as far as creating an empty profile:
Code:
# Generic AppArmor Profile for UntrustedApplication
#include <tunables/global>
/usr/sbin/UntrustedApplication {
#include <abstractions/base> }
What do I need to add to make this profile 100% permissive, except for the two exceptions stated above?
View 9 Replies
View Related
Feb 28, 2011
I use Ubuntu 10.10 with encrypted home. I'm new with apparmor. My firefox-3.6.13 is now in enforce mode - with standard profile. With this profile it should have write access only to:
owner @{HOME}/Downloads/* rw,
But I can save files (with standard downloadmanager of firefox) e.g. in $HOME itself and I can't find any other rule, which could allow that. I have thing, that ecryptfs workaround just affects the eCryptFS "part of things" and limitations of normal filenames/paths (in mounted ecryptfs) are still possible. Why can firefox write elsewhere as in to ${HOME}/Downloads? I get also this in kern.log (but not by saving a file as wrote above):
Feb 27 05:49:30 duron650 kernel: [ 2284.886631] type=1400 audit(1298782170.190:4: apparmor="DENIED" operation="open" parent=1782 profile="/usr/lib/firefox-3.6.13/firefox-*bin" name="/home/.ecryptfs/hugo/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWY1tHLaOszg1UQTPB2f1Zq7Xu 0xztwk9hVX6-OCUaSGk2nU5ADkJx.rdk--/ECRYPTFS_FNEK_ENCRYPTED.FWY1tHLaOszg1UQTPB2f1Zq7Xu 0xztwk9hVXFlmP1qlJBZ2eq7XFiWljUE--" pid=2209 comm="firefox-bin" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Why do firefox try to write to it and why do it fail even with #13 workaround?
Feb 27 06:03:23 duron650 kernel: [ 3118.231818] type=1400 audit(1298783003.534:49): apparmor="DENIED" operation="open" parent=1782 profile="/usr/lib/firefox-3.6.13/firefox-*bin" name="/tmp/.X0-lock" pid=2304 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Why try firefox to access X lock?
View 4 Replies
View Related
Jun 12, 2011
Perhaps it is my misinterpretation of AppArmor, how can it be configured to restrict TCP or UDP traffic to/from specific ports?
The profile "abstractions/nameservice", under the section "# TCP/UDP network access", doesn't seem to lock the application to port 53. What am I missing? Restriction to specific ports is something that systrace can do so I'd expect nothing less from AppArmor.
View 5 Replies
View Related
Aug 9, 2011
I have quiet splash disabled so I can see what boot processes are run on startup, and I notice that on every time I boot my computer the Firefox profile is skipped. Here's the message: Code: Skipping profile in /etc/ apparmor.d/disable: usr.bin.firefox,I checked /etc/apparmor.d/disable, and see that there is indeed a link to usr.bin.firefox. So I'm wondering how/why it got there. I haven't touched anything in AppArmor since my clean install of Natty.
View 6 Replies
View Related
Mar 9, 2011
I decided to consult you before making any changes, because the clients' PCs are spread all over the country and I do not have the physical access to their boxes.The idea is to take away the ability of using sudo for common users.I know that the syntax of this file may vary a bit in different distributions.Our OS is Ubuntu 10.10.I created the account 'support' for me and other technician stuff of our department. So, 'support' user must have all the power. And common users mustn't have access to 'sudo'. This is the requirement.As far as I remember, in Slackware the user must be a member of 'wheel' group to be able to use 'sudo' (but I may be wrong).
View 3 Replies
View Related
Apr 15, 2011
I've been reading a lot of articles on Xorg XWindow System having the ability to allow 6600/tcp for remote screen connections and I've been trying to find a way to remove the functionality without having to just dump XWindow and settle for CLI on my server. I heard it was disabled by default, but I just want to get rid of that ability completely by cutting it out of it's code and yes, I'm feeling very, very paranoid.
View 2 Replies
View Related