Ubuntu Security :: Generic AppArmor Profile For Untrusted Application
Sep 3, 2010
I've read and re-read everything I can find about AppArmor, to no avail. On the whole, AppArmor isn't for me. However, rather than give up on it completely, I have an idea: create a profile that I could use as a template for any untrusted application, with the aim of 1) blocking it from network access and 2) blocking it from installing other applications. I've got as far as creating an empty profile:
Code:
# Generic AppArmor Profile for UntrustedApplication
#include <tunables/global>
/usr/sbin/UntrustedApplication {
#include <abstractions/base> }
What do I need to add to make this profile 100% permissive, except for the two exceptions stated above?
I'm a Windows user, but now trying to migrate to Ubuntu. I have read AppArmor Docs/FAQs, and very impressed with it's possibilities. But I'm still not sure, can I have a profile which is applied to all applications I run (not listed in other profiles)? That would be great to have a "Simple Application" default profile, with permissions, say, to read/write to app's folder and to display graphics/play sounds!
I'm trying to understand the Apparmor and would like to get FF profile from Bodhi.zazen [thank you],but I'm kinda new to Linux.Did lots of reading but missing one thing:
1.where is FF profile? I can't see any usr.lib.firefox-3.6.12 2. how do I do copy FF profile from Bodhi.zazen?
i was trying to edit my firefox apparmor profile. I used aa-genprof, and accidentally closed the terminal before the program was finished. Firefox wouldn't load properly after that whenever it was enforced. I uninstalled and reinstalled the profiles, but it didn't help.Finally I deleted the files for the profile itself ... now it will not reinstall them..I marked all the apparmor packages for complete removal and then reinstalled them but it will not put the original firefox profile back in.
This page [URL] shows how to enable apparmor firefox profile. Why isnt apparmor firefox profile enabled by default? I would postulate that this would be because there must be some limitation by having the profile enabled. If so, what would the limitation be?
I have quiet splash disabled so I can see what boot processes are run on startup, and I notice that on every time I boot my computer the Firefox profile is skipped. Here's the message: Code: Skipping profile in /etc/ apparmor.d/disable: usr.bin.firefox,I checked /etc/apparmor.d/disable, and see that there is indeed a link to usr.bin.firefox. So I'm wondering how/why it got there. I haven't touched anything in AppArmor since my clean install of Natty.
But I couldn't find a modified version of it for Swiftfox anywhere, so I decided to modify it myself. But I'm not 100% sure that I did it correctly, so I thought I'd ask here.
Also, will Swiftfox 3.6.4 be able to use this same profile? I thought it might not because of the new "Out of process plugins" feature being added.
I'm trying to figure out Apparmor,in doing so I've seen that there are no pre-configured profiles for Iceweasel,but there are two for Firefox in /usr/share/doc/apparmor-profiles/extras/ : Will it work if I simply replace "iceweasel" for "firefox" and set those profiles to complain mode,just to see what will eventually happen? Is that too obvious?
I am new to linux but will try and be as precise as I can. I have a Dell Insp. 1545 with 3GB ram with 10.04_64
Problem: Rather out of the blue upon login, from the time of entering password to the desktop, is MUCH slower. I have no splash enabled and there is some reference to AppArmour profiles (it sits there at this apparmour reference , then sits trying to load desktop). However, I have never configured apparmor. Finally, on last login, there was some sort of screen corruption prior to getting to desktop.
Prior to all this i noticed that firefox "blinked" when I was using it, and then said that it needed to shutdown/restart for updates. I did notice at that time two of my previous tabs sortof acted oddly (moved around then disappeared).
I have no SSH/Server software etc activated.
I did change visudo so that sudo timeout shorter than it was. However that is the only modification to the system recently.
Or do you just use Ubuntu feeling safe enough without them? If you do use AppArmor and other security measures, what do you use them for? Obviously Firefox and Chrome would be two things. But what else?
I want to start using videos/music files downloaded from untrusted sources (BT,Sharing Forums, etc.). Haven't made this a habit b4 because of the security risks. I want to take steps to reduce the risk & protect my computer from anything malicious. What are some good choices for this? The biggest step I took so far is using Ubuntu since it's very virus resistant, but other threats do exist out there (rootkits, malicious scripts, etc.). When downloading files from untrusted sources, who knows what may be hidden inside.Some options I'm thinking about:
1) Using a VM (with Ubuntu installed inside) & playing the files inside the VM. If anything malicious happen, it would be trapped inside & I could easily revert to a clean snapshot.
2) Using AppArmor to restrict what the files or program used to play the files can/can't do. AA seems very complicated though.
Are the above overkill? Would it be sufficient enough to just open these files on a non-admin user account since no access to root or sudo?
At the login webpage of <[URL]>, the Time Warner Cable (TWC) Webmail site, I am immediately confronted with a warning that the Security Certificate is invalid & that the site is untrusted. This occurs with Firefox, Seamonkey, & Konqueror. This does not occur on Microsoft or Apple systems; I have checked other colleagues machines. I have manually overridden the warning & everything functions fine. I have contacted TWC & am awaiting their tests. But, I would like some independent corroboration from other users in the Linux community. Could some of you perform the test yourself on this URL? An error will be readily apparent.
Does anyone know if Apparmor will work on the Ubuntu 10.04 livecd? I know there are currently issues running Apparmor on stacked filesystems with aufs. Currently a casper scripts disables Apparmor during boot up. Would be very useful if it could be run in a live session.
And restarted Firefox (even rebooted), but it doesn't seem to be working. When I open Firefox I am able to perform a "Save Page As" in locations I shouldn't be able to, like my Desktop or Pictures folder.
The following command says the Firefox process is in enforce mode:
Code:
Of the following lines, the only directory which is "rw" is /Downloads, why am I still able to write to other places?
Code:
OS: Ubuntu 10.10
Can someone with an active Firefox profile do this simple test for me? Click File -> Save As and try to save somewhere the Apparmor profile shouldn't let you, and let me know the results.
I was recently connecting securely to the website where I have my mail account, and I connected through Tor. When doing so firefox presents me with the screen saying that the connection is untrusted and it can't verify the certificate. So I cancelled. I'm using torbutton and I turned torbutton to off and connected again with no problem. Then with torbutton on again, same thing (untrusted).
Is it possible the exit node I was going through is doing a man in the middle attack? However later when connecting through tor I did NOT get the warning about the site being untrusted. I really don't know what exit node I was using when I got the certificate warning and what exit node I was using when I did not recieve the warning. I don't know how long I stay on the same node or how/when it changes.
I am trying to use apparmor to restrict my file browser, which is Thunar to only let me view the files that are in the home directory and also removable media.I tried following the apparmor sticky with no success.I created the profile and tried editing it and it either started and let me do pretty much everything or did not start at all. Would it be possible for someone to help me step by step to set up a profile for thunar that would only show the home directory and removable media.
It seems that AppArmor can't be effectively used to protect read access to files from users (including roots). It is possible to create a profile for, eg, 'cat', but then the users can use 'less'.Is this true? Should use SELinux instead for this?
I have a program that generates large amounts of apparmor log messages. I'm happy to enforce restrictions on the program but I really don't want it to fill my log with messages every time it attempts to read a file.
Is there a way to let it enforce restrictions but not log denials?
