IntroductionToAppArmor
Open Week -- Introduction to AppArmor -- John Johansen -- Wed, May 4
1 [18:02] <ClassBot> Logs for this session will be available at http://irclogs.ubuntu.com/2011/05/04/%23ubuntu-classroom.html following the conclusion of the session.
2 [18:05] <jjohansen> well let's get started
3 [18:05] <jjohansen> Hello and welcome to the AppArmor session.
4 [18:05] <jjohansen> My name is John Johansen and I am a Kernel Engineer for Canonical
5 [18:06] <jjohansen> For those not familiar with AppArmor, it is a mandatory access control (MAC) style security system. Basically it limits an application to a preset list of resources,
6 [18:06] <jjohansen> whether it is run as root or not, and it always gets applied, i.e. the user doesn't get to change it.
7 [18:06] <jjohansen> Today I plan to walk through the basics of AppArmor, feel free to ask questions at anytime, though if they don't fit into the current discussion I may wait until later to answer them.
8 [18:07] <jjohansen> We are going to need a terminal open as AppArmor currently does not have
9 [18:07] <jjohansen> any GUI based tools.
10 [18:07] <jjohansen> In Unity you can do this by pressing the meta (windows) key and typing terminal
11 [18:07] <jjohansen> or in the classic gnome environment Applications >> Accessories >> Terminal
12 [18:08] <jjohansen> First up we will do some basic introspection of AppArmor
13 [18:08] <jjohansen> To see if apparmor is enabled from the terminal type
14 [18:08] <jjohansen> aa-status
15 [18:09] <jjohansen> if enabled it will return
16 [18:09] <jjohansen> apparmor module is loaded.
17 [18:09] <jjohansen> You do not have enough privilege to read the profile set.
18 [18:09] <jjohansen> that is enough to tell apparmor is loaded and active but not see what it is doing
19 [18:10] <jjohansen> to get a full picture we need to use sudo
20 [18:10] <jjohansen> sudo aa-status
21 [18:10] <jjohansen> will return a much larger list of items
22 [18:11] <jjohansen> eg.
23 [18:11] <jjohansen> apparmor module is loaded.
24 [18:11] <jjohansen> 47 profiles are loaded.
25 [18:11] <jjohansen> 12 profiles are in enforce mode.
26 [18:11] <jjohansen> /sbin/dhclient
27 [18:11] <jjohansen> /usr/bin/evince
28 [18:11] <jjohansen> /usr/bin/evince-previewer
29 [18:11] <jjohansen> /usr/bin/evince-thumbnailer
30 [18:11] <jjohansen> /usr/lib/NetworkManager/nm-dhcp-client.action
31 [18:11] <jjohansen> /usr/lib/chromium-browser/chromium-browser//browser_java
32 [18:11] <jjohansen> /usr/lib/chromium-browser/chromium-browser//browser_openjdk
33 [18:11] <jjohansen> /usr/lib/connman/scripts/dhclient-script
34 [18:11] <jjohansen> /usr/lib/cups/backend/cups-pdf
35 [18:11] <jjohansen> /usr/sbin/cupsd
36 [18:11] <jjohansen> /usr/sbin/tcpdump
37 [18:11] <jjohansen> /usr/share/gdm/guest-session/Xsession
38 [18:11] <jjohansen> 35 profiles are in complain mode.
39 [18:11] <jjohansen> that is just part of my listing
40 [18:12] <jjohansen> so on my example system, there are 47 profiles loaded into the kernel
41 [18:13] <jjohansen> of those 47 profiles only 12 of them are being enforced
42 [18:13] <jjohansen> this means that applications confined by those profiles can only do what is specified by the profile
43 [18:14] <jjohansen> if they try to do anything not specified by the profile, the access will be denied to the application with EPERM or EACCES
44 [18:14] <jjohansen> the rest of the loaded profiles are in complain mode
45 [18:15] <jjohansen> this is a special "learning" mode where applications confined by a profile don't have accesses not listed in the profile fail
46 [18:16] <jjohansen> instead, the access is logged and allowed, so the application runs normally but the behavior and accesses are logged so they can be learned and a profile developed
47 [18:18] <jjohansen> the information aa-status spits out can also be obtained using ps -Z, but it won't be organized nearly as nicely
48 [18:18] <jjohansen> but can be useful to know if you need to do something with shell scripting
49 [18:18] <jjohansen> eg.
50 [18:19] <jjohansen> pidof cupsd | xargs ps -Z
51 [18:19] <jjohansen> LABEL PID TTY STAT TIME COMMAND
52 [18:19] <jjohansen> /usr/sbin/cupsd 939 ? Ss 0:00 /usr/sbin/cupsd -F
53 [18:19] <jjohansen> shows that cupsd is confined by the /usr/sbin/cupsd profile
54 [18:20] <jjohansen> the LABEL column provided by the -Z option to ps is the profile listing
55 [18:20] <jjohansen> applications that are not confined by a profile are listed as unconfined
56 [18:21] <jjohansen> unconfined 4497 pts/1 00:00:00 bash
57 [18:22] <jjohansen> there is another useful command for introspecting network facing programs
58 [18:22] <jjohansen> aa-unconfined
59 [18:22] <jjohansen> it will show programs that are unconfined and have open network sockets
60 [18:22] <jjohansen> eg.
61 [18:23] <jjohansen> sudo aa-unconfined
62 [18:23] <jjohansen> 825 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (complain)'
63 [18:23] <jjohansen> 825 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (complain)'
64 [18:23] <jjohansen> 939 /usr/sbin/cupsd confined by '/usr/sbin/cupsd (enforce)'
65 [18:23] <jjohansen> 1671 /sbin/dhclient confined by '/sbin/dhclient (enforce)'
66 [18:23] <jjohansen> 1970 /usr/bin/mumble not confined
67 [18:24] <jjohansen> this can be real nice to help find applications that you would like to limit, as internet facing applications are generally the ones you need to worry about being hacked
68 [18:25] <jjohansen> aa-unconfined does have a limitation in that it only picks up applications with current connections; if an application is opening and closing connections (eg. firefox), it may not list it
69 [18:26] <jjohansen> QUESTION: Why does sudo aa-unconfined show me multiple programs with the same pid?
70 [18:27] <jjohansen> well good question, it is likely because there are multiple threads, which share the pid
71 [18:31] <jjohansen> aa-unconfined, and aa-status both have man pages that are worth looking at
72 [18:31] <jjohansen> man aa-unconfined
73 [18:31] <jjohansen> man aa-status
74 [18:32] <jjohansen> both commands get their information mostly from 2 places (for those who like nitty gritty details)
75 [18:32] <jjohansen> /proc/<pid>/attr/current
76 [18:32] <jjohansen> /sys/kernel/security/apparmor/profiles
77 [18:33] <jjohansen> they are worth poking at if you like figuring things out, btw <pid> should be replaced with a process's pid
78 [18:33] <jjohansen> eg. /proc/825/attr/current
79 [18:34] <jjohansen> so if you are using apparmor, I find one of the most useful things is the notifier
80 [18:35] <jjohansen> it's in the apparmor-notifier package if you don't have it installed
81 [18:36] <jjohansen> from the command line you can install it using
82 [18:36] <jjohansen> sudo apt-get install apparmor-notifier
83 [18:36] <jjohansen> or you can search for it in the software center
84 [18:37] <jjohansen> this will install the aa-notify program and in natty turn it on by default
85 [18:38] <jjohansen> the notifier will pop up notifications when apparmor denies access to something
86 [18:39] <jjohansen> this can be real nice to have
87 [18:40] <jjohansen> either because it reminds you that apparmor is confining the application and that is possibly why you are getting unexpected behavior
88 [18:41] <jjohansen> or well because something happened that wasn't expected and apparmor stopped it
89 [18:41] <jjohansen> man aa-notify
90 [18:41] <jjohansen> for more details
91 [18:42] <jjohansen> actually one more detail
92 [18:43] <jjohansen> it doesn't start on its own, the enabled bit just allows it to get the information from the log files
93 [18:43] <jjohansen> I have it added to my startup applications
94 [18:43] <jjohansen> Name: AppArmor Notify
95 [18:43] <jjohansen> Command: /usr/sbin/apparmor-notify -p
96 [18:43] <jjohansen> Comment: startup apparmor notifications
97 [18:45] <jjohansen> so we have covered basic introspection, I want to switch gears for a minute and mention how to disable apparmor
98 [18:46] <jjohansen> generally I wouldn't but if it is causing problems, there are multiple ways to get it out of your way
99 [18:47] <jjohansen> the best is just disabling a profile, if you just have apparmor interfering with a single application that you need
100 [18:48] <jjohansen> you can run
101 [18:48] <jjohansen> sudo aa-disable <profile name>
102 [18:48] <jjohansen> or if you like doing things manually
103 [18:49] <jjohansen> sudo ln -s /etc/apparmor.d/<profile file> /etc/apparmor.d/disable/<profile file name>
104 [18:49] <jjohansen> where <profile file> is the file name for the profile causing problems
105 [18:50] <jjohansen> however if you don't use aa-disable you will need to manually reload the profile set
106 [18:50] <jjohansen> /etc/init.d/apparmor reload
107 [18:51] <jjohansen> will do that for you
108 [18:51] <jjohansen> you can verify that the profile is gone with aa-status
109 [18:52] <jjohansen> disabling a single profile is the recommended way of working around a problem as it still leaves other applications protected by apparmor
110 [18:52] <ClassBot> There are 10 minutes remaining in the current session.
111 [18:52] <jjohansen> if you want to stop apparmor for all applications for the current session
112 [18:53] <jjohansen> /etc/init.d/apparmor teardown
113 [18:53] <jjohansen> will remove all current profiles, making every process unconfined
114 [18:54] <jjohansen> on reboot apparmor will be back to normal
115 [18:54] <jjohansen> if you want to disable apparmor on boot, you can enter
116 [18:54] <jjohansen> apparmor=0
117 [18:54] <jjohansen> on the grub command line,
118 [18:55] <jjohansen> hopefully nobody will need those but it always seems to come up in bug reports
119 [18:56] <jjohansen> Alright switching back, so as you might have inferred apparmor stores its policy in
120 [18:56] <jjohansen> /etc/apparmor.d/
121 [18:56] <jjohansen> these are simple text files that get compiled by the apparmor_parser and loaded into the kernel for enforcement
122 [18:57] <jjohansen> the file names in the directory are actually arbitrary
123 [18:57] <ClassBot> There are 5 minutes remaining in the current session.
124 [18:57] <jjohansen> they don't have to be named after the applications that are being confined
125 [18:57] <jjohansen> it is just done by convention
126 [18:58] <jjohansen> also a file can contain multiple profiles; that is not usually done however, unless they are related
127 [19:02] <ClassBot> Logs for this session will be available at http://irclogs.ubuntu.com/2011/05/04/%23ubuntu-classroom.html
MeetingLogs/openweekNatty/IntroductionToAppArmor (last edited 2011-05-04 18:06:38 by x1-6-00-26-f2-da-01-61)