Open Week -- Introduction to AppArmor -- John Johansen -- Wed, May 4

   1 [18:02] <ClassBot> Logs for this session will be available at http://irclogs.ubuntu.com/2011/05/04/%23ubuntu-classroom.html following the conclusion of the session.
   2 [18:05] <jjohansen> well lets get started
   3 [18:05] <jjohansen> Hello and welcome to the AppArmor session.
   4 [18:05] <jjohansen> My name is John Johansen and I am a Kernel Engineer for Canonical
   5 [18:06] <jjohansen> For those not familiar with AppArmor, it is a mandatory access control (MAC) style security system.  Basically it limits an application to a preset list of resources,
   6 [18:06] <jjohansen> whether it is run as root or not, and it always gets applied, i.e. the user doesn't get to change it.
   7 [18:06] <jjohansen> Today I plan to walk through the basics of AppArmor, feel free to ask questions at any time, though if they don't fit into the current discussion I may wait until later to answer them.
   8 [18:07] <jjohansen> We are going to need a terminal open as AppArmor currently does not have
   9 [18:07] <jjohansen> any GUI based tools.
  10 [18:07] <jjohansen> In Unity you can do this by pressing the meta (windows) key and typing terminal
  11 [18:07] <jjohansen> or in the classic GNOME environment Applications >> Accessories >> Terminal
  12 [18:08] <jjohansen> First up we will do some basic introspection of AppArmor
  13 [18:08] <jjohansen> To see if apparmor is enabled from the terminal type
  14 [18:08] <jjohansen>  aa-status
  15 [18:09] <jjohansen> if enabled it will return
  16 [18:09] <jjohansen> apparmor module is loaded.
  17 [18:09] <jjohansen> You do not have enough privilege to read the profile set.
  18 [18:09] <jjohansen> that is enough to tell apparmor is loaded and active, but not to see what it is doing
  19 [18:10] <jjohansen> to get a full picture we need to use sudo
  20 [18:10] <jjohansen> sudo aa-status
  21 [18:10] <jjohansen> will return a much larger list of items
  22 [18:11] <jjohansen> eg.
  23 [18:11] <jjohansen> apparmor module is loaded.
  24 [18:11] <jjohansen> 47 profiles are loaded.
  25 [18:11] <jjohansen> 12 profiles are in enforce mode.
  26 [18:11] <jjohansen>    /sbin/dhclient
  27 [18:11] <jjohansen>    /usr/bin/evince
  28 [18:11] <jjohansen>    /usr/bin/evince-previewer
  29 [18:11] <jjohansen>    /usr/bin/evince-thumbnailer
  30 [18:11] <jjohansen>    /usr/lib/NetworkManager/nm-dhcp-client.action
  31 [18:11] <jjohansen>    /usr/lib/chromium-browser/chromium-browser//browser_java
  32 [18:11] <jjohansen>    /usr/lib/chromium-browser/chromium-browser//browser_openjdk
  33 [18:11] <jjohansen>    /usr/lib/connman/scripts/dhclient-script
  34 [18:11] <jjohansen>    /usr/lib/cups/backend/cups-pdf
  35 [18:11] <jjohansen>    /usr/sbin/cupsd
  36 [18:11] <jjohansen>    /usr/sbin/tcpdump
  37 [18:11] <jjohansen>    /usr/share/gdm/guest-session/Xsession
  38 [18:11] <jjohansen> 35 profiles are in complain mode.
  39 [18:11] <jjohansen> that is just part of my listing
  40 [18:12] <jjohansen> so on my example system, there are 47 profiles loaded into the kernel
  41 [18:13] <jjohansen> of those 47 profiles only 12 of them are being enforced
  42 [18:13] <jjohansen> this means that applications confined by those profiles can only do what is specified by the profile
  43 [18:14] <jjohansen> if they try to do anything not specified by the profile, the access will be denied and the application will get EPERM or EACCES
  44 [18:14] <jjohansen> the rest of the loaded profiles are in complain mode
  45 [18:15] <jjohansen> this is a special "learning" mode where applications confined by a profile don't have accesses that aren't listed in the profile fail
  46 [18:16] <jjohansen> instead, the access is logged and allowed, so the application runs normally but the behavior and accesses are logged so they can be learned and a profile developed
  47 [18:18] <jjohansen> the information aa-status spits out can also be obtained using ps -Z, but it won't be organized nearly as nicely
  48 [18:18] <jjohansen> but can be useful to know if you need to do something with shell scripting
  49 [18:18] <jjohansen> eg.
  50 [18:19] <jjohansen> pidof cupsd | xargs ps -Z
  51 [18:19] <jjohansen> LABEL                             PID TTY      STAT   TIME COMMAND
  52 [18:19] <jjohansen> /usr/sbin/cupsd                   939 ?        Ss     0:00 /usr/sbin/cupsd -F
  53 [18:19] <jjohansen> shows that cupsd is confined by the /usr/sbin/cupsd profile
  54 [18:20] <jjohansen> the LABEL column provided by the -Z option to ps is the profile listing
  55 [18:20] <jjohansen> applications that are not confined by a profile are listed as unconfined
  56 [18:21] <jjohansen> unconfined                       4497 pts/1    00:00:00 bash
  57 [18:22] <jjohansen> there is another useful command for introspecting network-facing programs
  58 [18:22] <jjohansen> aa-unconfined
  59 [18:22] <jjohansen> it will show programs that are unconfined and have open network sockets
  60 [18:22] <jjohansen> eg.
  61 [18:23] <jjohansen> sudo aa-unconfined
  62 [18:23] <jjohansen> 825 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (complain)'
  63 [18:23] <jjohansen> 825 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (complain)'
  64 [18:23] <jjohansen> 939 /usr/sbin/cupsd confined by '/usr/sbin/cupsd (enforce)'
  65 [18:23] <jjohansen> 1671 /sbin/dhclient confined by '/sbin/dhclient (enforce)'
  66 [18:23] <jjohansen> 1970 /usr/bin/mumble not confined
  67 [18:24] <jjohansen> this can be really nice to help find applications that you would like to limit, as internet-facing applications are generally the ones you need to worry about being hacked
  68 [18:25] <jjohansen> aa-unconfined does have a limitation in that it only picks up applications with current connections; if an application is opening and closing connections (e.g. Firefox), it may not list it
  69 [18:26] <jjohansen> QUESTION: Why does sudo aa-unconfined show me multiple programs with the same pid?
  70 [18:27] <jjohansen> well good question, it is likely because there are multiple threads, which share the pid
  71 [18:31] <jjohansen> aa-unconfined, and aa-status both have man pages that are worth looking at
  72 [18:31] <jjohansen> man aa-unconfined
  73 [18:31] <jjohansen> man aa-status
  74 [18:32] <jjohansen> both commands get their information mostly from 2 places (for those who like nitty gritty details)
  75 [18:32] <jjohansen> /proc/<pid>/attr/current
  76 [18:32] <jjohansen> /sys/kernel/security/apparmor/profiles
  77 [18:33] <jjohansen> they are worth poking at if you like figuring things out, btw <pid> should be replaced with a process's pid
  78 [18:33] <jjohansen> eg.  /proc/825/attr/current
  79 [18:34] <jjohansen> so if you are using apparmor, I find one of the most useful things is the notifier
  80 [18:35] <jjohansen> it's in the apparmor-notifier package if you don't have it installed
  81 [18:36] <jjohansen> from the command line you can install it using
  82 [18:36] <jjohansen>  sudo apt-get install apparmor-notifier
  83 [18:36] <jjohansen> or you can search for it in the software center
  84 [18:37] <jjohansen> this will install the aa-notify program and in Natty turn it on by default
  85 [18:38] <jjohansen> the notifier will pop up notifications when apparmor denies access to something
  86 [18:39] <jjohansen> this can be really nice to have
  87 [18:40] <jjohansen> either because it reminds you that apparmor is confining the application and that is possibly why you are getting unexpected behavior
  88 [18:41] <jjohansen> or, well, because something happened that wasn't expected and apparmor stopped it
  89 [18:41] <jjohansen> man aa-notify
  90 [18:41] <jjohansen> for more details
  91 [18:42] <jjohansen> actually one more detail
  92 [18:43] <jjohansen> it doesn't start on its own, the enabled bit just allows it to get the information from the log files
  93 [18:43] <jjohansen> I have it added to my startup applications
  94 [18:43] <jjohansen> Name: AppArmor Notify
  95 [18:43] <jjohansen> Command: /usr/sbin/apparmor-notify -p
  96 [18:43] <jjohansen> Comment: startup apparmor notifications
  97 [18:45] <jjohansen> so we have covered basic introspection; I want to switch gears for a minute and mention how to disable apparmor
  98 [18:46] <jjohansen> generally I wouldn't, but if it is causing problems, there are multiple ways to get it out of your way
  99 [18:47] <jjohansen> the best is just disabling a profile, if you just have apparmor interfering with a single application that you need
 100 [18:48] <jjohansen> you can run
 101 [18:48] <jjohansen>   sudo aa-disable <profile name>
 102 [18:48] <jjohansen> or if you like doing things manually
 103 [18:49] <jjohansen>   sudo ln -s /etc/apparmor.d/<profile file> /etc/apparmor.d/disable/<profile file name>
 104 [18:49] <jjohansen> where <profile file> is the file name for the profile causing problems
 105 [18:50] <jjohansen> however if you don't use aa-disable you will need to manually reload the profile set
 106 [18:50] <jjohansen>   /etc/init.d/apparmor reload
 107 [18:51] <jjohansen> will do that for you
 108 [18:51] <jjohansen> you can verify that the profile is gone with aa-status
 109 [18:52] <jjohansen> disabling a single profile is the recommended way of working around a problem as it still leaves other applications protected by apparmor
 110 [18:52] <ClassBot> There are 10 minutes remaining in the current session.
 111 [18:52] <jjohansen> if you want to stop apparmor for all applications for the current session
 112 [18:53] <jjohansen>   /etc/init.d/apparmor teardown
 113 [18:53] <jjohansen> will remove all current profiles, making every process unconfined
 114 [18:54] <jjohansen> on reboot apparmor will be back to normal
 115 [18:54] <jjohansen> if you want to disable apparmor on boot, you can enter
 116 [18:54] <jjohansen>   apparmor=0
 117 [18:54] <jjohansen> on the grub command line,
 118 [18:55] <jjohansen> hopefully nobody will need those, but it always seems to come up in bug reports
 119 [18:56] <jjohansen> Alright switching back, so as you might have inferred apparmor stores its policy in
 120 [18:56] <jjohansen>   /etc/apparmor.d/
 121 [18:56] <jjohansen> these are simple text files that get compiled by the apparmor_parser and loaded into the kernel for enforcement
 122 [18:57] <jjohansen> the file names in the directory are actually arbitrary
 123 [18:57] <ClassBot> There are 5 minutes remaining in the current session.
 124 [18:57] <jjohansen> they don't have to be named after the applications that are being confined
 125 [18:57] <jjohansen> it is just done by convention
 126 [18:58] <jjohansen> also a file can contain multiple profiles; that is not usually done, however, unless they are related
 127 [19:02] <ClassBot> Logs for this session will be available at http://irclogs.ubuntu.com/2011/05/04/%23ubuntu-classroom.html

MeetingLogs/openweekNatty/IntroductionToAppArmor (last edited 2011-05-04 18:06:38 by x1-6-00-26-f2-da-01-61)