== Open Week -- Introduction to AppArmor -- John Johansen -- Wed, May 4 ==
{{{#!IRC
[18:02] <ClassBot> Logs for this session will be available at http://irclogs.ubuntu.com/2011/05/04/%23ubuntu-classroom.html following the conclusion of the session.
[18:05] <jjohansen> well lets get started
[18:05] <jjohansen> Hello and welcome to the AppArmor session.
[18:05] <jjohansen> My name is John Johansen and I am a Kernel Engineer for Canonical
[18:06] <jjohansen> For those not familiar with AppArmor it is a mandatory access control (MAC) style security system.  Basically it limits an application to a preset list of resources,
[18:06] <jjohansen> whether it is run as root or not, and it is always gets applied ie. the user doesn't get to change it.
[18:06] <jjohansen> Today I plan to walk through the basics of AppArmor, feel free to ask questions at anytime, though if they don't fit into the current discussion I may wait until later to answer them.
[18:07] <jjohansen> We are going to need a terminal open as AppArmor currently does not have
[18:07] <jjohansen> any GUI based tools.
[18:07] <jjohansen> In unity you can do this by pressing the meta (windows) key and typing terminal
[18:07] <jjohansen> or in the classic gnome environment  Applications >> Accessories >> Terminal
[18:08] <jjohansen> First up we will look do some basic introspection of AppArmor
[18:08] <jjohansen> To see if apparmor is enabled from the terminal type
[18:08] <jjohansen>  aa-status
[18:09] <jjohansen> if enabled it will return
[18:09] <jjohansen> apparmor module is loaded.
[18:09] <jjohansen> You do not have enough privilege to read the profile set.
[18:09] <jjohansen> that is enough to tell apparmor is loaded and active but not see what it is doing
[18:10] <jjohansen> to get a full picture we need to use sudo
[18:10] <jjohansen> sudo aa-status
[18:10] <jjohansen> will return a much larger list of items
[18:11] <jjohansen> eg.
[18:11] <jjohansen> apparmor module is loaded.
[18:11] <jjohansen> 47 profiles are loaded.
[18:11] <jjohansen> 12 profiles are in enforce mode.
[18:11] <jjohansen>    /sbin/dhclient
[18:11] <jjohansen>    /usr/bin/evince
[18:11] <jjohansen>    /usr/bin/evince-previewer
[18:11] <jjohansen>    /usr/bin/evince-thumbnailer
[18:11] <jjohansen>    /usr/lib/NetworkManager/nm-dhcp-client.action
[18:11] <jjohansen>    /usr/lib/chromium-browser/chromium-browser//browser_java
[18:11] <jjohansen>    /usr/lib/chromium-browser/chromium-browser//browser_openjdk
[18:11] <jjohansen>    /usr/lib/connman/scripts/dhclient-script
[18:11] <jjohansen>    /usr/lib/cups/backend/cups-pdf
[18:11] <jjohansen>    /usr/sbin/cupsd
[18:11] <jjohansen>    /usr/sbin/tcpdump
[18:11] <jjohansen>    /usr/share/gdm/guest-session/Xsession
[18:11] <jjohansen> 35 profiles are in complain mode.
[18:11] <jjohansen> that is just part of my listing
[18:12] <jjohansen> so on my example system, there are 47 profiles loaded into the kernel
[18:13] <jjohansen> of those 47 profiles only 12 of them are being enforced
[18:13] <jjohansen> this means that applications confined by those programs, can only do what is specified by the profile
[18:14] <jjohansen> if they try to do anything not specified by the profile the access will denied the application with EPERM or EACCES
[18:14] <jjohansen> the rest of the loaded profiles are in complain mode
[18:15] <jjohansen> this is a special "learning" mode where profiles confined by a profile don't have access listed in a profile fail
[18:16] <jjohansen> instead, the access is logged and allowed, so the application runs normally but the behavior and accesses are logged so they can be learned and a profile developed
[18:18] <jjohansen> the information aa-status spits out can also be obtained using ps -Z, but it won't be organized near as nice
[18:18] <jjohansen> but can be useful to know if you need to do something with shell scripting
[18:18] <jjohansen> eg.
[18:19] <jjohansen> pidof cupsd | xargs ps -Z
[18:19] <jjohansen> LABEL                             PID TTY      STAT   TIME COMMAND
[18:19] <jjohansen> /usr/sbin/cupsd                   939 ?        Ss     0:00 /usr/sbin/cupsd -F
[18:19] <jjohansen> shows that cupsd is confined by the /usr/sbin/cupsd profile
[18:20] <jjohansen> the LABEL column provided by the -Z option to ps is the profile listing
[18:20] <jjohansen> applications that are not confined by a profile are listed as unconfined
[18:21] <jjohansen> unconfined                       4497 pts/1    00:00:00 bash
[18:22] <jjohansen> there is another useful command for introspecting network facing programs
[18:22] <jjohansen> aa-unconfined
[18:22] <jjohansen> it will show programs that are unconfined and have open network sockets
[18:22] <jjohansen> eg.
[18:23] <jjohansen> sudo aa-unconfined
[18:23] <jjohansen> 825 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (complain)'
[18:23] <jjohansen> 825 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (complain)'
[18:23] <jjohansen> 939 /usr/sbin/cupsd confined by '/usr/sbin/cupsd (enforce)'
[18:23] <jjohansen> 1671 /sbin/dhclient confined by '/sbin/dhclient (enforce)'
[18:23] <jjohansen> 1970 /usr/bin/mumble not confined
[18:24] <jjohansen> this can be real nice to help find applications that you would like to limit, as internet facing applications are generally the ones you need to worry about being hacked
[18:25] <jjohansen> aa-unconfined does have a limitation in that it only picks up applications with current connections, if an application is opening and closing connections (eg firefox), it may not list it
[18:26] <jjohansen> QUESTION: Why does sudo aa-unconfined show me multiple programs with the same pid?
[18:27] <jjohansen> well good question, it is likely because there are multiple threads, which share the pid
[18:31] <jjohansen> aa-unconfined, and aa-status both have man pages that are worth looking at
[18:31] <jjohansen> man aa-unconfined
[18:31] <jjohansen> man aa-status
[18:32] <jjohansen> both commands get their information mostly from 2 places (for those who like nitty gritty details)
[18:32] <jjohansen> /proc/<pid>/attr/current
[18:32] <jjohansen> /sys/kernel/security/apparmor/profiles
[18:33] <jjohansen> they are worth poking at if you like figuring things out, btw <pid> should be replaced with a processes pid
[18:33] <jjohansen> eg.  /proc/825/attr/current
[18:34] <jjohansen> so if you are using apparmor, I find one of the most useful things is the notifier
[18:35] <jjohansen> its in the apparmor-notifier package if you don't have it installed
[18:36] <jjohansen> from the command line you can install it using
[18:36] <jjohansen>  sudo apt-get install apparmor-notifier
[18:36] <jjohansen> or you can search for it in the software center
[18:37] <jjohansen> this will install the aa-notify program and in natty turn it on by default
[18:38] <jjohansen> the notifier will pop up notifications when apparmor denies access to something
[18:39] <jjohansen> this can be real nice to have
[18:40] <jjohansen> either because it reminds you that apparmor is confining the application and that is possibly why you are getting unexpected behavior
[18:41] <jjohansen> or well because something happend that wasn't expected and apparmor stopped it
[18:41] <jjohansen> man aa-notify
[18:41] <jjohansen> for more details
[18:42] <jjohansen> actually one more detail
[18:43] <jjohansen> it doesn't start on its own, the enabled bit just allows it to get the information from the log files
[18:43] <jjohansen> I have it added to my startup applications
[18:43] <jjohansen> Name: AppArmor Notify
[18:43] <jjohansen> Command: /usr/sbin/apparmor-notify -p
[18:43] <jjohansen> Comment: startup apparmor notifications
[18:45] <jjohansen> so we have covered basic introspection, I want to switch gears for a minute and mention how to disable apparmor
[18:46] <jjohansen> generally I wouldn't but if it is causing problems, there are multiple ways to get it out of your way
[18:47] <jjohansen> the best is just disabling a profile, if you just have apparmor interfering with a single application that you need
[18:48] <jjohansen> you can run
[18:48] <jjohansen>   sudo aa-disable <profile name>
[18:48] <jjohansen> or if you like doing things manually
[18:49] <jjohansen>   sudo ln -s /etc/apparmor.d/<profile file> /etc/apparmor.d/disable/<profile file name>
[18:49] <jjohansen> where <profile file> is the file name for the profile causing problems
[18:50] <jjohansen> however if you don't use aa-disable you will need to manually reload the profile set
[18:50] <jjohansen>   /etc/init.d/apparmor reload
[18:51] <jjohansen> will do that for you
[18:51] <jjohansen> you can verify that the profile is gone with aa-status
[18:52] <jjohansen> disabling a single profile is the recommended way of working around a problem as it still leaves other applications protected by apparmor
[18:52] <ClassBot> There are 10 minutes remaining in the current session.
[18:52] <jjohansen> if you want to stop apparmor for all applications for the current session
[18:53] <jjohansen>   /etc/init.d/apparmor teardown
[18:53] <jjohansen> will remove all current profiles, making every process unconfined
[18:54] <jjohansen> on reboot apparmor will be back to normal
[18:54] <jjohansen> if you want to disable apparmor on boot, you can enter
[18:54] <jjohansen>   apparmor=0
[18:54] <jjohansen> on the grub command line,
[18:55] <jjohansen> hopefully nobody will need those but it always seems to come up in bug reports
[18:56] <jjohansen> Alright switching back, so as you might have inferred apparmor stores its policy in
[18:56] <jjohansen>   /etc/apparmor.d/
[18:56] <jjohansen> these are simple text files, that get compiled by the apparmor_parser and loaded into the kernel for enforcement
[18:57] <jjohansen> the file names in the directory are actually arbitrary
[18:57] <ClassBot> There are 5 minutes remaining in the current session.
[18:57] <jjohansen> they don't have to be named after the applications that are being confined
[18:57] <jjohansen> it is just done by convention
[18:58] <jjohansen> also a file can contain multiple profiles, that is not usually done however unless they are related
[19:02] <ClassBot> Logs for this session will be available at http://irclogs.ubuntu.com/2011/05/04/%23ubuntu-classroom.html
}}}