Hello,

Last year I created an AppArmor profile for the Parole application. However, it was done on the 12.04 LTS release, which is now in EoL status. After a fresh 16.04 LTS installation and checking the log files for any new DENIED/ALLOWED entries (Parole was in "complain" mode), I was surprised that so many rules would be needed.
(Anyway, Parole is working okay; I can listen to an audio CD, change settings and so on.) But I would like to ask for some advice, opinions etc. To make it a little simpler, I decided to create, let's say, "section numbers" (1-7). I hope that with these numbers it will be more readable. Okay, so let's start.

(1) During testing, log files contained many entries related to 'xdg-screensaver'. Here are two of them:

    ✗ May 26 11:28:05 t1aa-test kernel: [ 1701.937292] audit: type=1400 audit(1494762639.594:78): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/parole" pid=2801 comm="xdg-screensaver" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/bin/parole//null-/usr/bin/xdg-screensaver"

    ✗ May 26 11:25:21 t1aa-test kernel: [ 223.424709] audit: type=1400 audit(1495790885.561:103): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/parole//null-/usr/bin/xdg-screensaver" pid=2236 comm="xdg-screensaver" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none

As you can see, the above log entries are different: one of them contains peer="/usr/bin/parole//*", while the second has only peer_addr="none". I was thinking about a proper solution, e.g. creating a child profile for 'xdg-screensaver' etc.
Generally, after more tests and adding other rules, the aa-status(8) command showed something like this:

    /usr/bin/parole
    /usr/bin/parole//null-/usr/bin/xdg-screensaver
    /usr/bin/parole//null-/usr/bin/xdg-screensaver//null-/bin/grep
    /usr/bin/parole//null-/usr/bin/xdg-screensaver//null-/bin/ln
    /usr/bin/parole//null-/usr/bin/xdg-screensaver//null-/bin/mktemp
    /usr/bin/parole//null-/usr/bin/xdg-screensaver//null-/bin/mv
    /usr/bin/parole//null-/usr/bin/xdg-screensaver//null-/bin/rm
    /usr/bin/parole//null-/usr/bin/xdg-screensaver//null-/bin/sed
    /usr/bin/parole//null-/usr/bin/xdg-screensaver//null-/bin/which
    /usr/bin/parole//null-/usr/bin/xdg-screensaver//null-/usr/bin/cut
    /usr/bin/parole//null-/usr/bin/xdg-screensaver//null-/usr/bin/dbus-send
    /usr/bin/parole//null-/usr/bin/xdg-screensaver//null-/usr/bin/xprop

But after the next system boot/start, the above entries vanished. There were many more issues with this thing. I wondered how to solve this: create a child profile or a separate "xdg-screensaver" profile? In the end I used this rule, which seems to solve all these issues with "xdg-screensaver", but I don't know if this rule is secure etc.:

    /usr/bin/xdg-screensaver PUx,

What do you think about this rule? Is it okay and can it be used in a Parole profile?

(2) The next thing that showed up during testing is:

    ✗ May 27 17:29:27 t1aa-test kernel: [ 9102.161080] audit: type=1400 audit(1495898967.296:70): apparmor="DENIED" operation="connect" profile="/usr/bin/parole" pid=3181 comm="parole" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/dbus-vfs-daemon/socket-dYRYyAQi" peer="unconfined"

I have had many problems with this entry, because I have no idea which rule I should use. I decided to use this one:

    unix (connect, receive, send) type=stream peer=(addr="@/dbus-vfs-daemon/socket-*"),

Again: what do you think about this rule? Can it be used in a profile? Is it secure enough?
I remind you that Parole works normally.

(3) Now an 'abstractions' issue. Is it better to use 'abstractions', or should I create the right rule? At some moment, log files started to include something like this: addr=none peer_addr="@/tmp/.X11-unix/X0" denied_mask="send connect" and so on. Similar rules can be found in <abstractions/X>. So, what should I do: use 'abstractions' or only rules? These rules are:

    /tmp/.X11-unix/* w,
    unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
    unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),

For now, I'm using <abstractions/X>, but I would like to ask what the better solution is in this case. What is your opinion on this one?

(4) Log entries related to dbus. There is a log entry for which I have had to create a rule. The log entry looks this way:

    ✗ May 27 18:25:42 t1aa-test kernel: [12477.582553] audit: type=1107 audit(1495902342.717:109): pid=1023 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.113" pid=3670 label="/usr/bin/parole" peer_pid=3678 peer_label="unconfined"

And the rule (please note the path= entry; it contains "hostname1"). Is it okay to use something like this one?

    dbus send bus=accessibility path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=GetAll,

(5) At some point, log entries appeared which can be found in the <abstractions/audio> file. And a question arises: is it better to use an 'abstraction' or rules? For now, I'm using rules, because I don't need everything from the 'audio' abstraction etc. The needed rules concern e.g. the '/etc/pulse/' folder, '/{run,dev}/shm/' or the '/etc/openal/alsoft.conf' file. So, what should I do?

(6) There was a problem with a GStreamer module error after inserting an audio CD disc etc.
Everything started to work after adding this rule to the Parole profile:

    unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined),

GStreamer doesn't work without this, right? So I think that this rule is okay and should be left in. Am I right?

(7) There were also issues with "orcexec.*". Because I have the /tmp partition mounted with the "noexec" option, I have had to add a couple of rules. Log entry and rules:

    ✗ May 28 11:20:24 t1aa-test kernel: [ 3238.285728] audit: type=1400 audit(1495963224.908:82): apparmor="DENIED" operation="mknod" profile="/usr/bin/parole" name="/run/user/1000/orcexec.IveM1L" pid=3649 comm="aqueue:src" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

The rest of this log entry contains "/home/user1/orcexec.iiRYBl" and "/tmp/orcexec.yeFccV". Added rules:

    owner /tmp/orcexec.* mrw,
    owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
    owner @{HOME}/orcexec.* mrw,

Are they okay? Can I leave them in a Parole profile?

Okay; that's all for now. By the way, why is there no Parole in the '/etc/apparmor.d/abstractions/ubuntu-media-players' file? There is e.g. Totem and VLC but no Parole. Is there any reason for this situation? I have one more question: what does something like this mean: comm="aqueue:src"? It was in one of the log entries, but I don't remember where. Is it something bad or normal? Please forgive me; I'm sorry for such a long message. It seems that Parole is working in 'enforce' mode. I can paste this profile somewhere and someone of you could check whether it's a secure profile to use etc. Once again: I'm sorry. Thanks, best regards.
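As an added example (not the poster's code, and not part of the AppArmor tools), the following Python script parses the audit lines quoted in sections (2), (4) and (7) into their key=value fields and derives one literal AppArmor rule per event, taking the bus, path, interface, member, peer address and permission mask straight from the corresponding log fields. The sample lines are constructed copies of the quoted entries with the syslog prefix removed; generalizing the literal values into globs, as the rules in the message do, is left to the reader.

```python
import re

# Constructed copies of three audit lines quoted in the message above
# (syslog/kernel prefix dropped; the type=1107 line keeps its msg='...' wrapper).
SAMPLE_LOG = [
    'audit(1495898967.296:70): apparmor="DENIED" operation="connect" profile="/usr/bin/parole" '
    'pid=3181 comm="parole" family="unix" sock_type="stream" protocol=0 '
    'requested_mask="send receive connect" denied_mask="send connect" addr=none '
    'peer_addr="@/dbus-vfs-daemon/socket-dYRYyAQi" peer="unconfined"',
    'audit(1495902342.717:109): pid=1023 uid=106 auid=4294967295 ses=4294967295 '
    'msg=\'apparmor="DENIED" operation="dbus_method_call" bus="system" '
    'path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" '
    'member="GetAll" mask="send" name=":1.113" pid=3670 label="/usr/bin/parole" '
    'peer_pid=3678 peer_label="unconfined"\'',
    'audit(1495963224.908:82): apparmor="DENIED" operation="mknod" profile="/usr/bin/parole" '
    'name="/run/user/1000/orcexec.IveM1L" pid=3649 comm="aqueue:src" '
    'requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
]

# key="quoted value" or key=bareword; the leading audit(...) token has no "=" and is skipped.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    line = line.replace("msg='", "").rstrip("'")   # unwrap type=1107 (dbus) records
    return {k: q if q else u for k, q, u in FIELD_RE.findall(line)}


def suggest_rule(ev):
    """Turn one parsed event into a literal AppArmor rule (no globbing applied)."""
    mask = ev.get("denied_mask") or ev.get("requested_mask", "")
    if ev.get("operation") == "dbus_method_call":
        # Every part of the dbus rule comes from the log record's own fields.
        return (f'dbus {ev["mask"]} bus={ev["bus"]} path={ev["path"]} '
                f'interface={ev["interface"]} member={ev["member"]} '
                f'peer=(label={ev["peer_label"]}),')
    if ev.get("family") == "unix":
        peer = (f'addr="{ev["peer_addr"]}"' if ev.get("peer_addr", "none") != "none"
                else f'label={ev["peer"]}')
        return f'unix ({", ".join(mask.split())}) type={ev["sock_type"]} peer=({peer}),'
    if "name" in ev:
        # File rules have no "c" (create) or "d" (delete) permission; both fall under "w".
        perms = "".join(sorted({"w" if p in "cd" else p for p in mask}))
        owner = "owner " if ev.get("fsuid") == ev.get("ouid") else ""
        return f'{owner}{ev["name"]} {perms},'
    return None


def suggest_rules(lines):
    return [r for r in (suggest_rule(parse_audit_line(l)) for l in lines) if r]
```

aa-logprof(8) does the same job interactively; the point here is to see which log field each part of a rule is taken from.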
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor