On Sat, Dec 09, 2017 at 07:08:32PM +0530, harshad wadkar wrote:
> I am trying to solve a problem wherein I would like to give (read, write)
> access to file X, if it is accessed by only application Y and again if the
> application Y is invoked by root user.
>
> I do not want file X can be accessed (read, write, delete etc) using
> application Z - even if Z is invoked by root user.
Hello Harshad, thanks for your interest in AppArmor.

AppArmor's mediation is best understood from the perspective of processes: you provide profiles that apply to processes. Confined processes carry their policy into their children across fork() or clone() system calls; the policy may change on execve() system calls, or an application may drive its own policy changes with the aa_change_hat(), aa_change_hatv(), aa_change_profile() or aa_change_onexec() library calls.

Depending upon what you mean by "using application Z" above, the policy might be trivial to write or might be extremely difficult to write. If the question is, "can root processes be confined?" then the answer is "yes". If the question is, "can I write file-oriented policy rather than process-oriented policy?", it's probably best to assume the answer is "probably not". (Correctly enumerating everything else that all processes on the system are allowed to do, and successfully putting all processes into that profile, is extremely difficult.)

If you can fill in the details of what exactly you're trying to accomplish then we can probably give more useful answers. It's hard to respond to hypothetical questions.

> 2)
> is there any firefox profile for Apparmor available?
This profile is shipped in the Ubuntu 16.04 LTS package for Firefox:

# vim:syntax=apparmor
# Author: Jamie Strandboge <ja...@canonical.com>

# Declare an apparmor variable to help with overrides
@{MOZ_LIBDIR}=/usr/lib/firefox

#include <tunables/global>

# We want to confine the binaries that match:
#  /usr/lib/firefox/firefox
#  /usr/lib/firefox/firefox
# but not:
#  /usr/lib/firefox/firefox.sh
# NOTE(review): the two "match" lines above repeat the same path; the glob
# below attaches to /usr/lib/firefox/firefox and to any firefox* name whose
# last two characters are not "sh" -- confirm which second binary was meant.
/usr/lib/firefox/firefox{,*[^s][^h]} {
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-strict>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/dconf>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/p11-kit>
  #include <abstractions/ubuntu-unity7-base>
  #include <abstractions/ubuntu-unity7-launcher>

  # Accessibility bus: receive is limited to the org.a11y.atspi interfaces.
  #include <abstractions/dbus-accessibility-strict>
  dbus (send) bus=session peer=(name=org.a11y.Bus),
  dbus (receive) bus=session interface=org.a11y.atspi**,
  dbus (receive, send) bus=accessibility,

  # for networking
  # Only stream (TCP) sockets are granted; no raw or datagram sockets here.
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/arp r,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/wireless r,
  dbus (send) bus=system path=/org/freedesktop/NetworkManager member=state,
  dbus (receive) bus=system path=/org/freedesktop/NetworkManager,

  # should maybe be in abstractions
  /etc/ r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
  /etc/xfce4/defaults.list r,
  /usr/share/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  /var/lib/snapd/desktop/applications/mimeinfo.cache r,
  /var/lib/snapd/desktop/applications/*.desktop r,
  # 'm' permits PROT_EXEC mappings of the process owner's files under /tmp
  # and /var/tmp (no 'w' here, so the profile cannot create them itself).
  owner /tmp/** m,
  owner /var/tmp/** m,
  owner /{,var/}run/shm/shmfd-* rw,
  owner /{dev,run}/shm/org.chromium.* rwk,
  /tmp/.X[0-9]*-lock r,
  /etc/udev/udev.conf r,
  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,

  # let the shell know we launched something
  dbus (send) bus=session interface=org.gtk.gio.DesktopAppInfo member=Launched,

  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # firefox specific
  /etc/firefox*/ r,
  /etc/firefox*/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner-2.0*/ r,
  /etc/xulrunner-2.0*/** r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,

  # noisy
  # These explicit deny rules also keep the confined process from writing
  # into its own install tree; deny takes precedence over any allow below.
  deny @{MOZ_LIBDIR}/** w,
  deny /usr/lib/firefox-addons/** w,
  deny /usr/lib/xulrunner-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,
  deny @{HOME}/.local/share/recently-used.xbel r,

  # TODO: investigate
  deny /usr/bin/gconftool-2 x,

  # These are needed when a new user starts firefox and firefox.sh is used
  # 'ix' = execute and inherit this profile, so the helpers below stay
  # confined by these same rules rather than gaining new permissions.
  @{MOZ_LIBDIR}/** ixr,
  /usr/bin/basename ixr,
  /usr/bin/dirname ixr,
  /usr/bin/pwd ixr,
  /sbin/killall5 ixr,
  /bin/which ixr,
  /usr/bin/tr ixr,
  @{PROC}/ r,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,
  @{PROC}/sys/vm/overcommit_memory r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/platform/**/uevent r,
  /sys/devices/pci*/**/{busnum,idVendor,idProduct} r,
  /sys/devices/pci*/**/{,subsystem_}device r,
  /sys/devices/pci*/**/{,subsystem_}vendor r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  owner @{HOME}/.cache/thumbnails/** rw,
  /etc/mtab r,
  /etc/fstab r,

  # Needed for the crash reporter
  # 'owner' restricts environ/auxv reads to processes of the same uid.
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/auxv r,
  /etc/lsb-release r,
  /usr/bin/expr ix,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,

  # about:memory
  owner @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/smaps r,

  # Needed for container to work in xul builds
  /usr/lib/xulrunner-*/plugin-container ixr,

  # allow access to documentation and other files the user may want to look
  # at in /usr and /opt
  # Broad read-only grant; the extensions comment further down relies on it.
  /usr/ r,
  /usr/** r,
  /opt/ r,
  /opt/** r,

  # so browsing directories works
  / r,
  /**/ r,

  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
  # Write access is limited to files directly in ~/Downloads ('*', not '**').
  owner @{HOME}/ r,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,

  # per-user firefox configuration
  owner @{HOME}/.{firefox,mozilla}/ rw,
  owner @{HOME}/.{firefox,mozilla}/** rw,
  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
  owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
  owner @{HOME}/.gnome2/firefox* rwk,
  owner @{HOME}/.cache/mozilla/{,firefox/} rw,
  owner @{HOME}/.cache/mozilla/firefox/** rw,
  owner @{HOME}/.cache/mozilla/firefox/**/*.sqlite k,
  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  owner @{HOME}/.config/dconf/user w,
  owner /{,var/}run/user/*/dconf/user w,
  # The peer=(label=unconfined) qualifiers below restrict these sends to
  # unconfined services, not to arbitrary confined peers on the bus.
  dbus (send) bus=session path=/org/gnome/GConf/Server member=GetDefaultDatabase peer=(label=unconfined),
  dbus (send) bus=session path=/org/gnome/GConf/Database/* member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify} peer=(label=unconfined),
  dbus (send) bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=ListMountableInfo peer=(label=unconfined),

  # gnome-session
  dbus (send) bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Inhibit,Uninhibit} peer=(label=unconfined),

  # unity screen API
  dbus (send) bus=system interface="org.freedesktop.DBus.Introspectable" path="/com/canonical/Unity/Screen" member="Introspect" peer=(label=unconfined),
  dbus (send) bus=system interface="com.canonical.Unity.Screen" path="/com/canonical/Unity/Screen" member={keepDisplayOn,removeDisplayOnRequest} peer=(label=unconfined),

  # freedesktop.org ScreenSaver
  dbus (send) bus=session path=/{,org/freedesktop/,org.gnome/}Screen{s,S}aver interface=org.freedesktop.ScreenSaver member={Inhibit,UnInhibit,SimulateUserActivity} peer=(label=unconfined),

  # gnome, kde and cinnamon screensaver
  dbus (send) bus=session path=/{,ScreenSaver} interface=org.{gnome.ScreenSaver,kde.screensaver,cinnamon.ScreenSaver} member=SimulateUserActivity peer=(label=unconfined),

  # UPower
  dbus (send) bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices peer=(label=unconfined),

  #
  # Extensions
  # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  # NOTE(review): this is the one execute ('ix') plus mmap-exec ('m') grant
  # from a user-writable location; anything executed from here is still
  # bound by this profile, which is what keeps the grant acceptable.
  owner @{HOME}/.mozilla/**/extensions/** mixr,
  deny @{MOZ_LIBDIR}/update.test w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/xulrunner-addons/extensions/**/ w,
  deny /usr/share/mozilla/extensions/**/ w,
  deny /usr/share/mozilla/ w,

  # Miscellaneous (to be abstracted)
  # Ideally these would use a child profile. They are all ELF executables
  # so running with 'Ux', while not ideal, is ok because we will at least
  # benefit from glibc's secure execute.
  # 'Ux' runs the child unconfined (with the environment scrubbed); these
  # three are therefore the only transitions out of confinement in this
  # profile and are worth re-checking whenever the profile is updated.
  /usr/bin/mkfifo Uxr, # investigate
  /bin/ps Uxr,
  /bin/uname Uxr,
  # 'Cx' transitions into the named child profile defined just below.
  /usr/bin/lsb_release Cxr -> lsb_release,
  profile lsb_release {
    #include <abstractions/base>
    #include <abstractions/python>
    /usr/bin/lsb_release r,
    /bin/dash ixr,
    /usr/bin/dpkg-query ixr,
    /usr/include/python2.[4567]/pyconfig.h r,
    /etc/lsb-release r,
    /etc/debian_version r,
    /usr/share/distro-info/*.csv r,
    /var/lib/dpkg/** r,
    /usr/local/lib/python3.[0-6]/dist-packages/ r,
    /usr/bin/ r,
    /usr/bin/python3.[0-6] mr,

    # file_inherit
    deny /tmp/gtalkplugin.log w,
  }

  # Addons
  #include <abstractions/ubuntu-browsers.d/firefox>

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.firefox>
}

Thanks