Re: [apparmor] Help needed - Apparmor usage

2017-12-11 Thread Seth Arnold
On Sat, Dec 09, 2017 at 07:08:32PM +0530, harshad wadkar wrote:
> I am trying to solve a problem wherein I would like to give (read, write)
> access to file X only if it is accessed by application Y, and then only if
> application Y is invoked by the root user.
> 
> I do not want file X to be accessible (read, write, delete etc.) via
> application Z, even if Z is invoked by the root user.

Hello Harshad, thanks for your interest in AppArmor.

AppArmor's mediation is best understood from the perspective of processes:
You provide profiles that apply to processes. Confined processes carry
their policy into their children across fork() or clone() system calls,
the policy may change on execve() system calls, or an application may
drive its own policy changes with the aa_change_hat(), aa_change_hatv(),
aa_change_profile() or aa_change_onexec() library calls.

Depending upon what you mean by "using application Z" above, the policy
might be trivial to write or might be extremely difficult to write.

If the question is, "can root processes be confined?" then the answer is
"yes".

If the question is, "can I write file-oriented policy rather than
process-oriented policy?", it's probably best to assume the answer is
"probably not".

(Correctly enumerating everything else that all processes on the system are
allowed to do, and successfully putting all processes into that profile,
is extremely difficult.)

If you can fill in the details of what exactly you're trying to accomplish
then we can probably give more useful answers. It's hard to respond to
hypothetical questions.

> 2)
> is there any firefox profile for Apparmor available?

This profile is shipped in the Ubuntu 16.04 LTS package for Firefox:

# vim:syntax=apparmor
# Author: Jamie Strandboge 

# Declare an apparmor variable to help with overrides
@{MOZ_LIBDIR}=/usr/lib/firefox

#include 

# We want to confine the binaries that match:
#  /usr/lib/firefox/firefox
#  /usr/lib/firefox/firefox
# but not:
#  /usr/lib/firefox/firefox.sh
/usr/lib/firefox/firefox{,*[^s][^h]} {
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  #include 
  dbus (send)
   bus=session
   peer=(name=org.a11y.Bus),
  dbus (receive)
   bus=session
   interface=org.a11y.atspi**,
  dbus (receive, send)
   bus=accessibility,

  # for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/arp r,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/wireless r,
  dbus (send)
   bus=system
   path=/org/freedesktop/NetworkManager
   member=state,
  dbus (receive)
   bus=system
   path=/org/freedesktop/NetworkManager,

  # should maybe be in abstractions
  /etc/ r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
  /etc/xfce4/defaults.list r,
  /usr/share/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  /var/lib/snapd/desktop/applications/mimeinfo.cache r,
  /var/lib/snapd/desktop/applications/*.desktop r,
  owner /tmp/** m,
  owner /var/tmp/** m,
  owner /{,var/}run/shm/shmfd-* rw,
  owner /{dev,run}/shm/org.chromium.* rwk,
  /tmp/.X[0-9]*-lock r,
  /etc/udev/udev.conf r,
  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,
  # let the shell know we launched something
  dbus (send)
   bus=session
   interface=org.gtk.gio.DesktopAppInfo
   member=Launched,

  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # firefox specific
  /etc/firefox*/ r,
  /etc/firefox*/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner-2.0*/ r,
  /etc/xulrunner-2.0*/** r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,

  # noisy
  deny @{MOZ_LIBDIR}/** w,
  deny /usr/lib/firefox-addons/** w,
  deny /usr/lib/xulrunner-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,
  deny @{HOME}/.local/share/recently-used.xbel r,

  # TODO: investigate
  deny /usr/bin/gconftool-2 x,

  # These are needed when a new user starts firefox and firefox.sh is used
  @{MOZ_LIBDIR}/** ixr,
  /usr/bin/basename ixr,
  /usr/bin/dirname ixr,
  /usr/bin/pwd ixr,
  /sbin/killall5 ixr,
  /bin/which ixr,
  /usr/bin/tr ixr,
  @{PROC}/ r,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,
  @{PROC}/sys/vm/overcommit_memory r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/platform/**/uevent r,
  /sys/devices/pci*/**/{busnum,idVendor,idProduct} r,

[apparmor] Help needed - Apparmor usage

2017-12-10 Thread harshad wadkar
My information :
Name : Harshad Wadkar
Student : PhD student
Area of Interest : Browser security, Operating system security.

Sir,

1)
I am trying to solve a problem wherein I would like to give (read, write)
access to file X only if it is accessed by application Y, and then only if
application Y is invoked by the root user.

I do not want file X to be accessible (read, write, delete etc.) via
application Z, even if Z is invoked by the root user.


2)
is there any firefox profile for Apparmor available?

I have gone through the documentation of AppArmor, seccomp etc., but I am not
able to find a solution to the problem I am trying to solve.

If you can suggest a tool, API or library that will help me to solve
my problem, it will be great.

Your guidance is vital to me. Waiting for your reply.

I apologize for the disturbance.

Thanks & Regards
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor