getting started with apparmor
TRANSCRIPT
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
AppArmor
App sandboxing comes standard in Ubuntu Linux
What it is
• it’s not a proper MAC tool
• just meant for app sandboxing
• can’t defend against root privilege escalation
• module of LSM
• apparmor-utils
• init scripts, log parser for learning mode, policy generator
Development timeline
• 1998 born from WireX as subdomain
• 2005 bought by Novell and renamed as AppArmor
• 2007 Novell stops development
• Ubuntu 7.10 released!
• 2009 Canonical takes over from Novell; AppArmor is reborn
• 2016 still in development as open-source project
Features
• enforce is not default. no policy means unconfined!
• policy split in profiles: one profile per executable
• policy can be modified by hand in text editors
• loads all profiles at startup (both complain and enforce)
• path-based ACL (for loaded profiles)
• notifications to the user via aa-notify
How it works
• uses LSM
• path-based profiles (saved in /etc/apparmor.d)
• each profile manages…
• accessible paths (permissions)
• system capabilities the executable has
• complain mode to log (…and then learn)
• again: enforce is not default. no policy means unconfined!
Out of the box
• Comes preinstalled and active since Ubuntu 7.10
• By default some profiles are already in enforcing mode, others in complain
root@vm1:/home/francesco# aa-status
apparmor module is loaded.
21 profiles are loaded.
21 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/bin/ubuntu-core-launcher
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/ippusbxd
   /usr/sbin/tcpdump
   webbrowser-app
   webbrowser-app//oxide_helper
0 profiles are in complain mode.
0 processes are unconfined but have a profile defined.
defaults in Ubuntu 16.04
after installation
Installation
• sudo apt-get install …
• apparmor, the system itself
• apparmor-utils, managing utilities
• apparmor-profiles, for additional profiles
• (optional) apparmor-notify, to get desktop notification upon attempted violation
• auditd, not part of AppArmor but needed for logs
Usage
• aa-status to see what’s active, what’s not
• aa-genprof to scaffold an (empty) policy
• aa-logprof to generate policy out of log (learning mode)
• (e.g.) aa-logprof -f /var/log/audit/audit.log
• aa-complain to log without denying (aa-complain /etc/apparmor.d/profile.name)
• aa-enforce to make the policy effective (aa-enforce /etc/apparmor.d/profile.name)
• apparmor_parser -R /etc/apparmor.d/profile.name to unload (ignore) a profile
• apparmor_parser -r /etc/apparmor.d/profile.name to reload (un-ignore) a profile
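The learning loop above (complain mode, then aa-logprof over audit.log) reduced to its core, as an added example that is not part of the slides or of the apparmor-utils code: it parses constructed AppArmor audit records and aggregates the accesses the profile does not yet cover into candidate file rules per profile. The sample records, the vsftpd paths in them and the simplified handling (file rules only, no capability or network events) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (not from the slides), laid out like the AppArmor records
# auditd writes to /var/log/audit/audit.log. "DENIED" comes from an enforced
# profile, "ALLOWED" from one in complain mode; both mean "not covered yet".
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1465819200.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/vsftpd" name="/etc/vsftpd.conf" pid=1234 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1465819200.102:202): apparmor="DENIED" operation="open" profile="/usr/sbin/vsftpd" name="/var/log/vsftpd.log" pid=1234 comm="vsftpd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1465819200.103:203): apparmor="ALLOWED" operation="open" profile="/usr/sbin/vsftpd" name="/etc/shells" pid=1234 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1465819200.104:204): apparmor="DENIED" operation="open" profile="/usr/sbin/vsftpd" name="/var/log/vsftpd.log" pid=1234 comm="vsftpd" requested_mask="a" denied_mask="a" fsuid=0 ouid=0
type=AVC msg=audit(1465819200.105:205): apparmor="DENIED" operation="exec" profile="/usr/sbin/vsftpd" name="/bin/sh" pid=1235 comm="vsftpd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1465819200.106:206): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/vsftpd" pid=1 comm="apparmor_parser"
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Audit mask letters -> profile permission letters (c/a are forms of write).
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "a": "w", "l": "l", "m": "m", "k": "k"}
PERM_ORDER = "rwmlk"

def parse_record(line):
    """Split one audit line into key -> value, dropping surrounding quotes."""
    return {k: (q if v.startswith('"') else v) for k, v, q in FIELD_RE.findall(line)}

def suggest_rules(log_text):
    """Aggregate uncovered file accesses per profile into candidate rule lines;
    execs become comments so the operator picks ix/px/Px, not a blanket ux."""
    perms = defaultdict(lambda: defaultdict(set))  # profile -> path -> perms
    execs = defaultdict(set)                         # profile -> paths executed
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") not in ("DENIED", "ALLOWED") or "name" not in rec:
            continue
        mask = rec.get("denied_mask") or rec.get("requested_mask", "")
        for ch in mask:
            if ch == "x":
                execs[rec["profile"]].add(rec["name"])
            elif ch in MASK_TO_PERM:
                perms[rec["profile"]][rec["name"]].add(MASK_TO_PERM[ch])
    suggestions = {}
    for profile in sorted(set(perms) | set(execs)):
        lines = [f"  {path} {''.join(c for c in PERM_ORDER if c in perms[profile][path])},"
                 for path in sorted(perms[profile])]
        lines += [f"  # exec of {path} seen: choose ix, px or Px (ux leaves it unconfined)"
                  for path in sorted(execs[profile])]
        suggestions[profile] = lines
    return suggestions
```

Running suggest_rules(SAMPLE_AUDIT_LOG) merges the "wc" and "a" masks on the log file into a single w rule and leaves the exec of /bin/sh as a comment for the operator to decide on.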
Policy example (for vsftpd)

#include <tunables/global>

/usr/sbin/vsftpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/authentication>

  /dev/urandom r,
  /etc/fstab r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/mtab r,
  /etc/shells r,
  /etc/vsftpd.* r,
  /etc/vsftpd/* r,
  /usr/sbin/vsftpd rmix,
  /var/log/vsftpd.log w,
  /var/log/xferlog w,

  # anon chroots
  / r,
  /pub r,
  /pub/** r,
  @{HOMEDIRS} r,
  @{HOME}/** rwl,
}
wildcards
path and relative permissions
including rules in other pre-defined files
Permissions
• r read
• w write
• ux unconfined execute
• Ux unconfined execute - scrub environment
• px discrete profile execute
• Px discrete profile execute - scrub environment
• i inherit execute
• m allow PROT_EXEC with mmap calls
• l link
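An added example (not from the slides or the AppArmor project) that applies the permission table above to a profile: it parses the file rules and flags the ones that weaken confinement (ux/Ux, px without environment scrubbing, write plus execute on one path), next to the same profile with those rules tightened. The "uploader" program, its paths and the rules are constructed for illustration.

```python
import re

# Constructed profile (not from the slides): the same program confined twice,
# once with weak execute rules and once with those rules tightened.
WEAK_PROFILE = """\
#include <tunables/global>
/usr/local/bin/uploader {
  #include <abstractions/base>
  /etc/uploader.conf r,
  /usr/local/bin/uploader rmix,
  /usr/bin/gzip ux,
  /usr/bin/convert px,
  /var/spool/uploads/** rw,
  /tmp/** rwix,
}
"""
# gzip inherits the profile, convert gets its own profile with a scrubbed
# environment, and /tmp loses execute so dropped files cannot be run.
HARDENED_PROFILE = (WEAK_PROFILE.replace("gzip ux", "gzip ix")
                    .replace("convert px", "convert Px").replace("/tmp/** rwix", "/tmp/** rw"))

RULE_RE = re.compile(r"^\s*(?P<path>[/@]\S*?)\s+(?P<perms>[rwalkmixpPuUcC]+)\s*,\s*$")

def parse_rules(profile_text):
    """Return (path, perms) for every file rule; includes, braces and comments are skipped."""
    rules = []
    for raw in profile_text.splitlines():
        line = "" if raw.lstrip().startswith("#include") else raw.split("#", 1)[0]
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("path"), m.group("perms")))
    return rules

def lint_rules(profile_text):
    """Flag rules that weaken confinement: unconfined execute, unscrubbed
    environment on a profile transition, and write+execute on one path."""
    findings = []
    for path, perms in parse_rules(profile_text):
        if "u" in perms or "U" in perms:
            findings.append((path, perms, "unconfined execute: the child escapes the policy"))
        elif "p" in perms:
            findings.append((path, perms, "px without environment scrubbing; prefer Px"))
        if "w" in perms and ("x" in perms or "m" in perms):
            findings.append((path, perms, "writable and executable/mappable on the same path"))
    return findings
```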
The good
• friendly management tools
• policies easy to maintain
• using audit.log and aa-logprof
• integrates with audit
• decent logs
• integrates with Ubuntu system notifications
The bad
• basic enforcing (e.g. can’t limit access to range of tcp ports)
• useless against root privilege escalation (can be disabled or removed!)
• no memory protection
• buggy utilities (learning mode often not working)
Resources
• Official wiki (wiki.apparmor.net/)
• Ubuntu wiki (wiki.ubuntu.com/AppArmor/)
• Debian wiki (https://wiki.debian.org/AppArmor/HowToUse)
• Arch Linux wiki (https://wiki.archlinux.org/index.php/AppArmor)
• irc.oftc.net #apparmor
• Mailing list (https://lists.ubuntu.com/mailman/listinfo/apparmor)
Questions?
Thank you!