
Page 1: Getting started with AppArmor

AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)

AppArmor: app sandboxing comes standard in Ubuntu Linux

Page 2: Getting started with AppArmor

What is AppArmor?

• it’s not a proper MAC tool

• just meant for app sandboxing

• can’t defend against root privilege escalation

• a module of the Linux Security Modules (LSM) framework

• apparmor-utils: init scripts, a log parser for learning mode, a policy generator

Page 3: Getting started with AppArmor

Development timeline

• 1998: born at WireX as SubDomain

• 2005: acquired by Novell and renamed AppArmor

• 2007: Novell stops development

• 2007: Ubuntu 7.10 released, with AppArmor included!

• 2009: Canonical takes over development from Novell; the project is reborn

• 2016: still developed as an open-source project

Page 4: Getting started with AppArmor

Features

• enforcement is not the default: no policy means unconfined!

• policy is split into profiles: one profile per executable

• policy can be modified by hand in a text editor

• all profiles are loaded at startup (both complain and enforce mode)

• path-based ACL (for loaded profiles)

• notifications to the user via aa-notify

Page 5: Getting started with AppArmor

How it works

• uses LSM

• path-based profiles (stored in /etc/apparmor.d)

• each profile manages…

• the accessible paths (with permissions)

• the system capabilities the executable has

• complain mode logs violations without blocking them (…and then you learn from the log)

• again: enforcement is not the default. no policy means unconfined!

Page 6: Getting started with AppArmor

Out of the box

• Comes preinstalled and active since Ubuntu 7.10

• By default some profiles are already in enforcing mode, others in complain

root@vm1:/home/francesco# aa-status
apparmor module is loaded.
21 profiles are loaded.
21 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/bin/ubuntu-core-launcher
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/ippusbxd
   /usr/sbin/tcpdump
   webbrowser-app
   webbrowser-app//oxide_helper
0 profiles are in complain mode.
0 processes are unconfined but have a profile defined.

(aa-status output: defaults in Ubuntu 16.04, after installation)

Page 7: Getting started with AppArmor

Installation

• sudo apt-get install …

• apparmor, the system itself

• apparmor-utils, the management utilities

• apparmor-profiles, for additional profiles

• (optional) apparmor-notify, to get a desktop notification upon an attempted violation

• auditd, not part of AppArmor but needed for the logs

Page 8: Getting started with AppArmor

Usage

• aa-status to see what’s active and what’s not

• aa-genprof to scaffold an (empty) profile

• aa-logprof to generate policy from the log (learning mode)

• (e.g.) aa-logprof -f /var/log/audit/audit.log

• aa-complain to log without denying (aa-complain /etc/apparmor.d/profile.name)

• aa-enforce to make the policy effective (aa-enforce /etc/apparmor.d/profile.name)

• apparmor_parser -R /etc/apparmor.d/profile.name to unload a profile from the kernel (it is then ignored)

• apparmor_parser -r /etc/apparmor.d/profile.name to (re)load the profile into the kernel
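What aa-logprof's learning mode works from, shown as an added example that is not part of the deck or of the AppArmor project: a small Python script that parses the AppArmor AVC records in audit.log, treats both DENIED events (enforce mode) and ALLOWED events (complain mode, logged but not blocked) as gaps in a profile, and prints candidate rules per profile in the profile syntax. The log lines are constructed for the example, and the table that folds audit masks into profile permission letters is an assumption made here; execute permissions are left out on purpose, since choosing the x-mode is exactly the decision aa-logprof asks the administrator to make.

```python
"""Summarise AppArmor events from an audit log into candidate profile rules,
the way aa-logprof's learning mode does interactively.  Added example,
not the deck's or the AppArmor project's code; the sample log lines and
the mask-to-permission table below are constructed for illustration."""
import re
from collections import defaultdict

# Constructed audit.log lines (type=AVC) of the kind AppArmor writes when a
# confined program touches something its profile does not cover.
SAMPLE_LOG = """\
type=AVC msg=audit(1465819200.123:451): apparmor="DENIED" operation="open" profile="/usr/sbin/vsftpd" name="/etc/vsftpd/banner.txt" pid=2134 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1465819201.456:452): apparmor="DENIED" operation="open" profile="/usr/sbin/vsftpd" name="/var/log/vsftpd.log" pid=2134 comm="vsftpd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1465819202.789:453): apparmor="ALLOWED" operation="open" profile="/usr/sbin/tcpdump" name="/home/francesco/capture.pcap" pid=2201 comm="tcpdump" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1465819203.000:454): apparmor="DENIED" operation="open" profile="/usr/sbin/vsftpd" name="/etc/vsftpd/banner.txt" pid=2135 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1465819204.000:455): apparmor="DENIED" operation="capable" profile="/usr/sbin/vsftpd" pid=2134 comm="vsftpd" capability=10 capname="net_bind_service"
type=SYSCALL msg=audit(1465819204.000:455): arch=c000003e syscall=49 success=no exit=-13
"""

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Split one audit line into key=value fields; returns None for lines
    that carry no apparmor= field (SYSCALL records and the like)."""
    fields = {}
    for m in FIELD.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields if "apparmor" in fields else None

def collect_gaps(log_text):
    """Group events by profile.  "DENIED" (enforce mode) and "ALLOWED"
    (complain mode: logged, not blocked) both mark a gap in the profile.
    Result: {profile: {"files": {path: set(mask letters)}, "caps": set()}}."""
    gaps = defaultdict(lambda: {"files": defaultdict(set), "caps": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["apparmor"] not in ("DENIED", "ALLOWED"):
            continue
        prof = ev["profile"]
        if ev.get("operation") == "capable":
            gaps[prof]["caps"].add(ev["capname"])
        elif "name" in ev:
            gaps[prof]["files"][ev["name"]].update(ev.get("requested_mask", ""))
    return gaps

# Audit masks -> profile permission letters (assumed mapping): the kernel
# reports create (c) and delete (d) separately, the profile language folds
# them into write (w).  Execute is deliberately absent: aa-logprof asks which
# x-mode (ix, px, ux, ...) to grant, and that choice should not be automated.
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "d": "w", "a": "a",
                "l": "l", "k": "k", "m": "m"}
PERM_ORDER = "rwalkm"

def suggest_rules(gaps):
    """Render candidate rules per profile in the profile syntax:
    `capability name,` and `path perms,`."""
    out = {}
    for prof, g in sorted(gaps.items()):
        rules = [f"capability {c}," for c in sorted(g["caps"])]
        for path, masks in sorted(g["files"].items()):
            perms = {MASK_TO_PERM[m] for m in masks if m in MASK_TO_PERM}
            if perms:
                letters = "".join(p for p in PERM_ORDER if p in perms)
                rules.append(f"{path} {letters},")
        out[prof] = rules
    return out

if __name__ == "__main__":
    for prof, rules in suggest_rules(collect_gaps(SAMPLE_LOG)).items():
        print(f"# {prof}")
        for rule in rules:
            print("  " + rule)
```

Run against a real /var/log/audit/audit.log the script only reports what the log shows; like aa-logprof, it cannot tell a legitimate access from an attacker's probe, so every suggested rule is something to review before it goes into /etc/apparmor.d, which is also why the "learn from complain mode" workflow should run on a clean, representative workload.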

Page 9: Getting started with AppArmor

Policy example (for vsftpd)

#include <tunables/global>

/usr/sbin/vsftpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/authentication>

  /dev/urandom r,
  /etc/fstab r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/mtab r,
  /etc/shells r,
  /etc/vsftpd.* r,
  /etc/vsftpd/* r,
  /usr/sbin/vsftpd rmix,
  /var/log/vsftpd.log w,
  /var/log/xferlog w,

  # anon chroots
  / r,
  /pub r,
  /pub/** r,

  @{HOMEDIRS} r,
  @{HOME}/** rwl,
}

Callouts on the slide:

• wildcards (e.g. /etc/vsftpd.* and /pub/**)

• a path and its relative permissions

• including rules from other pre-defined files (the #include lines)

Page 10: Getting started with AppArmor

Permissions

• r read

• w write

• ux unconfined execute

• Ux unconfined execute - scrub environment

• px discrete profile execute

• Px discrete profile execute - scrub environment

• ix inherit execute

• m allow PROT_EXEC with mmap calls

• l link
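To make the policy example and the permission letters concrete, here is an added example, written for this page and not part of the deck or of the AppArmor project, that evaluates file-access requests against the file rules of the vsftpd profile above. It expands the @{HOMEDIRS} and @{HOME} variables, turns AppArmor globs into regular expressions (** crosses directory separators, * and ? do not), parses permission strings such as rmix into their letters and qualified x-modes, and unions the permissions of every matching rule. Assumptions: only file rules are handled (no #include, capability or network rules); the variable values are hard-coded here from the usual tunables/home defaults; and one deny rule has been added to the sample, which is not in the deck, to show that an explicit deny beats an allow.

```python
"""Evaluate file-access requests against AppArmor file rules, to show how the
path globs and the permission letters from the deck combine.  Added example,
not the deck's or the AppArmor project's code.  Assumptions: only file rules
(no #include, capability or network rules); @{HOMEDIRS} and @{HOME} are
hard-coded with the usual tunables/home defaults; the deny rule at the end
of the sample profile is added for illustration and is not in the deck."""
import re

# Constructed profile body: the file rules of the deck's vsftpd example,
# plus one deny rule (not in the deck) to show that deny beats allow.
VSFTPD_RULES = """
  /dev/urandom r,
  /etc/vsftpd.* r,
  /etc/vsftpd/* r,
  /usr/sbin/vsftpd rmix,
  /var/log/vsftpd.log w,
  # anon chroots
  / r,
  /pub r,
  /pub/** r,
  @{HOMEDIRS} r,
  @{HOME}/** rwl,
  deny @{HOME}/.ssh/** rwlk,
"""

# Assumed variable values (tunables/home defaults): a variable with several
# values expands a rule into one rule per value.
TUNABLES = {"@{HOMEDIRS}": ["/home/"], "@{HOME}": ["@{HOMEDIRS}/*/", "/root/"]}

RULE = re.compile(r"^(deny\s+)?(\S+)\s+([A-Za-z]+)\s*,$")

def parse_perms(text):
    """'rmix' -> {'r', 'm', 'ix'}: execute is always qualified (ix, px, Px,
    ux, Ux, cx, Cx); r w a l k m stand alone."""
    perms, i = set(), 0
    while i < len(text):
        ch = text[i]
        if ch in "ipPuUcC" and i + 1 < len(text) and text[i + 1] == "x":
            perms.add(ch + "x")
            i += 2
        elif ch in "rwalkm":
            perms.add(ch)
            i += 1
        else:
            raise ValueError(f"unknown permission {ch!r} in {text!r}")
    return perms

def expand(path):
    """Replace @{VAR} references (recursively) and collapse '//' as the
    parser does; returns every concrete path the rule stands for."""
    m = re.search(r"@\{[^}]+\}", path)
    if not m:
        return [re.sub(r"/+", "/", path)]
    out = []
    for value in TUNABLES[m.group(0)]:
        out.extend(expand(path[:m.start()] + value + path[m.end():]))
    return out

def glob_to_regex(glob):
    """AppArmor globbing: '**' spans directory separators, '*' and '?'
    do not; everything else is literal."""
    rx, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            rx, i = rx + ".*", i + 2
        elif glob[i] == "*":
            rx, i = rx + "[^/]*", i + 1
        elif glob[i] == "?":
            rx, i = rx + "[^/]", i + 1
        else:
            rx, i = rx + re.escape(glob[i]), i + 1
    return re.compile("^" + rx + "$")

def parse_rules(text):
    """Turn the profile body into (deny?, compiled path regex, perms) triples."""
    rules = []
    for line in text.splitlines():
        if line.strip().startswith("#include"):
            raise ValueError("#include is not handled by this example")
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        deny, perms = bool(m.group(1)), parse_perms(m.group(3))
        for concrete in expand(m.group(2)):
            rules.append((deny, glob_to_regex(concrete), perms))
    return rules

def check(rules, path, wanted):
    """Return (allowed, effective_perms) for a request of `wanted` (a
    permission string) on `path`: matching allow rules accumulate, and
    anything covered by a matching deny rule is taken away again."""
    granted, denied = set(), set()
    for deny, rx, perms in rules:
        if rx.match(path):
            (denied if deny else granted).update(perms)
    effective = granted - denied
    return parse_perms(wanted) <= effective, effective

if __name__ == "__main__":
    rules = parse_rules(VSFTPD_RULES)
    for path, want in [("/etc/vsftpd/ftpusers", "r"), ("/etc/vsftpd/ftpusers", "w"),
                       ("/pub/iso/2016/ubuntu.iso", "r"), ("/home/alice/upload.bin", "rw"),
                       ("/home/alice/.ssh/authorized_keys", "r"), ("/etc/shadow", "r")]:
        ok, eff = check(rules, path, want)
        print(f"{path:36} want {want:3} -> {'ALLOW' if ok else 'DENY'} "
              f"(effective: {''.join(sorted(eff)) or '-'})")
```

Two things the run makes visible that the slide alone does not: @{HOME}/** rwl reaches every user's home directory and /root, so a single line in a profile can be far broader than it reads, and because a path that matches no rule yields an empty permission set, /etc/shadow is refused even though the profile never names it, which is what the "path-based ACL" bullet means in practice.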

Page 11: Getting started with AppArmor

The good

• friendly management tools

• policies easy to maintain

• using audit.log and aa-logprof

• integrates with audit

• decent logs

• integrates with Ubuntu system notifications

Page 12: Getting started with AppArmor

The bad

• basic enforcement (e.g. it can’t limit access to a range of TCP ports)

• useless against root privilege escalation (it can be disabled or removed!)

• no memory protection

• buggy utilities (learning mode often not working)

Page 13: Getting started with AppArmor

Resources

• Official wiki (wiki.apparmor.net/)

• Ubuntu wiki (wiki.ubuntu.com/AppArmor/)

• Debian wiki (https://wiki.debian.org/AppArmor/HowToUse)

• Arch Linux wiki (https://wiki.archlinux.org/index.php/AppArmor)

• irc.oftc.net #apparmor

• Mailing list (https://lists.ubuntu.com/mailman/listinfo/apparmor)

Page 14: Getting started with AppArmor

Questions?

Thank you!