/etc/apparmor.d/
وهي تحوي قائمة من قواعد التحكم بالوصول لكل الموارد التي يمكن أن يستخدمها أي برنامج. يترجم apparmor_parser
هذه البروفايلات ويحملها إلى النواة. يمكن تحميل كل بروفايل إما في وضع الإلزام أو وضع الشكوى. يفرض الوضع الأول اتباع السياسة ويبلغ عن محاولات اختراقها، أما الوضع الثاني فلا يفرض السياسة بل يكتفي بتسجيل نداءات النظام التي تخالف السياسة والتي كان الوضع الأول سيمنعها.
apt install apparmor apparmor-profiles apparmor-profiles-extra apparmor-utils
with root privileges.
aa-status
will confirm it quickly:
#
aa-status
apparmor module is loaded. 40 profiles are loaded. 18 profiles are in enforce mode. /usr/bin/man [..] 22 profiles are in complain mode. [..] dnsmasq [..] 0 profiles are in kill mode. 0 profiles are in unconfined mode. 1 processes have profiles defined. 1 processes are in enforce mode. /usr/sbin/dhclient (473) /{,usr/}sbin/dhclient 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. 0 processes are in mixed mode. 0 processes are in kill mode.
aa-enforce
and aa-complain
giving as parameter either the path of the executable or the path to the policy file. Additionally a profile can be entirely disabled with aa-disable
or put in audit mode (to log accepted system calls too) with aa-audit
.
#
aa-enforce /usr/bin/pidgin
Setting /usr/bin/pidgin to enforce mode.
#
aa-complain /usr/sbin/dnsmasq
Setting /usr/sbin/dnsmasq to complain mode.
aa-unconfined
الذي يسرد البرامج التي توفر مقابس شبكية مفتوحة دون أن ترتبط مع أي بروفايل. ومع استخدام الخيار --paranoid
سيذكر لك كل العمليات التي تملك اتصالاً شبكياً واحداً نشطاً أو أكثر.
#
aa-unconfined
473 /usr/sbin/dhclient confined by '/{,usr/}sbin/dhclient (enforce)' 521 /usr/sbin/sshd (sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups) not confined 1206 /usr/sbin/squid not confined 9931 /usr/bin/containerd not confined 11171 /usr/sbin/exim4 not confined
/sbin/dhclient
(there already is a profile shipped by apparmor-profiles, so you can compare your results to the official one). For this we will use aa-genprof dhclient
. It will invite you to use the application in another window and when done to come back to aa-genprof
to scan for AppArmor events in the system logs and convert those logs into access rules. For each logged event, it will make one or more rule suggestions that you can either approve or further edit in multiple ways:
#
aa-genprof dhclient
Updating AppArmor profiles in /etc/apparmor.d. Writing updated profile for /usr/sbin/dhclient. Setting /usr/sbin/dhclient to complain mode. Before you begin, you may wish to check if a profile already exists for the application you wish to confine. See the following wiki page for more information: https://gitlab.com/apparmor/apparmor/wikis/Profiles Profiling: /usr/sbin/dhclient Please start the application to be profiled in another window and exercise its functionality now. Once completed, select the "Scan" option below in order to scan the system logs for AppArmor events. For each AppArmor event, you will be given the opportunity to choose whether the access should be allowed or denied. [(S)can system log for AppArmor events] / (F)inish
S
Reading log entries from /var/log/syslog. Profile: /usr/sbin/dhclient Execute: /usr/sbin/dhclient-script Severity: unknown (I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inishP
Should AppArmor sanitise the environment when switching profiles? Sanitising environment is more secure, but some applications depend on the presence of LD_PRELOAD or LD_LIBRARY_PATH. [(Y)es] / (N)oY
Writing updated profile for /usr/sbin/dhclient-script. WARNING: Ignoring exec event in /usr/sbin/dhclient//null-/usr/sbin/dhclient-script//null-/usr/bin/systemctl, nested profiles are not supported yet. Complain-mode changes: Profile: /usr/sbin/dhclient Capability: net_raw Severity: 8 [1 - capability net_raw,] (A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inishA
Adding capability net_raw, to profile. Profile: /usr/sbin/dhclient Capability: net_bind_service Severity: 8 [1 - include <abstractions/nis>] 2 - capability net_bind_service, (A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inishA
Adding include <abstractions/nis> to profile. Profile: /usr/sbin/dhclient Path: /etc/dhcp/dhclient.conf New Mode: owner r Severity: unknown [1 - owner /etc/dhcp/dhclient.conf r,] (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inishA
Adding owner /etc/dhcp/dhclient.conf r, to profile. Profile: /usr/sbin/dhclient Path: /var/lib/dhcp/dhclient.leases New Mode: owner rw Severity: unknown [1 - owner /var/lib/dhcp/dhclient.leases rw,] (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inishA
Adding owner /var/lib/dhcp/dhclient.leases rw, to profile. [..] Profile: /usr/sbin/dhclient-script Path: /usr/bin/dash New Mode: owner r Severity: unknown [1 - include <abstractions/gvfs-open>] 2 - include <abstractions/ubuntu-browsers.d/plugins-common> 3 - include <abstractions/xdg-open> 4 - owner /usr/bin/dash r, (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish2
Profile: /usr/sbin/dhclient-script Path: /usr/bin/dash New Mode: owner r Severity: unknown 1 - include <abstractions/gvfs-open> [2 - include <abstractions/ubuntu-browsers.d/plugins-common>] 3 - include <abstractions/xdg-open> 4 - owner /usr/bin/dash r, (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inishA
Adding include <abstractions/ubuntu-browsers.d/plugins-common> to profile. [..] Enforce-mode changes: = Changed Local Profiles = The following local profiles were changed. Would you like to save them? [1 - /usr/sbin/dhclient] 2 - /usr/sbin/dhclient-script (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)tS
Writing updated profile for /usr/sbin/dhclient. Writing updated profile for /usr/sbin/dhclient-script. Profiling: /usr/sbin/dhclient Please start the application to be profiled in another window and exercise its functionality now. Once completed, select the "Scan" option below in order to scan the system logs for AppArmor events. For each AppArmor event, you will be given the opportunity to choose whether the access should be allowed or denied. [(S)can system log for AppArmor events] / (F)inishF
Setting /usr/sbin/dhclient to enforce mode. Setting /usr/sbin/dhclient-script to enforce mode. Reloaded AppArmor profiles in enforce mode. Please consider contributing your new profile! See the following wiki page for more information: https://gitlab.com/apparmor/apparmor/wikis/Profiles Finished generating profile for /usr/sbin/dhclient.
أول حدث مكتشف هو تنفيذ برنامج آخر. في هذه الحالة، لديك عدة اختيارات: يمكنك تشغيل البرنامج باستخدام بروفايل العملية الأم (خيار الوراثة ”Inherit“)، أو يمكنك تنفيذه باستخدام بروفايل خاص (عبر خياري ”Profile“ و”Named“ اللذان يختلفان عن بعضهما بإمكانية استخدام اسم بروفايل عشوائي فقط)، أو يمكنك تشغيله باستخدام بروفايل فرعي من العملية الأم (خيار ”Child“)، أو يمكنك تشغيله دون أي بروفايل (خيار ”Unconfined“) أو يمكنك عدم السماح بتشغيله نهائياً (خيار ”Deny“).
لاحظ أنك إذا اخترت تشغيله باستخدام بروفايل مخصص غير موجود بعد، فسوف تنشئ الأداة البروفايل المفقود كما ستقترح قواعد وصول لذلك البروفايل في الاستدعاء نفسه.
| |
على مستوى النواة، قُسِّمت صلاحيات المستخدم الجذر إلى ”capabilities“ أو قدرات. إذا كانت إحدى نداءات النظام تحتاج لقدرة معينة، يتحقق AppArmor من أن البروفايل يسمح للبرنامج باستخدام هذه المقدرة.
| |
Here the program seeks read permissions for its configuration file /etc/dhcp/dhclient.conf .
| |
Here the program seeks read and write permissions to write the lease into /var/lib/dhcp/dhclient.leases .
| |
Notice that this access request is not part of the dhclient profile but of the new profile that we created when we allowed /usr/sbin/dhclient-script to run with its own profile.
aa-genprof detected that this permission was also granted by multiple “abstractions” and offers them as alternative choices. An abstraction provides a reusable set of access rules grouping together multiple resources that are commonly used together. In this specific case, we opted for selection “2” to first select the “#include <abstractions/ubuntu-browsers.d/plugins-common>” choice and then “A” to allow it.
بعد المرور على كل الأحداث المسجلة، يعرض عليك البرنامج حفظ البروفايلات التي أنشأتها أثناء العملية. في هذه الحالة، لدينا بروفايلين وقد حفظناهما معاً باستخدام ”Save“ (لكن يمكنك حفظهما بشكل إفرادي أيضاً) قبل الخروج من البرنامج باستخدام ”Finish“.
|
aa-genprof
ما هو إلا غلاف ذكي للأمر aa-logprof
: فهو ينشئ بروفايلاً فارغاً، ويحمله في وضع الشكوى ثم يستدعي aa-logprof
وهي عبارة عن أداة تحدث البروفايل اعتماداً على انتهاكات القواعد المسجلة. ويمكنك إعادة استدعاء تلك الأداة لاحقاً لتحسين البروفايل الذي أنشأته الآن.
/etc/apparmor.d/usr.sbin.dhclient
close to the profile shipped by apparmor-profiles in /usr/share/apparmor/extra-profiles/sbin.dhclient
.
/etc/apparmor.d/usr.sbin.dhclient-script
might be similar to /usr/share/apparmor/extra-profiles/sbin.dhclient
, shipped in apparmor-profiles too.