/etc/apparmor.d/
y contienen una lista de reglas de control de acceso sobre los recursos que puede utilizar cada programa. Los perfiles se compilan y son cargados por el núcleo por la orden apparmor_parser
. Cada perfil se puede cargar bien en modo estrícto (enforcing) o bien en modo relajado (complaining). El modo estricto aplica las reglas y registra las tentativas de violación, mientras que en el modo relajado sólo se registran las llamadas al sistema que hubieran sido bloqueadas, pero no se bloquean realmente.
apt install apparmor apparmor-profiles apparmor-profiles-extra apparmor-utils
with root privileges.
aa-status
lo confirmará rápidamente:
#
aa-status
apparmor module is loaded. 40 profiles are loaded. 18 profiles are in enforce mode. /usr/bin/man [..] 22 profiles are in complain mode. [..] dnsmasq [..] 0 profiles are in kill mode. 0 profiles are in unconfined mode. 1 processes have profiles defined. 1 processes are in enforce mode. /usr/sbin/dhclient (473) /{,usr/}sbin/dhclient 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. 0 processes are in mixed mode. 0 processes are in kill mode.
aa-enforce
y aa-complain
, pasándoles como parámetro bien la ruta del ejecutable o la ruta del archivo de perfil. De igual manera se puede desactivar completamente un perfil mediante aa-disable
, o establecerlo en el modo de auditoría (de forma que registre incluso las llamadas del sistema aceptadas) mediante aa-audit
.
#
aa-enforce /usr/bin/pidgin
Setting /usr/bin/pidgin to enforce mode.
#
aa-complain /usr/sbin/dnsmasq
Setting /usr/sbin/dnsmasq to complain mode.
aa-unconfined
, que lista los programas que exponen al menos un zócalo de red (NT: ¿mejor puerto de red?) sin tener ningún perfil asociado. Con la opción --paranoid
se obtienen todos los procesos que tienen activa al menos una conexión de red y no están confinados.
#
aa-unconfined
473 /usr/sbin/dhclient confined by '/{,usr/}sbin/dhclient (enforce)' 521 /usr/sbin/sshd (sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups) not confined 1206 /usr/sbin/squid not confined 9931 /usr/bin/containerd not confined 11171 /usr/sbin/exim4 not confined
/sbin/dhclient
(there already is a profile shipped by apparmor-profiles, so you can compare your results to the official one). For this we will use aa-genprof dhclient
. It will invite you to use the application in another window and when done to come back to aa-genprof
to scan for AppArmor events in the system logs and convert those logs into access rules. For each logged event, it will make one or more rule suggestions that you can either approve or further edit in multiple ways:
#
aa-genprof dhclient
Updating AppArmor profiles in /etc/apparmor.d. Writing updated profile for /usr/sbin/dhclient. Setting /usr/sbin/dhclient to complain mode. Before you begin, you may wish to check if a profile already exists for the application you wish to confine. See the following wiki page for more information: https://gitlab.com/apparmor/apparmor/wikis/Profiles Profiling: /usr/sbin/dhclient Please start the application to be profiled in another window and exercise its functionality now. Once completed, select the "Scan" option below in order to scan the system logs for AppArmor events. For each AppArmor event, you will be given the opportunity to choose whether the access should be allowed or denied. [(S)can system log for AppArmor events] / (F)inish
S
Reading log entries from /var/log/syslog. Profile: /usr/sbin/dhclient Execute: /usr/sbin/dhclient-script Severity: unknown (I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inishP
Should AppArmor sanitise the environment when switching profiles? Sanitising environment is more secure, but some applications depend on the presence of LD_PRELOAD or LD_LIBRARY_PATH. [(Y)es] / (N)oY
Writing updated profile for /usr/sbin/dhclient-script. WARNING: Ignoring exec event in /usr/sbin/dhclient//null-/usr/sbin/dhclient-script//null-/usr/bin/systemctl, nested profiles are not supported yet. Complain-mode changes: Profile: /usr/sbin/dhclient Capability: net_raw Severity: 8 [1 - capability net_raw,] (A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inishA
Adding capability net_raw, to profile. Profile: /usr/sbin/dhclient Capability: net_bind_service Severity: 8 [1 - include <abstractions/nis>] 2 - capability net_bind_service, (A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inishA
Adding include <abstractions/nis> to profile. Profile: /usr/sbin/dhclient Path: /etc/dhcp/dhclient.conf New Mode: owner r Severity: unknown [1 - owner /etc/dhcp/dhclient.conf r,] (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inishA
Adding owner /etc/dhcp/dhclient.conf r, to profile. Profile: /usr/sbin/dhclient Path: /var/lib/dhcp/dhclient.leases New Mode: owner rw Severity: unknown [1 - owner /var/lib/dhcp/dhclient.leases rw,] (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inishA
Adding owner /var/lib/dhcp/dhclient.leases rw, to profile. [..] Profile: /usr/sbin/dhclient-script Path: /usr/bin/dash New Mode: owner r Severity: unknown [1 - include <abstractions/gvfs-open>] 2 - include <abstractions/ubuntu-browsers.d/plugins-common> 3 - include <abstractions/xdg-open> 4 - owner /usr/bin/dash r, (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish2
Profile: /usr/sbin/dhclient-script Path: /usr/bin/dash New Mode: owner r Severity: unknown 1 - include <abstractions/gvfs-open> [2 - include <abstractions/ubuntu-browsers.d/plugins-common>] 3 - include <abstractions/xdg-open> 4 - owner /usr/bin/dash r, (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inishA
Adding include <abstractions/ubuntu-browsers.d/plugins-common> to profile. [..] Enforce-mode changes: = Changed Local Profiles = The following local profiles were changed. Would you like to save them? [1 - /usr/sbin/dhclient] 2 - /usr/sbin/dhclient-script (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)tS
Writing updated profile for /usr/sbin/dhclient. Writing updated profile for /usr/sbin/dhclient-script. Profiling: /usr/sbin/dhclient Please start the application to be profiled in another window and exercise its functionality now. Once completed, select the "Scan" option below in order to scan the system logs for AppArmor events. For each AppArmor event, you will be given the opportunity to choose whether the access should be allowed or denied. [(S)can system log for AppArmor events] / (F)inishF
Setting /usr/sbin/dhclient to enforce mode. Setting /usr/sbin/dhclient-script to enforce mode. Reloaded AppArmor profiles in enforce mode. Please consider contributing your new profile! See the following wiki page for more information: https://gitlab.com/apparmor/apparmor/wikis/Profiles Finished generating profile for /usr/sbin/dhclient.
El primer evento detectado es la ejecución de otro programa. En este caso se ofrecen varias opciones: puede lanzar el programa con el perfil del programa padre (“Inherit”), con un perfil dedicado (“Profile” o “Name”, que sólo se diferencian por la posibilidad de elegir un nombre de perfil arbitrario), con un sub-perfil del proceso padre (“Child”), o bien puede lanzar sin nigún perfil (“Unconfined”). También puede impedir que el programa se ejecute (“Deny”).
Cuando se elije lanzar el proceso hijo con un perfil de dedicado que no exista aún, la herramienta creará el perfil que falta y propondrá sugerencias de reglas en la misma sesión de trabajo.
| |
A nivel del núcelo, los permisos especiales del usuario root se han separado en "capacidades" («capabilities»). Cuando una llamada del sistema requiere una capacidad específica, AppArmor verifica que el perfil permite al programa utilizar esta capacidad.
| |
Here the program seeks read permissions for its configuration file /etc/dhcp/dhclient.conf .
| |
Here the program seeks read and write permissions to write the lease into /var/lib/dhcp/dhclient.leases .
| |
Hay que tener en cuenta que este intento de acceso no forma parte del perfil dhclient, sino del nuevo perfil que hemos creado cuando hemos autorizado a /usr/sbin/dhclient-script para que funcione bajo el suyo propio.
aa-genprof detected that this permission was also granted by multiple “abstractions” and offers them as alternative choices. An abstraction provides a reusable set of access rules grouping together multiple resources that are commonly used together. In this specific case, we opted for selection “2” to first select the “#include <abstractions/ubuntu-browsers.d/plugins-common>” choice and then “A” to allow it.
Después de examinar todos los eventos registrados, el programa propone guardar todos los perfiles que se han creado durante la ejecución. En este caso tenemos dos perfiles que guardamos simultáneamente mediante «Save» antes de cerrar el programa con «Finish» (pero podríamos igualmente haberlos guardados individualmente).
|
aa-genprof
no es sino un pequeño script inteligente que utiliza aa-logprof
: crea un perfil vacío, lo carga en modo relajado y después ejecuta aa-logprof
. Esta última es una utilidad que actualiza un perfil en función de las violaciones que han sido registradas. Por lo tanto se puede volver a ejecutar esta herramienta para mejorar el perfil que se ha creado.
/etc/apparmor.d/usr.sbin.dhclient
close to the profile shipped by apparmor-profiles in /usr/share/apparmor/extra-profiles/sbin.dhclient
.
/etc/apparmor.d/usr.sbin.dhclient-script
might be similar to /usr/share/apparmor/extra-profiles/sbin.dhclient
, shipped in apparmor-profiles too.