
Re: What can AppArmor do?



On 5/18/2016 10:27 AM, Darac Marjal wrote:
> On Wed, May 18, 2016 at 09:23:34AM -0500, Richard Owlett wrote:
>> https://packages.debian.org/jessie/apparmor is uninformative.
>>
>> It says:
>> "This provides the system initialization scripts needed to use
>> the AppArmor Mandatory Access Control system, including the
>> AppArmor Parser which is required to convert AppArmor text
>> profiles into machine-readable policies that are loaded into
>> the kernel for use with the AppArmor Linux Security Module."
>>
>> There is a link to http://wiki.apparmor.net/index.php/Main_Page
>> which gives no hints!
>>
>> My application question.
>> 1. If BrowserA and BrowserB are installed, can AppArmor prevent
>> BrowserB from
>>   connecting to the internet independent of user permissions?
>> 2. Can AppArmor default to preventing *ALL* but specific
>> applications from
>>   connecting to the internet independent of user permissions?
>>
>> From that wiki page: "AppArmor security policies completely
>> define what system resources individual applications can access,
>> and with what privileges."

That statement reminds me of one of George Orwell's characters saying "It means whatever I want it to mean."



> "Network access" is, although not explicitly stated on that page,
> a system resource. So yes, you can prevent, say, an application
> called "firefox" from accessing the network entirely. Looking
> deeper, I see
> http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Network_rules
> which defines the network rules of AppArmor. It appears that you
> should be able to constrain said application to only connect to
> certain addresses.

The very first line of the page said "Don't trust me." [paraphrased ;] I was looking for descriptive information aimed at a general audience. I was looking for guidance on "suitability for intended use". A "No" to my narrowly stated question would have eliminated AppArmor. To actually want to use it is a wider question. I was hoping for a response from an actual user.


> Just a warning that you need to think carefully about the rules
> you implement. Can a user get around your rules by renaming
> "firefox" to "iceweasel"? If, instead, you put blanket rules in
> place check that you aren't blocking other networking functions
> (like X talking over the local network, for example). AppArmor
> does, however, have a "complain" mode where, rather than
> enforcing rules it will log violations to syslog. You can use
> this to guide your profile creation.

After initially reading your post, I found something that hinted that "blacklist all except explicit exceptions" would be possible. More reading required.

Thank you for your time.
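To make the two answers above concrete (a per-program network deny, and Darac's warning about rules that attach by executable name), here are two AppArmor profiles written for this thread as an added example. They are not from the original messages and not the AppArmor project's own policy. The paths are assumptions: BrowserA and BrowserB are taken to be installed as /usr/bin/browsera and /usr/bin/browserb (on jessie the real Firefox binary is /usr/lib/iceweasel/iceweasel), with their libraries and config under /usr/lib/<name> and /etc/<name>. Each profile lives in its own file under /etc/apparmor.d/, conventionally named after the path with "/" turned into ".".

```apparmor
# Added example, not from the thread or the AppArmor project.
# Assumed (hypothetical) install paths: /usr/bin/browsera, /usr/bin/browserb.

# ---- /etc/apparmor.d/usr.bin.browserb : BrowserB, no internet at all ----
#include <tunables/global>

/usr/bin/browserb {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # Refuse IPv4 and IPv6 sockets of every type (stream, dgram, raw, ...).
  # A deny rule beats any allow rule, including allows pulled in by an
  # #include, so an abstraction added later cannot quietly re-open the net.
  # Unix-domain sockets are left alone so the local X11 connection works.
  deny network inet,
  deny network inet6,

  # Inside a profile AppArmor is default-deny: anything not listed here is
  # refused (and logged), whatever the Unix permissions of the user say.
  /usr/bin/browserb mr,
  /usr/lib/browserb/** mr,
  /etc/browserb/** r,
  owner @{HOME}/.browserb/** rwk,
  owner @{HOME}/Downloads/** rw,
  /tmp/** rwk,
}

# ---- /etc/apparmor.d/usr.bin.browsera : BrowserA, the one browser let out ----
#include <tunables/global>

/usr/bin/browsera {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>
  # DNS lookups (this abstraction also grants inet sockets of its own).
  #include <abstractions/nameservice>

  # Explicit grants, limited to TCP and UDP over IPv4 and IPv6.
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,

  /usr/bin/browsera mr,
  /usr/lib/browsera/** mr,
  /etc/browsera/** r,
  owner @{HOME}/.browsera/** rwk,
  owner @{HOME}/Downloads/** rw,
  /tmp/** rwk,
}
```

Loading and testing: `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.browserb` loads (or replaces) the profile; `sudo aa-complain /usr/bin/browserb` (from apparmor-utils) switches it to the complain mode Darac mentions, after which running the program produces `apparmor="ALLOWED"` lines in syslog/dmesg for every access the profile would have refused, each naming the profile, the operation and, for sockets, the `family=` and `sock_type=`. Once the log is quiet, `sudo aa-enforce /usr/bin/browserb` turns refusals on; `sudo aa-status` shows which profiles are loaded and in which mode, and on jessie it will also tell you if AppArmor is not enabled at all (it needs `apparmor=1 security=apparmor` on the kernel command line there).

Three checks worth doing before trusting this. First, socket rules only do anything if the running kernel mediates them: look for a `/sys/kernel/security/apparmor/features/network` directory; if it is absent, the network rules above are accepted by the parser but never enforced. Second, the profile attaches to the executable path in its header, so a copy of the binary under another path (or a program that has no profile at all) runs unconfined. That is Darac's renaming point, and it is also the honest answer to question 2: AppArmor has no "default deny for everything without a profile", so "all but specific applications" means giving a profile to every program you want kept off the network. Third, the rules here are per address family; the finer per-address syntax in the policy reference is not something I would count on the jessie (AppArmor 2.9) parser accepting, so run `apparmor_parser -Q` on any such rule to see whether it even parses before relying on it.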



