Paranoid Penguin - AppArmor in Ubuntu 9

Psst! Your Ubuntu system has been secretly hardened with AppArmor!

Happily, if I run spaztacle.sh again, it still works. But, is AppArmor doing anything? I can make sure the new profile is loaded with this command:

bash-$ sudo aa-status

Here's part of its output:

apparmor module is loaded.
26 profiles are loaded.
13 profiles are in enforce mode.
   /usr/sbin/clamd
   /usr/sbin/cupsd
   /usr/bin/spaztacle.sh
[...]

Great! The spaztacle.sh profile is loaded in enforce mode. Besides showing what profiles are loaded and in what mode, aa-status also lists which processes are being protected actively. Because spaztacle.sh isn't actually running at the moment, it doesn't turn up in aa-status' output as an active process, but that's okay—normally you'd expect server dæmons, not commands per se, to turn up in that part of aa-status' output.

There's just one more test we'll do to see if AppArmor is doing its job. The more astute among you may have noticed that there's a glaring flaw in my little shell script (Listing 1). Because I didn't contain $1 in quotation marks, it's possible for a mischievous user to execute spaztacle.sh like this:

bash-$ spaztacle.sh "tarfile.tar /etc/apparmor.d/"

When the tar command in spaztacle expands the command input, it will correctly interpret tarfile.tar as the target file, but will include not only /var/spaetzle but also /etc/apparmor.d/ in the tar archive! On the one hand, local file permissions still apply. This works only if users in question have read access to /etc/apparmor.d, which means that although they're tricking spaztacle.sh, they aren't copying anything they'd otherwise be unable to get at.

But on the other hand, this is unexpected behavior for my unfortunate script. I don't want users to be able to include arbitrary directories in their authorized backups of /var/spaetzle.

So I'm glad to see that if I actually try running spaztacle.sh that way with my new AppArmor profile in enforce mode, this is the result:

tar: /etc/apparmor.d: Cannot open: Permission denied
tar: Error exit delayed from previous errors

The following message also has been written to /var/log/messages:

Jun 16 01:17:43 micksbox kernel: [57354.414567] type=1503
audit(1245133063.520:1004): operation="inode_permission"
requested_mask="::r" denied_mask="::r" 
fsuid=1000 name="/etc/apparmor.d/"
pid=28019 profile="/usr/bin/spaztacle.sh"

Success! AppArmor has correctly identified bad behavior on spaztacle.sh's part. And, the intended tar file (tarfile.tar) not only was created, it also contains the backup of /var/spaetzle that I did want the user to be able to create—only the unexpected part of spaztacle.sh's activity was blocked. Success indeed!

Conclusion

Using genprof may seem a little involved, but the man pages for genprof, logprof and apparmor.d explain most of what you need to know. The tutorials listed in Resources should be helpful too. I hope I've covered enough here to get you started using AppArmor on your own Ubuntu system!

Mick Bauer (darth.elmo@wiremonkeys.org) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Ubuntu 9.10, soon to be

Anonymous's picture

Ubuntu 9.10, soon to be released, has even more profiles. See:
https://wiki.ubuntu.com/KarmicKoala/TechnicalOverview#GNOME
https://wiki.ubuntu.com/KarmicKoala/TechnicalOverview#AppArmor

It should also be noted that the Ubuntu kernel team has put a lot of effort into getting AppArmor into the upstream kernel. See http://thread.gmane.org/gmane.linux.kernel.lsm/9493 for details. IMO, the future of AppArmor has never looked better.

I switched from Suse because

Tinker's picture

I switched from Suse because of their policy of messing with my system, I avoided distro's that implemented SELinux without my permission. I noticed the stealth introduction of AppArmor which I do not want and the fact there is no documentation of how to disable it. Is there any Linux distro left that allows me freedom of choice?

Disabling AppArmor is

John Johansen's picture

Disabling AppArmor is documented here

Sorry for the bad link, See

John Johansen's picture

Sorry for the bad link,

See https://help.ubuntu.com/community/AppArmor#Disable%20AppArmor%20framework for details on how to disable AppArmor.

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState