Create a Profile in AppArmor

You will need to know how to create profiles, because even in Ubuntu 8.04 Hardy Heron the only profile running by default is the one for CUPS printing. Since AppArmor offers virtually no security out of the box, you have to create the profiles yourself. For an article on the Ubuntu 8.04 Server and AppArmor, click here.


The aa-genprof command is used to create a new profile. From a terminal, as root (or with sudo), run aa-genprof on the executable you want to confine:

sudo aa-genprof executable

The man page has more information: man aa-genprof.

When you choose a program to create an AppArmor profile for, you will find that some of them are restricted, apparently for your own good. For example, if you try to create a profile for ls you will find that you are not able to:


# sudo aa-genprof /bin/ls

/bin/ls is currently marked as a program that should not have it's own profile. Usually, programs are
marked this way if creating a profile for them is likely to break the rest of the system. If you know what
you're doing and are certain you want to create a profile for this program, edit the corresponding entry
in the [qualifiers] section in /etc/apparmor/logprof.conf.

Here is an example of creating a profile for SSH. Note that even when Ubuntu is using AppArmor you will see strong ties to SUSE: when you create a profile it will ask if you want to access the profile repository that SUSE maintains. It is interesting to see the list of AppArmor profiles uploaded by Ubuntu users, and this site allows you to share your profile with others. You will be asked to use the application that you are creating the profile for in a separate terminal or window. As you create the profile it will ask you to scan the system log for the AppArmor events recorded while you used the application, in this case SSH. This scan tries to determine the resources and access that the application needs. Once you have answered all of the questions, choose finish to complete the profile. The profile is created in complain mode so that it does not shut down an important application.


# aa-genprof ssh

Repository: http://apparmor.test.opensuse.org/backend/api

Would you like to enable access to the profile repository?

(E)nable Repository / (D)isable Repository / Ask Me (L)ater
Connecting to repository.....
Writing updated profile for /usr/bin/ssh.
Setting /usr/bin/ssh to complain mode.

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" button below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

Profiling: /usr/bin/ssh

[(S)can system log for SubDomain events] / (F)inish
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:

Profile: /usr/bin/ssh
Path: /dev/tty
Mode: rw
Severity: 9

1 - #include <abstractions/consoles>
[2 - /dev/tty]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /dev/tty rw to profile.

Profile: /usr/bin/ssh
Path: /etc/host.conf
Mode: r
Severity: unknown

1 - #include <abstractions/nameservice>
[2 - /etc/host.conf]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /etc/host.conf r to profile.

Profile: /usr/bin/ssh
Path: /etc/hosts
Mode: r
Severity: unknown

1 - #include <abstractions/nameservice>
[2 - /etc/hosts]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /etc/hosts r to profile.

Profile: /usr/bin/ssh
Path: /etc/nsswitch.conf
Mode: r
Severity: unknown

1 - #include <abstractions/nameservice>
[2 - /etc/nsswitch.conf]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /etc/nsswitch.conf r to profile.

Profile: /usr/bin/ssh
Path: /etc/passwd
Mode: r
Severity: 4

1 - #include <abstractions/nameservice>
[2 - /etc/passwd]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /etc/passwd r to profile.

Profile: /usr/bin/ssh
Path: /etc/resolv.conf
Mode: r
Severity: 2

1 - #include <abstractions/nameservice>
[2 - /etc/resolv.conf]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /etc/resolv.conf r to profile.

Profile: /usr/bin/ssh
Path: /etc/services
Mode: r
Severity: unknown

1 - #include <abstractions/nameservice>
[2 - /etc/services]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /etc/services r to profile.

Profile: /usr/bin/ssh
Path: /etc/ssh/ssh_config
Mode: r
Severity: 3

[1 - /etc/ssh/ssh_config]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /etc/ssh/ssh_config r to profile.

Profile: /usr/bin/ssh
Path: /home/mike/.ssh/known_hosts
Mode: r
Severity: 7

1 - /home/mike/.ssh/known_hosts
[2 - /home/*/.ssh/known_hosts]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /home/*/.ssh/known_hosts r to profile.

Profile: /usr/bin/ssh
Path: /tmp/ssh-wLiivg5356/agent.5356
Mode: w
Severity: unknown

1 - #include <abstractions/gnome>
2 - #include <abstractions/kde>
3 - #include <abstractions/user-tmp>
[4 - /tmp/ssh-wLiivg5356/agent.5356]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /tmp/ssh-wLiivg5356/agent.5356 w to profile.

Profile: /usr/bin/ssh
Path: /var/run/avahi-daemon/socket
Mode: w
Severity: unknown

1 - #include <abstractions/nameservice>
[2 - /var/run/avahi-daemon/socket]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /var/run/avahi-daemon/socket w to profile.

Profile: /usr/bin/ssh
Network Family: inet
Socket Type: dgram

[1 - #include <abstractions/nameservice>]
2 - network inet dgram

[(A)llow] / (D)eny / Abo(r)t / (F)inish
Adding #include <abstractions/nameservice> to profile.
Deleted 7 previous matching profile entries.

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

[1 - /usr/bin/ssh]

(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /usr/bin/ssh.

Repository: http://apparmor.test.opensuse.org/backend/api

Would you like to upload newly created and changed profiles to
the profile repository?

(Y)es / (N)o / Ask Me (L)ater

Profiling: /usr/bin/ssh

[(S)can system log for SubDomain events] / (F)inish
FINISHING
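The "(S)can system log" step in the session above is worth understanding, because it is where every rule in the profile comes from: the kernel logs one event per access that the confined program made, and aa-genprof groups those events into distinct path and access-mask pairs before asking you about each one. The script below is an added illustration, not part of the original article and not AppArmor's own code. It does that grouping over a few constructed log lines, written in the audit-style format that current AppArmor releases emit (the 2007 session above read an older format from /var/log/messages); the paths, PIDs and timestamps in the sample are made up to match the session.

```shell
#!/bin/sh
# Added example, not part of the original article or of AppArmor's own tools.
# It reproduces, in miniature, what the "(S)can system log" step does: read the
# AppArmor events the kernel logged while the program ran in complain mode and
# reduce them to the distinct (path, access mask) pairs that aa-genprof then
# asks about one by one.
#
# The log lines below are CONSTRUCTED for this example. "ALLOWED" marks a
# complain-mode event (the access went ahead but was recorded); "DENIED" is an
# enforce-mode refusal. The cupsd line shows that events from other profiles
# are filtered out when profiling ssh.

SAMPLE_LOG='
Oct 26 15:17:02 host kernel: audit: type=1400 audit(1193426222.001:10): apparmor="ALLOWED" operation="open" profile="/usr/bin/ssh" name="/etc/ssh/ssh_config" pid=5356 comm="ssh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 26 15:17:02 host kernel: audit: type=1400 audit(1193426222.002:11): apparmor="ALLOWED" operation="open" profile="/usr/bin/ssh" name="/home/mike/.ssh/known_hosts" pid=5356 comm="ssh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Oct 26 15:17:02 host kernel: audit: type=1400 audit(1193426222.003:12): apparmor="ALLOWED" operation="open" profile="/usr/bin/ssh" name="/dev/tty" pid=5356 comm="ssh" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
Oct 26 15:17:03 host kernel: audit: type=1400 audit(1193426222.004:13): apparmor="ALLOWED" operation="open" profile="/usr/bin/ssh" name="/etc/ssh/ssh_config" pid=5356 comm="ssh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 26 15:17:03 host kernel: audit: type=1400 audit(1193426222.005:14): apparmor="ALLOWED" operation="connect" profile="/usr/bin/ssh" name="/tmp/ssh-wLiivg5356/agent.5356" pid=5356 comm="ssh" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Oct 26 15:17:03 host kernel: audit: type=1400 audit(1193426222.006:15): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/printers.conf" pid=901 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'

# Print "PATH MASK" once per distinct pair for one profile, sorted.
# Usage: summarize_events /usr/bin/ssh
summarize_events() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep -F "profile=\"$1\"" \
        | sed -n 's/.*name="\([^"]*\)".*requested_mask="\([^"]*\)".*/\1 \2/p' \
        | sort -u
}

# Same pairs with the number of events behind each one: a pair seen once is
# often a one-off (a single session's agent socket), a pair seen constantly
# is something the program genuinely needs.
event_counts() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep -F "profile=\"$1\"" \
        | sed -n 's/.*name="\([^"]*\)".*requested_mask="\([^"]*\)".*/\1 \2/p' \
        | sort | uniq -c | sed 's/^ *//'
}

# Turn the summary into rule lines in the syntax the generated profile uses.
to_rules() {
    summarize_events "$1" | while read -r path mask; do
        printf '  %s %s,\n' "$path" "$mask"
    done
}

echo "== events for /usr/bin/ssh =="; event_counts /usr/bin/ssh
echo "== candidate rules =="; to_rules /usr/bin/ssh
```

The candidate rules it prints are exactly the literal paths aa-genprof offered in the session above, before you chose an abstraction or a glob for them; the interactive part of the tool is the mapping from these raw pairs to a rule you are willing to keep.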

Once it is finished, the completed profile can be found in the /etc/apparmor.d directory. Here is the actual profile:

# Last Modified: Fri Oct 26 15:18:18 2007
#include <tunables/global>
/usr/bin/ssh flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  /dev/tty rw,
  /etc/ssh/ssh_config r,
  /home/*/.ssh/known_hosts r,
  /tmp/ssh-wLiivg5356/agent.5356 w,
  /usr/bin/ssh mr,
}

The profile is created in complain mode, but that can be changed once you are sure the application works correctly under it.

You can change the mode to enforce with this command:

# sudo aa-enforce /usr/bin/ssh

As you review the profile you see that /dev/tty can be read and written, the ssh_config file can only be read, the known_hosts file can only be read, and the ssh agent socket has write access. The executable itself can only be read and memory-mapped (mr). These rights maintain the integrity of the program.
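The review just described can also be done mechanically, which is worth doing before switching to enforce mode. One rule in the generated profile deserves attention: the agent socket path /tmp/ssh-wLiivg5356/agent.5356 contains the PID of the one ssh session that was profiled, so it will not match the next session and, in enforce mode, that access would be denied. The session above offered a (G)lob choice at that prompt for exactly this reason. The script below is an added example, not part of the original article and not AppArmor's own tooling. GENERATED is the profile exactly as shown above; HARDENED is an assumption of what choosing (G)lob for the agent socket and then enforcing would produce, not something the article shows.

```shell
#!/bin/sh
# Added example, not part of the original article. It reviews the generated
# profile the way the paragraph above does, but mechanically: list each path
# rule with its access mode, single out the write rules, and flag literal
# paths that embed a PID or random session suffix. Such a rule only matches
# the one ssh run that was profiled; the next run gets a different
# /tmp/ssh-XXXX/agent.PID socket, and in enforce mode that access is denied.
#
# GENERATED is the profile as the article shows it. HARDENED is an ASSUMED
# result of choosing (G)lob for the agent socket and dropping the complain
# flag; the article does not show it.

GENERATED='# Last Modified: Fri Oct 26 15:18:18 2007
#include <tunables/global>
/usr/bin/ssh flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  /dev/tty rw,
  /etc/ssh/ssh_config r,
  /home/*/.ssh/known_hosts r,
  /tmp/ssh-wLiivg5356/agent.5356 w,
  /usr/bin/ssh mr,
}'

HARDENED='#include <tunables/global>
/usr/bin/ssh {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  /dev/tty rw,
  /etc/ssh/ssh_config r,
  /home/*/.ssh/known_hosts r,
  /tmp/ssh-*/agent.* w,
  /usr/bin/ssh mr,
}'

# Read a profile on stdin; print "PATH MODE" for every file rule
# (a line of the form "/path mode," optionally indented).
path_rules() {
    sed -n 's|^[[:space:]]*\(/[^[:space:]]*\)[[:space:]]\{1,\}\([a-zA-Z]\{1,\}\),$|\1 \2|p'
}

# Rules whose literal path carries a long digit run and no glob: almost
# always a PID or temp-file suffix that will differ on the next run.
ephemeral_rules() {
    path_rules | grep -E '[0-9]{4,}' | grep -v '\*' || true
}

# Rules that grant write or execute access; these deserve a second look.
write_rules() {
    path_rules | awk '$2 ~ /[wx]/'
}

# Print a short review of the profile text passed as $1.
review() {
    echo "rules:"
    printf '%s\n' "$1" | path_rules | sed 's/^/  /'
    echo "write or execute access:"
    printf '%s\n' "$1" | write_rules | sed 's/^/  /'
    bad=$(printf '%s\n' "$1" | ephemeral_rules)
    if [ -n "$bad" ]; then
        echo "session-bound literal path(s); glob before enforcing:"
        echo "$bad" | sed 's/^/  /'
    else
        echo "no session-bound literal paths"
    fi
}

echo "== generated =="; review "$GENERATED"
echo "== hardened =="; review "$HARDENED"
```

On a real host the edited profile lives in /etc/apparmor.d (the file for /usr/bin/ssh is conventionally named usr.bin.ssh); after editing it by hand, reload it with apparmor_parser -r and then switch modes with aa-enforce as the article shows. If the program is used again after the first scan, aa-logprof re-reads the log and offers only the events not yet covered, which is the usual way to catch a path like the agent socket before enforcing.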


Copyright CyberMontana Inc. and BeginLinux.com
All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874