Getting started with AppArmor

  1. AppArmor | Hardening Two, June 13, 2016, Francesco Pira (fpira.com)
     App sandboxing that comes standard in Ubuntu Linux
  2. What it is
     • not a full MAC system in the SELinux sense: path-based, aimed at application sandboxing
     • confined processes stay confined even as root, but an attacker who reaches unconfined root can unload profiles or disable AppArmor outright
     • implemented as a Linux Security Module (LSM)
     • apparmor-utils: init scripts, log parser for learning mode, policy generator
  3. Development timeline
     • 1998: born at WireX (later Immunix) as SubDomain
     • 2005: Immunix bought by Novell, SubDomain renamed AppArmor
     • 2007: Novell stops development; Ubuntu 7.10 ships with AppArmor enabled anyway
     • 2009: Canonical takes over development, the project is reborn
     • 2016: still in development as an open-source project
  4. Features
     • enforce is not the default: a binary with no profile runs unconfined!
     • policy is split into profiles, one profile per executable path
     • profiles are plain text and can be edited by hand
     • all profiles under /etc/apparmor.d are loaded at boot, each in the mode (complain or enforce) it is set to
     • path-based access control (only for loaded profiles)
     • denials can be surfaced to the desktop user via aa-notify
  5. How it works
     • hooks the kernel's access checks through LSM
     • path-based profiles, stored in /etc/apparmor.d
     • each profile manages…
       • the paths the executable may access, and with which permissions
       • the Linux capabilities the executable may use
     • complain mode logs would-be denials without blocking them (…and then you learn a policy from the log)
     • again: enforce is not the default; no profile means unconfined!
  6. Out of the box
     • preinstalled and active since Ubuntu 7.10
     • shipped profiles load in enforce or complain mode; on a fresh Ubuntu 16.04 install every loaded profile is in enforce:

     root@vm1:/home/francesco# aa-status
     apparmor module is loaded.
     21 profiles are loaded.
     21 profiles are in enforce mode.
        /sbin/dhclient
        /usr/bin/evince
        /usr/bin/evince-previewer
        /usr/bin/evince-previewer//sanitized_helper
        /usr/bin/evince-thumbnailer
        /usr/bin/evince-thumbnailer//sanitized_helper
        /usr/bin/evince//sanitized_helper
        /usr/bin/ubuntu-core-launcher
        /usr/lib/NetworkManager/nm-dhcp-client.action
        /usr/lib/NetworkManager/nm-dhcp-helper
        /usr/lib/connman/scripts/dhclient-script
        /usr/lib/cups/backend/cups-pdf
        /usr/lib/lightdm/lightdm-guest-session
        /usr/lib/lightdm/lightdm-guest-session//chromium
        /usr/sbin/cups-browsed
        /usr/sbin/cupsd
        /usr/sbin/cupsd//third_party
        /usr/sbin/ippusbxd
        /usr/sbin/tcpdump
        webbrowser-app
        webbrowser-app//oxide_helper
     0 profiles are in complain mode.
     0 processes are unconfined but have a profile defined.

     (defaults in Ubuntu 16.04 right after installation)
  7. Installation
     • sudo apt-get install …
       • apparmor, the system itself
       • apparmor-utils, the management utilities (aa-status, aa-genprof, aa-logprof, …)
       • apparmor-profiles, additional profiles (check aa-status afterwards to see which mode each one loaded in)
       • (optional) apparmor-notify, desktop notification upon an attempted violation
       • auditd, not part of AppArmor but needed for /var/log/audit/audit.log; without it the same records land in the kernel log (kern.log/syslog)
  8. Usage
     • aa-status: see what is active and what is not
     • aa-genprof: scaffold a new, initially empty profile for a binary, exercise the binary, and build rules from what it did
     • aa-logprof: generate rules out of the log (learning mode)
       • e.g. aa-logprof -f /var/log/audit/audit.log
     • aa-complain: log without denying (aa-complain /etc/apparmor.d/profile.name)
     • aa-enforce: make the policy effective (aa-enforce /etc/apparmor.d/profile.name)
     • apparmor_parser -R /etc/apparmor.d/profile.name: unload the profile from the kernel (the binary runs unconfined until it is loaded again)
     • apparmor_parser -r /etc/apparmor.d/profile.name: load the profile, replacing the copy already in the kernel
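The learning step above (aa-logprof turning log records into rules), as an added example that is not part of the slides or of AppArmor's own tooling: a small Python script that parses audit records of the kind auditd writes for AppArmor, merges the requested permissions per profile and path, and prints candidate profile rules. Exec events are flagged instead of auto-granted, since choosing ix, Px or Ux is exactly the decision aa-logprof prompts you for. The log lines are constructed for this example; the field names follow the real AppArmor audit format, and the permission-letter handling (folding the log's "c" into a rule's "w") is this script's simplification.

```python
import re
from collections import defaultdict

# Constructed sample of AppArmor audit records in the format auditd writes to
# /var/log/audit/audit.log. ALLOWED records come from a profile in complain
# mode, DENIED from one in enforce mode; both mean "no rule covers this".
SAMPLE_LOG = """\
type=AVC msg=audit(1465800000.123:456): apparmor="ALLOWED" operation="open" profile="/usr/sbin/vsftpd" name="/etc/vsftpd.conf" pid=1234 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1465800000.124:457): apparmor="ALLOWED" operation="open" profile="/usr/sbin/vsftpd" name="/var/log/vsftpd.log" pid=1234 comm="vsftpd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1465800000.125:458): apparmor="ALLOWED" operation="open" profile="/usr/sbin/vsftpd" name="/var/log/vsftpd.log" pid=1234 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1465800000.126:459): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/vsftpd" pid=1234 comm="vsftpd" capability=21 capname="sys_admin"
type=AVC msg=audit(1465800000.127:460): apparmor="DENIED" operation="exec" profile="/usr/sbin/vsftpd" name="/bin/sh" pid=1235 comm="vsftpd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1465800000.128:461): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/vsftpd" pid=1300 comm="apparmor_parser"
"""

# key=value fields, quoted or bare
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Order in which permission letters are written in a rule. A "c" (create)
# in a log mask is granted by "w" in a rule, so it folds into "w"
# (simplification made by this example).
PERM_ORDER = "rwalkmx"
PERM_FOLD = {"c": "w"}


def parse_record(line):
    """Split one audit line into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def collect(log_text):
    """Group ALLOWED/DENIED events by profile, merging masks per path."""
    profiles = defaultdict(
        lambda: {"files": defaultdict(set), "caps": set(), "exec": set()}
    )
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue  # STATUS records describe profile loads, not missing rules
        prof = profiles[rec["profile"]]
        op = rec.get("operation")
        if op == "capable":
            prof["caps"].add(rec["capname"])
        elif op == "exec":
            prof["exec"].add(rec["name"])  # left for a human decision
        elif "name" in rec and "denied_mask" in rec:
            for letter in rec["denied_mask"]:
                prof["files"][rec["name"]].add(PERM_FOLD.get(letter, letter))
    return profiles


def render(profiles):
    """Render the collected events as AppArmor profile bodies; #includes
    and abstractions are left for the person finishing the profile."""
    out = []
    for name in sorted(profiles):
        p = profiles[name]
        out.append(f"{name} {{")
        for cap in sorted(p["caps"]):
            out.append(f"  capability {cap},")
        for path in sorted(p["files"]):
            mask = "".join(c for c in PERM_ORDER if c in p["files"][path])
            out.append(f"  {path} {mask},")
        for path in sorted(p["exec"]):
            out.append(f"  # {path} x   <- exec: choose ix, Px or Ux by hand")
        out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(collect(SAMPLE_LOG)))
```

Run it against a real file with `python3 mini_logprof.py < /var/log/audit/audit.log` after swapping SAMPLE_LOG for `sys.stdin.read()`; the point to notice is that the two records for /var/log/vsftpd.log merge into a single `rw` rule, while the /bin/sh exec is deliberately not turned into a rule.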
  9. Policy example (for vsftpd)

     #include <tunables/global>

     /usr/sbin/vsftpd {
       #include <abstractions/base>
       #include <abstractions/nameservice>
       #include <abstractions/authentication>

       /dev/urandom r,
       /etc/fstab r,
       /etc/hosts.allow r,
       /etc/hosts.deny r,
       /etc/mtab r,
       /etc/shells r,
       /etc/vsftpd.* r,
       /etc/vsftpd/* r,
       /usr/sbin/vsftpd rmix,
       /var/log/vsftpd.log w,
       /var/log/xferlog w,

       # anon chroots
       / r,
       /pub r,
       /pub/** r,
       @{HOMEDIRS} r,
       @{HOME}/** rwl,
     }

     Slide callouts: wildcards in paths, with the permissions next to each path; #include pulls in rules from other, pre-defined files (the abstractions); @{...} are variables from the tunables.
  10. Permissions
     • r read
     • w write
     • ux unconfined execute
     • Ux unconfined execute, scrubbing the environment
     • px discrete profile execute (the child runs under its own profile)
     • Px discrete profile execute, scrubbing the environment
     • ix inherit execute (the child keeps the parent's profile)
     • m allow PROT_EXEC with mmap calls
     • l link
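How the path rules and permission letters of the vsftpd profile above decide an access, as an added example that is neither from the slides nor from AppArmor's code: a Python model of AppArmor's file globbing (`*` and `?` stop at a `/`, `**` crosses directories, `{a,b}` alternates) and of its accumulation of permissions across every matching rule. The rules are the slide's own; the values of @{HOMEDIRS} and @{HOME} are assumed to be what tunables/home defines, and the collapsing of repeated slashes after variable expansion is an assumption about the parser, marked as such in the code.

```python
import re

# Variable values assumed for this example; on a real system they come from
# tunables/home, pulled in by the profile's #include <tunables/global>.
VARIABLES = {
    "HOMEDIRS": ["/home/"],
    "HOME": ["/home/*/", "/root/"],
}

# The path rules of the vsftpd profile on the slide (the #include'd
# abstractions are left out of this model).
VSFTPD_RULES = [
    ("/dev/urandom", "r"),
    ("/etc/shells", "r"),
    ("/etc/vsftpd.*", "r"),
    ("/etc/vsftpd/*", "r"),
    ("/usr/sbin/vsftpd", "rmix"),
    ("/var/log/vsftpd.log", "w"),
    ("/var/log/xferlog", "w"),
    ("/", "r"),
    ("/pub", "r"),
    ("/pub/**", "r"),
    ("@{HOMEDIRS}", "r"),
    ("@{HOME}/**", "rwl"),
]


def expand_variables(pattern, variables):
    """Expand @{VAR} references; a multi-valued variable yields one
    pattern per value."""
    m = re.search(r"@\{(\w+)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[: m.start()], pattern[m.end():]
    out = []
    for value in variables[m.group(1)]:
        out.extend(expand_variables(head + value + tail, variables))
    return out


def glob_to_regex(glob):
    """Translate AppArmor file globbing to a regex: '**' spans directory
    separators, '*' and '?' stop at '/', and {a,b} alternates."""
    out, depth, i = [], 0, 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        elif c in "[]":
            out.append(c)
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def compile_rules(rules, variables):
    compiled = []
    for glob, perms in rules:
        for expanded in expand_variables(glob, variables):
            # Assumption: repeated slashes produced by expansion
            # ("/home/*//**") collapse to a single one, as the parser does.
            expanded = re.sub(r"/+", "/", expanded)
            compiled.append((glob, re.compile(glob_to_regex(expanded)), set(perms)))
    return compiled


def allowed_perms(compiled, path):
    """Union of the permissions of every rule matching the path:
    AppArmor accumulates permissions across overlapping allow rules."""
    perms = set()
    for _glob, rx, rule_perms in compiled:
        if rx.match(path):
            perms |= rule_perms
    return perms


def check(compiled, path, requested):
    """Return (allowed, missing_letters) for a request mask like 'rw'."""
    missing = set(requested) - allowed_perms(compiled, path)
    return (not missing, missing)


VSFTPD_COMPILED = compile_rules(VSFTPD_RULES, VARIABLES)

if __name__ == "__main__":
    for path, req in [("/etc/vsftpd.conf", "r"), ("/etc/vsftpd/sub/x", "r"),
                      ("/pub/dir/file.txt", "r"), ("/pub/dir/file.txt", "w"),
                      ("/home/alice/upload.bin", "w"), ("/home/alice/upload.bin", "m"),
                      ("/var/log/vsftpd.log", "r")]:
        ok, missing = check(VSFTPD_COMPILED, path, req)
        verdict = "allowed" if ok else "DENIED, missing " + "".join(sorted(missing))
        print(f"{path} {req}: {verdict}")
```

Two outcomes worth noticing: /etc/vsftpd/sub/x is denied even though /etc/vsftpd/* looks permissive, because `*` never crosses a `/`; and reading /var/log/vsftpd.log is denied because the rule grants only `w`, which is the kind of gap the learning-mode log will surface the first time the daemon is run in enforce.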
  11. The good
     • friendly management tools
     • policies easy to maintain
     • learning mode: audit.log plus aa-logprof
     • integrates with audit; decent logs
     • integrates with Ubuntu system notifications
  12. The bad
     • basic enforcement (e.g. network rules are per address family and socket type; you can't limit access to a range of TCP ports)
     • useless once an attacker has unconfined root: profiles can be unloaded, AppArmor disabled or removed outright
     • no memory protection
     • buggy utilities (learning mode often not working)
  13. Resources
     • Official wiki (http://wiki.apparmor.net/)
     • Ubuntu wiki (https://wiki.ubuntu.com/AppArmor/)
     • Debian wiki (https://wiki.debian.org/AppArmor/HowToUse)
     • Arch Linux wiki (https://wiki.archlinux.org/index.php/AppArmor)
     • IRC: irc.oftc.net #apparmor
     • Mailing list (https://lists.ubuntu.com/mailman/listinfo/apparmor)
  14. Questions? Thank you!