AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
AppArmor
App sandboxing comes standard in Ubuntu Linux
What it is
• it’s not a proper MAC tool
• just meant for app sandboxing
• can’t defend against root privilege escalation
• an LSM module
• apparmor-utils
• init scripts, log parser for learning mode, policy generator
Development timeline
• 1998 born at WireX as SubDomain
• 2005 bought by Novell and renamed AppArmor
• 2007 Novell stops development
• Ubuntu 7.10 released!
• 2009 Canonical takes over from Novell; the project is reborn
• 2016 still in development as an open-source project
Features
• enforce is not the default: no policy means unconfined!
• policy split into profiles: one profile per executable
• policy can be edited by hand in a text editor
• loads all profiles at startup (both complain and enforce)
• path-based ACL (for loaded profiles)
• notifications to the user via aa-notify
How it works
• uses LSM
• path-based profiles (saved in /etc/apparmor.d)
• each profile manages…
• accessible paths (permissions)
• system capabilities the executable has
• complain mode to log (…and then learn)
• again: enforce is not the default. no policy means unconfined!
Out of the box
• Comes preinstalled and active since Ubuntu 7.10
• By default some profiles are already in enforce mode, others in complain
root@vm1:/home/francesco# aa-status
apparmor module is loaded.
21 profiles are loaded.
21 profiles are in enforce mode.
/sbin/dhclient
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince-thumbnailer//sanitized_helper
/usr/bin/evince//sanitized_helper
/usr/bin/ubuntu-core-launcher
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/lightdm/lightdm-guest-session
/usr/lib/lightdm/lightdm-guest-session//chromium
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/ippusbxd
/usr/sbin/tcpdump
webbrowser-app
webbrowser-app//oxide_helper
0 profiles are in complain mode.
0 processes are unconfined but have a profile defined.
(defaults in Ubuntu 16.04 after installation)
Installation
• sudo apt-get install …
• apparmor, the system itself
• apparmor-utils, management utilities
• apparmor-profiles, for additional profiles
• (optional) apparmor-notify, to get a desktop notification upon an attempted violation
• auditd, not part of AppArmor but needed for the logs
Usage
• aa-status to see what’s active and what’s not
• aa-genprof to scaffold an (empty) profile
• aa-logprof to generate policy out of the log (learning mode)
• (e.g.) aa-logprof -f /var/log/audit/audit.log
• aa-complain to log without denying (aa-complain /etc/apparmor.d/profile.name)
• aa-enforce to make the policy effective (aa-enforce /etc/apparmor.d/profile.name)
• apparmor_parser -R /etc/apparmor.d/profile.name to unload (ignore) a profile
• apparmor_parser -r /etc/apparmor.d/profile.name to reload it
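What aa-logprof does with the audit log, as an added example that is not from the slides or the AppArmor project: each AppArmor audit record carries the profile, the path and the requested_mask, and merging those per path gives the candidate rule lines for the profile. The log records below are constructed; only the field layout is the one auditd writes.

```python
import re
from collections import defaultdict

# Constructed sample of auditd records (format of /var/log/audit/audit.log);
# the values are invented, not from a real machine.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1465800000.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/vsftpd" name="/etc/vsftpd.conf" pid=1201 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1465800000.102:202): apparmor="DENIED" operation="open" profile="/usr/sbin/vsftpd" name="/var/log/vsftpd.log" pid=1201 comm="vsftpd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1465800000.103:203): apparmor="ALLOWED" operation="open" profile="/usr/sbin/vsftpd" name="/etc/hosts.allow" pid=1201 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1465800000.104:204): apparmor="DENIED" operation="open" profile="/usr/sbin/vsftpd" name="/var/log/vsftpd.log" pid=1201 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1465800000.105:205): apparmor="DENIED" operation="capable" profile="/usr/sbin/vsftpd" pid=1201 comm="vsftpd" capability=10  capname="net_bind_service"
type=SYSCALL msg=audit(1465800000.105:205): arch=c000003e syscall=49 success=no exit=-13
"""

KV_RE = re.compile(r'(\w+)="?([^"\s]*)"?')
# Letters seen in requested_mask and the rule permission that covers them:
# 'w' in a rule already implies append, create and delete.
MASK_TO_RULE = {"r": "r", "w": "w", "a": "w", "c": "w", "d": "w", "l": "l", "m": "m", "k": "k"}
PERM_ORDER = "rwlkm"

def parse_audit_line(line):
    """Split one audit record into a dict of its key=value fields."""
    return dict(KV_RE.findall(line))

def suggest_rules(log_text):
    """Aggregate logged accesses into rule lines, grouped by profile.

    apparmor="DENIED" comes from enforce mode, apparmor="ALLOWED" from
    complain mode (permitted, but logged because no rule matched); both
    mean the profile lacks a rule for that access."""
    file_perms = defaultdict(set)  # (profile, path) -> rule letters
    caps = set()                    # (profile, capability name)
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        if ev.get("operation") == "capable":
            caps.add((ev["profile"], ev["capname"]))
        elif "name" in ev and "requested_mask" in ev:
            letters = {MASK_TO_RULE[c] for c in ev["requested_mask"] if c in MASK_TO_RULE}
            file_perms[(ev["profile"], ev["name"])] |= letters
    rules = defaultdict(list)
    for (profile, path), perms in sorted(file_perms.items()):
        rules[profile].append(f"  {path} {''.join(p for p in PERM_ORDER if p in perms)},")
    for profile, capname in sorted(caps):
        rules[profile].append(f"  capability {capname},")
    return dict(rules)
```

Unlike aa-logprof, this does not offer to generalise paths into globs or to pick an abstraction; it only shows the aggregation step behind the prompts.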
Policy example (for vsftpd)
#include <tunables/global>
/usr/sbin/vsftpd {
  # rules pulled in from other pre-defined files
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/authentication>
  # each line is a path followed by its permissions; * and ** are wildcards
  /dev/urandom r,
  /etc/fstab r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/mtab r,
  /etc/shells r,
  /etc/vsftpd.* r,
  /etc/vsftpd/* r,
  /usr/sbin/vsftpd rmix,
  /var/log/vsftpd.log w,
  /var/log/xferlog w,
  # anon chroots
  / r,
  /pub r,
  /pub/** r,
  # @{HOMEDIRS} and @{HOME} are variables defined via tunables/global
  @{HOMEDIRS} r,
  @{HOME}/** rwl,
}
Callouts: wildcards; path and its permissions; including rules from other pre-defined files
Permissions
• r read
• w write
• ux unconfined execute
• Ux unconfined execute - scrub environment
• px discrete profile execute
• Px discrete profile execute - scrub environment
• ix inherit execute
• m allow PROT_EXEC with mmap calls
• l link
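To show how the profile's path rules, wildcards and #include lines (previous slide) combine with the permission letters above, here is an added Python model of the matching, not code from the slides or from AppArmor itself. It assumes a constructed stand-in for the include files, collapses the doubled slashes that variable expansion produces the way apparmor_parser does, and returns allowed for an executable with no loaded profile, which is the "no policy means unconfined" point.

```python
import re
# Constructed stand-ins for the "#include <...>" files (the real ones under
# /etc/apparmor.d/ are far longer) and a cut-down copy of the slide's profile.
INCLUDES = {
    "tunables/global": "@{HOMEDIRS}=/home/\n@{HOME}=@{HOMEDIRS}*/ /root/\n",
    "abstractions/base": "/etc/ld.so.cache r,\n/lib/**.so* mr,\n",
}
VSFTPD_PROFILE = """\
#include <tunables/global>
/usr/sbin/vsftpd {
  #include <abstractions/base>
  /etc/vsftpd.* r,
  /var/log/vsftpd.log w,
  @{HOME}/** rwl,
}
"""

def expand(s, variables):
    # Expand @{VAR}; a multi-valued variable yields one string per value.
    m = re.search(r"@\{(\w+)\}", s)
    return [s] if not m else [r for v in variables[m.group(1)]
                               for r in expand(s[:m.start()] + v + s[m.end():], variables)]

def glob_to_regex(glob):
    # AppArmor globbing: '*' and '?' stop at '/', '**' crosses directories.
    tr = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", re.sub(r"/{2,}", "/", glob))
    return re.compile("".join(tr.get(p, re.escape(p)) for p in parts) + r"\Z")

def load_profile(text, includes, state=None):
    # Return (executable, rules); rules is a list of (path_glob, set_of_perms).
    st, exe = state or {"vars": {}, "rules": []}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"#include\s*<([^>]+)>", line):
            load_profile(includes[m.group(1)], includes, st)   # splice the file in place
        elif m := re.match(r"@\{(\w+)\}=(.*)", line):
            st["vars"][m.group(1)] = [r for v in m.group(2).split() for r in expand(v, st["vars"])]
        elif line.endswith("{"):
            exe = line[:-1].strip()
        elif line.endswith(",") and not line.startswith("#"):
            path, perms = line[:-1].rsplit(None, 1)
            st["rules"].extend((p, set(perms)) for p in expand(path, st["vars"]))
    return exe, st["rules"]

def is_allowed(profiles, exe, path, wanted):
    # No loaded profile means unconfined: everything is allowed.
    if exe not in profiles:
        return True
    granted = set().union(*(p for g, p in profiles[exe] if glob_to_regex(g).match(path)))
    return set(wanted) <= granted   # permissions of all matching rules are unioned
```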
The good
• friendly management tools
• policies easy to maintain
• using audit.log and aa-logprof
• integrates with audit
• decent logs
• integrates with Ubuntu system notifications
The bad
• basic enforcement (e.g. can’t limit access to a range of TCP ports)
• useless against root privilege escalation (it can be disabled or removed!)
• no memory protection
• buggy utilities (learning mode often not working)
Resources
• Official wiki (wiki.apparmor.net/)
• Ubuntu wiki (wiki.ubuntu.com/AppArmor/)
• Debian wiki (https://wiki.debian.org/AppArmor/HowToUse)
• Arch Linux wiki (https://wiki.archlinux.org/index.php/AppArmor)
• irc.oftc.net #apparmor
• Mailing list (https://lists.ubuntu.com/mailman/listinfo/apparmor)
Questions?
Thank you!