Thursday, October 4, 2012

More AppArmor Profiles For Ubuntu 12.04

Following up on my previous two posts, where I provided complete profiles for Firefox and Google Chrome (as well as peripheral things like totem, transmission, mplayer and the OpenJDK plugin), in this post I provide profiles for Pidgin and XChat.


The goal of AppArmor, as described by its original developer Crispin Cowan, is a hybrid whitelist and blacklist approach.  Rather than locking down every single process on the box with complex profiles, you confine only the network-facing processes: the list of confined programs is the blacklist, while each profile is a whitelist in which anything not explicitly granted is denied.  The ultimate aim is to force any remote attacker to go through an AppArmor profile to compromise the box, so an AppArmor user should have a profile in place for every application that will ever touch the network.

No MAC system can fully protect against kernel exploits, since the policy is enforced by the same kernel that is being attacked, but a tight profile can make an attacker's job much more difficult (if not impossible in some cases).  Kernel exploits, for all the hype they get, are only exploitable if the attacker can reach the vulnerable code in the first place: a bug in a filesystem or socket family that the profile never lets the process open is out of reach.

The first app worth profiling is Pidgin.  I prefer Pidgin over the default Empathy for a number of reasons, and I think I am not alone in that regard.

This profile has full functionality.  It lets you open links in a browser (either Firefox or Chrome); the xdg-open child profile hands off with Px, so the browser transitions to its own profile, which also means the Firefox and Chrome profiles from the earlier posts must be loaded or that exec will be denied.  I haven't tested file transfers, so you may need to add a rule for the directory where received files are saved (within $HOME the profile only grants write access under ~/.purple and a handful of dot-files).  Note also that the xdg-open child profile carries a couple of rules broader than xdg-open itself needs, such as rwk on the Firefox profile's *.sqlite files; trim them if you don't use Firefox.  In any case, here is the profile:

Name: usr.bin.pidgin
Directory: /etc/apparmor.d/


# Last Modified: Thu Sep 27 23:40:46 2012
#include <tunables/global>

/usr/bin/pidgin {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/dbus-session>
  #include <abstractions/fonts>

  network inet dgram,
  network inet stream,
  network inet6 stream,

  /bin/dash r,

  /etc/gai.conf r,
  /etc/host.conf r,
  /etc/hosts r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/resolv.conf r,
  /etc/ssl/certs/ r,

  /home/*/.ICEauthority r,
  /home/*/.Xauthority r,
  /home/*/.cache/dconf/user rw,
  /home/*/.config/dconf/user r,
  /home/*/.config/enchant/ r,
  /home/*/.config/enchant/*.dic rwk,
  /home/*/.config/enchant/*.exc rwk,
  /home/*/.config/ibus/bus/ w,
  /home/*/.gstreamer-0.10/* rw,
  /home/*/.icons/ r,
  /home/*/.local/share/icons/ r,
  /home/*/.local/share/icons/**/ r,
  /home/*/.local/share/mime/mime.cache r,
  /home/*/.purple/** rw,
  /home/*/orcexec.* w,

  /proc/*/fd/ r,
  /proc/*/loginuid r,

  /run/resolvconf/resolv.conf r,

  /tmp/ r,
  /tmp/orcexec.* mrw,

  # Run these with Child processes
  /usr/bin/gconftool-2 Cx,
  /usr/bin/xdg-open Cx,

  # Extra libraries needed
  /usr/lib/pidgin/ r,
  /usr/lib/pidgin/*.so* mr,
  /usr/lib/purple-2/ r,
  /usr/lib/purple-2/*.so* mr,
  /usr/lib/x86_64-linux-gnu/gtk-2.0/*/immodules/im*.so mr,
  /usr/lib/x86_64-linux-gnu/libvisual-0.4/actor/*.so mr,
  /usr/lib/x86_64-linux-gnu/pango/*/modules/ r,
  /usr/lib/x86_64-linux-gnu/pango/*/modules/*.so mr,

  /usr/share/ca-certificates/mozilla/* r,
  /usr/share/enchant/enchant.ordering r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  # For icons, themes, dictionaries, etc.
  /usr/share/hunspell/ r,
  /usr/share/hunspell/* r,
  /usr/share/icons/ r,
  /usr/share/icons/** r,
  /usr/share/mime/mime.cache r,
  /usr/share/myspell/dicts/ r,
  /usr/share/pixmaps/ r,
  /usr/share/pixmaps/pidgin/ r,
  /usr/share/pixmaps/pidgin/** r,
  /usr/share/themes/ r,
  /usr/share/themes/** r,
  /var/tmp/ r,


  profile /usr/bin/gconftool-2 {
    #include <abstractions/base>


    /etc/ld.so.cache r,
    /etc/locale.alias r,
    /proc/filesystems r,
    /usr/bin/gconftool-2 r,

  }

  profile /usr/bin/xdg-open {
    #include <abstractions/base>


    /bin/dash r,
    /bin/mkdir rix,
    /bin/readlink rix,
    /bin/which rix,
    /dev/tty rw,
    /etc/gnome/defaults.list r,
    /etc/nsswitch.conf r,
    /etc/passwd r,
    /home/*/.local/share/applications/google-chrome.desktop r,
    /home/*/.local/share/applications/mimeapps.list r,
    /home/*/.local/share/applications/mimeinfo.cache r,
    /home/*/.local/share/mime/mime.cache r,
    /home/*/.mozilla/firefox/*.default/*.sqlite rwk,
    /home/*/.mozilla/firefox/*.default/extensions/** r,
    /opt/google/chrome/*chrome rPx,
    /proc/*/fd/ r,
    /usr/bin/dirname rix,
    /usr/bin/gvfs-open rix,
    /usr/bin/xdg-open r,
    /usr/lib/firefox/firefox.sh Px,
    /usr/share/applications/firefox.desktop r,
    /usr/share/applications/google-chrome.desktop r,
    /usr/share/applications/mimeinfo.cache r,
    /usr/share/mime/mime.cache r,

  }
}
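
Loading a profile and turning the denials it logs into candidate rules (for example the download directory mentioned above), as an added example that is not part of the original post.  The load_profile function wraps the apparmor_parser and aa-complain commands from Ubuntu's apparmor and apparmor-utils packages and is defined but not run here, since it needs root and a live AppArmor.  denials_to_rules reads the type=1400 audit records AppArmor writes to dmesg and /var/log/kern.log on 12.04 when auditd is not installed, merges repeated denials of the same path, and prints rules in the style of the profile above, generalising /home/<user>/ to /home/*/.  The log lines are constructed for this example; the timestamps, pids, paths and the user name alice are made up.

```shell
#!/bin/sh
# Added example (not from the original post): load a profile, then turn the
# DENIED records AppArmor logs into candidate rules for it.

# Not run here: needs root and a live AppArmor.  Start in complain mode so
# every access is logged but allowed, then aa-enforce once the log is clean.
load_profile() {
    prof="/etc/apparmor.d/$1"                 # e.g. usr.bin.pidgin
    apparmor_parser -r "$prof" || return 1    # (re)load into the kernel
    aa-complain "$prof"                       # log-only; aa-enforce "$prof" when done
    aa-status                                 # confirm the mode it ended up in
}

# Constructed sample of the kernel's AppArmor audit records (the kind that show
# up in dmesg and /var/log/kern.log on 12.04 when auditd is not installed).
# Timestamps, pids, paths and the user "alice" are made up for this example.
SAMPLE_DENIALS='type=1400 audit(1349400000.001:101): apparmor="DENIED" operation="open" parent=2001 profile="/usr/bin/pidgin" name="/home/alice/Downloads/photo.jpg" pid=2345 comm="pidgin" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=1400 audit(1349400000.002:102): apparmor="DENIED" operation="open" parent=2001 profile="/usr/bin/pidgin" name="/home/alice/Downloads/photo.jpg" pid=2345 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=1400 audit(1349400000.003:103): apparmor="DENIED" operation="exec" parent=2345 profile="/usr/bin/pidgin" name="/usr/bin/gnome-open" pid=2400 comm="pidgin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=1400 audit(1349400000.004:104): apparmor="STATUS" operation="profile_replace" name="/usr/bin/pidgin" pid=1999 comm="apparmor_parser"'

# Read audit records on stdin, print one rule per (profile, path), merging the
# masks of repeated denials.  Kernel mask letters c (create) and d (delete) are
# granted by w in a profile; an x denial needs a transition mode (ix/Px/Cx)
# chosen by hand, so it is reported as a comment instead of a rule.
denials_to_rules() {
    awk '
    BEGIN { split("r w a l k m x", perm, " ") }
    function field(s, k,    m) {        # value of k="..." in the record, else ""
        if (match(s, k "=\"[^\"]*\"")) {
            m = substr(s, RSTART + length(k) + 2, RLENGTH - length(k) - 3)
            return m
        }
        return ""
    }
    function normalize(mask,    i, out) {
        gsub(/[cd]/, "w", mask)
        out = ""
        for (i = 1; i <= 7; i++) if (index(mask, perm[i])) out = out perm[i]
        return out
    }
    /apparmor="DENIED"/ {
        prof = field($0, "profile"); path = field($0, "name")
        mask = field($0, "denied_mask")
        if (mask == "") mask = field($0, "requested_mask")
        if (prof == "" || path == "") next
        sub(/^\/home\/[^\/]+\//, "/home/*/", path)   # any home, as in the profile above
        key = prof SUBSEP path
        if (!(key in masks)) order[++n] = key
        masks[key] = masks[key] mask
    }
    END {
        for (i = 1; i <= n; i++) {
            split(order[i], kp, SUBSEP); prof = kp[1]; path = kp[2]
            m = normalize(masks[order[i]])
            if (prof != last) { print "# " prof; last = prof }
            if (index(m, "x")) print "  # exec of " path " was denied: add an ix, Px or Cx rule"
            gsub(/x/, "", m)
            if (m != "") print "  " path " " m ","
        }
    }'
}

# Run over the constructed sample; on a real box use e.g.
#   grep 'apparmor="DENIED"' /var/log/kern.log | denials_to_rules
printf '%s\n' "$SAMPLE_DENIALS" | denials_to_rules
```

Paste the suggested lines into the profile, reload with apparmor_parser -r, and repeat until the log stays quiet; only then switch to aa-enforce.  aa-logprof from apparmor-utils does the same job interactively, but reading the raw records shows you exactly which path and mask each rule is answering for, which matters when a denial is for something you would rather leave denied.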

Next up is XChat.  This profile lets you connect to IRC servers and chat in channels.  I haven't tested it beyond that and have not tried advanced features like scripting or file transfers, but for connecting to IRC and chatting it works fine, and it works with Tor as well.  Two things to be aware of: the profile does not include abstractions/base, so the explicit /lib and /usr/lib rules below stand in for it (pull in abstractions/base if you trim them); and the /home/*/** r rule lets xchat read any user's home directory except the paths that abstractions/private-files-strict explicitly denies (~/.ssh, ~/.gnupg and the other private files listed there), because an explicit deny beats an allow.  If you want it tighter, use owner @{HOME}/** r, or narrower rules, in its place.

Name: usr.bin.xchat
Directory: /etc/apparmor.d/


# Last Modified: Wed Oct  3 00:16:32 2012
# The abstractions used here were checked for safety.  None of them contain any Ux or Px executables.

#include <tunables/global>

/usr/bin/xchat {
  #include <abstractions/audio>
  #include <abstractions/dbus-session>
  #include <abstractions/enchant>
  #include <abstractions/fonts>
  #include <abstractions/perl>
  #include <abstractions/private-files-strict>

  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,


  /dev/null r,
  /dev/urandom r,

  /etc/fstab r,
  /etc/ld.so.cache r,
  /etc/locale.alias r,
  /etc/localtime r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/python2.7/sitecustomize.py r,

  /home/*/** r,
  /home/*/.cache/* rw,
  /home/*/.cache/dconf/user rw,
  /home/*/.config/enchant/en_US* rwk,
  /home/*/.config/ibus/bus/ rw,
  /home/*/.local/share/recently-used.xbel* rw,
  /home/*/.pulse-cookie rwk,
  /home/*/.xchat2/** rw,

  /lib/x86_64-linux-gnu/ r,
  /lib/x86_64-linux-gnu/** mr,

  /proc/[0-9]*/mounts r,
  /proc/cpuinfo r,
  /proc/filesystems r,
  /proc/meminfo r,
  /proc/stat r,

  /sys/devices/system/cpu/online r,

  /usr/bin/xchat mr,

  /usr/include/python2.7/pyconfig.h r,
  /usr/lib/ r,
  /usr/lib/** r,
  /usr/lib/enchant/libenchant_*spell.so m,
  /usr/lib/gtk-2.0/2.10.0/menuproxies/libappmenu.so m,
  /usr/lib/libaspell* m,
  /usr/lib/libenchant* m,
  /usr/lib/liblaunchpad-integration* m,
  /usr/lib/liboverlay-scrollbar* m,
  /usr/lib/libperl* m,
  /usr/lib/libpython2.7.so.* mr,
  /usr/lib/libsexy* m,
  /usr/lib/libtcl8.5.so.* mr,
  /usr/lib/x86_64-linux-gnu/** m,
  /usr/lib/xchat/plugins/perl.so m,
  /usr/lib/xchat/plugins/python.so mr,
  /usr/lib/xchat/plugins/tcl.so mr,
  /usr/local/lib/python2.7/dist-packages/ r,
  
  /usr/share/X11/locale/ r,
  /usr/share/X11/locale/** r,
  /usr/share/ca-certificates/ r,
  /usr/share/ca-certificates/** r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gvfs/remote-volume-monitors/ r,
  /usr/share/gvfs/remote-volume-monitors/* r,
  /usr/share/icons/ r,
  /usr/share/icons/** r,
  /usr/share/mime/ r,
  /usr/share/mime/** r,
  /usr/share/pixmaps/ r,
  /usr/share/pyshared/* r,
  /usr/share/tcltk/tcl8.5/init.tcl r,
  /usr/share/themes/ r,
  /usr/share/themes/** r,

  owner /{run,dev}/shm/pulse-shm* rk,
  /{run,dev}/shm/pulse-shm* w,

}
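
The comment at the top of the XChat profile says the abstractions were checked for Ux and Px executables.  Here is that check as a script, an added example rather than anything from the original post: it follows #include <...> lines recursively and prints every rule whose mode contains ux, Ux, px, Px (or the pux/PUx forms), since ux/Ux runs the target unconfined and px/Px hands off to whatever profile the target has, and neither is something an abstraction should decide silently on a profile's behalf.  It is run here against a constructed abstraction tree in a temporary directory; the function names, the sample file names (safe, base-ish, risky) and their contents are inventions for the example, and on a real system you would point it at /etc/apparmor.d.

```shell
#!/bin/sh
# Added example (not from the original post): find exec rules with ux/px modes
# anywhere in the abstractions a profile includes, following nested #includes.

# Print the relative name of $2 and of every file it pulls in via #include <...>,
# rooted at the apparmor.d directory $1.  $3 carries the names already on the
# include path, so a cycle cannot recurse forever.
list_includes() {
    local root rel seen inc
    root=$1; rel=$2; seen=$3
    case " $seen " in *" $rel "*) return 0 ;; esac
    if [ ! -f "$root/$rel" ]; then
        echo "warning: $rel not found under $root" >&2
        return 0
    fi
    echo "$rel"
    sed -n 's/^[[:space:]]*#include[[:space:]]*<\([^>]*\)>.*/\1/p' "$root/$rel" |
    while read -r inc; do
        list_includes "$root" "$inc" "$seen $rel"
    done
}

# A file rule's permission string ends in ",": flag any whose mode contains
# ux, Ux, px, Px, pux or PUx (surrounding r/w/a/l/k/m letters allowed).
# Cx and ix are left alone, matching the concern in the profile's comment.
UNSAFE_EXEC_RE='[[:space:]][rwalkm]*[pPuU][uU]?x[rwalkm]*[[:space:]]*,'

# unsafe_exec_rules ROOT ABSTRACTION...  prints "file:line:rule" for each hit,
# with comments stripped first so a commented-out rule is not reported.
# Returns 0 when nothing was found, 1 otherwise.
unsafe_exec_rules() {
    local root abs found f
    root=$1; shift
    found=$(
        for abs in "$@"; do list_includes "$root" "$abs" ""; done | sort -u |
        while read -r f; do
            sed 's/#.*//' "$root/$f" | grep -nE "$UNSAFE_EXEC_RE" | sed "s|^|$f:|"
        done
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed abstraction tree for the demonstration (made-up file names and
# rules, not Ubuntu's real abstractions).
make_sample_tree() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/abstractions"
    cat > "$d/abstractions/base-ish" <<'EOF'
  /bin/dash ix,
  # /usr/bin/evil Ux,   commented out, must not be flagged
EOF
    cat > "$d/abstractions/safe" <<'EOF'
  #include <abstractions/base-ish>
  /usr/lib/** mr,
EOF
    cat > "$d/abstractions/risky" <<'EOF'
  #include <abstractions/base-ish>
  /usr/bin/xdg-open Px,
  /usr/bin/gnome-open rUx,
EOF
    echo "$d"
}

sample=$(make_sample_tree)
unsafe_exec_rules "$sample" abstractions/safe && echo "abstractions/safe: no ux/px rules"
unsafe_exec_rules "$sample" abstractions/risky || echo "abstractions/risky: review the rules above"
rm -rf "$sample"
# On a real 12.04 box, check the set the XChat profile includes with e.g.:
#   unsafe_exec_rules /etc/apparmor.d abstractions/audio abstractions/dbus-session \
#       abstractions/enchant abstractions/fonts abstractions/perl abstractions/private-files-strict
```

Run it again after every apparmor package upgrade: an abstraction that was clean when you wrote the profile can gain an exec rule later, and nothing in the profile itself will tell you.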

Test them and report back in the comments if you run into problems.

2 comments:

  1. Rookcifer:

    Your usr.bin.xchat Novell AppArmor profile does not allow me to connect to the official Ubuntu IRC server at irc.freenode.net over port 8001/tcp. I checked my UFW firewall settings and there's a bug with your custom Novell AppArmor profile for both Pidgin and X-Chat. Can you take a look at it and fix it? Thanks.

  2. xchat profile seems to work fine for hexchat too (renamed all instances of xchat to hexchat and added the config directory .config/hexchat/** rw,).
