AppArmor Profile: Deny internet access

I want to deny the internet permission for some applications. Therefore, I tried first to deny the internet permission for ping, but it doesn’t work.
Here is the profile of /etc/apparmor.d/bin.ping:

/{usr/,}bin/ping {
  #include <abstractions/base>
  # block ipv4 access
  deny network inet,
  # ipv6
  deny network inet6,
  # raw socket
  deny network raw,
}

But the pinging still happens after restarting apparmor with

/etc/init.d/boot.apparmor restart
ping google.de
PING google.de (64.15.112.99) 56(84) bytes of data.
64 bytes from cache.google.com (64.15.112.99): icmp_seq=1 ttl=57 time=11.8 ms
64 bytes from cache.google.com (64.15.112.99): icmp_seq=2 ttl=57 time=15.3 ms

How can I easily block certain apps from accessing the internet?

thanks for your help in advance!

As you prefer to keep it a secret which version of openSUSE you use, this is just a try based on openSUSE 13.1

henk@boven:~> which ping
/usr/bin/ping

Now I do not know much about AppArmor, but when you use bin/ping in any configuration file, I guess that it will not do anything to /usr/bin/ping. Is AppArmor an exception?

My two cents.

Sorry that I forgot to mention the version I’m using, but it is 13.1.
I think the brackets {} make it apply to both /usr/bin/ping and /bin/ping. But since I’m not sure about it, I gave the following a try, and it didn’t work either:


/usr/bin/ping {
  #include <abstractions/base>
  # block ipv4 access
  deny network inet,
  # ipv6
  deny network inet6,
  # raw socket
  deny network raw,
}


I restarted apparmor as mentioned in the first post and pinging google still works.

As said, I am not an AppArmor user, but imho it was worth a try. After all one is a symlink to the other and I would always use the real one, not the symlink (when a symlink would be able to circumvent the blocking that would nullify all).

On 2014-06-14 22:16, hcvv wrote:

> /usr/bin/ping. Is AppArmor an exception?

Somewhat yes :-)


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On 2014-06-15 08:26, booo123 wrote:

> Code:
> --------------------
>
> /usr/bin/ping {
> #include <abstractions/base>
> # block ipv4 access
> deny network inet,
> # ipv6
> deny network inet6,
> # raw socket
> deny network raw,
> }
>
>
> --------------------
>
> I restarted apparmor as mentioned in the first post and pinging google
> still works.

Ask it for status, it should list that profile.


Your profile departs a bit from the default one:


#include <tunables/global>
/{usr/,}bin/ping {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,
  /etc/modules.conf r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/bin.ping>
}

But I have not played with what you want to achieve. I have blocked
internet access to applications by using the firewall, though.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

That’s correct.

But since I’m not sure about it I gave the following a try but it didn’t work as well:

/usr/bin/ping {
#include <abstractions/base>
# block ipv4 access
deny network inet,
# ipv6
deny network inet6,
# raw socket
deny network raw,
}

I restarted apparmor as mentioned in the first post and pinging google still works.

Well, I’m not really experienced with AppArmor either, but the default /etc/apparmor.d/bin.ping looks like this:

# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2009 Novell/SUSE
#    Copyright (C) 2010 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>
/{usr/,}bin/ping {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,
  /etc/modules.conf r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/bin.ping>
}

Yours is much more trimmed down, maybe that’s why it’s not working?
You shouldn’t change it anyway, but add your own stuff to /etc/apparmor.d/local/bin.ping.
And I just tried, adding this to /etc/apparmor.d/local/bin.ping prevents ping from working at all here:

    # block ipv4 acces
    deny network inet,
    # ipv6 
    deny network inet6,
    # raw socket
    deny network raw,

I played a bit more with it, and apparently you just seem to be missing the “#include <tunables/global>” line.
/etc/apparmor.d/bin.ping with this content works here, i.e. forbids ping:

#include <tunables/global>
/{usr/,}bin/ping {
  #include <abstractions/base>
    # block ipv4 access
    deny network inet,
    # ipv6 
    deny network inet6,
    # raw socket
    deny network raw,
}

HTH.

PS: with your bin.ping I see the following in /var/log/messages:

2014-06-15T14:20:10.964327+02:00 linux-lf90 systemd[1]: Starting LSB: AppArmor initialization...
2014-06-15T14:20:11.025891+02:00 linux-lf90 boot.apparmor[11784]: Starting AppArmor Found reference to variable HOMEDIRS, but is never declared
2014-06-15T14:20:11.027006+02:00 linux-lf90 boot.apparmor[11784]: /etc/apparmor.d/bin.ping failed to load..failed
2014-06-15T14:20:11.487258+02:00 linux-lf90 boot.apparmor[11784]: ..done

This should explain why it is not working… :wink:

To be precise, <abstractions/base> uses some variables that are declared by the stuff included from <tunables/global>.
If you removed "#include <abstractions/base>" from your profile, it would work as well:


/{usr/,}bin/ping {
    # block ipv4 access
    deny network inet,
    # ipv6 
    deny network inet6,
    # raw socket
    deny network raw,
}

But then ping would not even start because it couldn’t load the shared libraries it needs:

# ping opensuse.org
ping: error while loading shared libraries: libcap.so.2: cannot open shared object file: Permission denied
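
As an added example (not code from the thread or from wolfi323), here is a small shell script that automates the two checks that located the problem above: a lint that flags a profile pulling in an <abstractions/...> file without <tunables/global>, and a scan of /var/log/messages for profiles that boot.apparmor reported as failed to load. The sample profiles and log lines are constructed inline from what this thread shows; the /etc/apparmor.d paths are only used as strings.

```bash
#!/bin/bash
# Added example (not from the thread): the two checks that explain why the
# trimmed-down bin.ping profile was silently ignored.

# lint_profile FILE
# Returns 1 if FILE includes an <abstractions/...> file without also
# including <tunables/global>; the abstractions reference variables such as
# @{HOMEDIRS} that only the tunables declare, and the parser rejects the
# whole profile when it meets an undeclared variable.
lint_profile() {
    local f=$1
    if grep -Eq '^[[:space:]]*#include[[:space:]]*<abstractions/' "$f" &&
       ! grep -Eq '^[[:space:]]*#include[[:space:]]*<tunables/global>' "$f"; then
        echo "$f: includes <abstractions/...> but not <tunables/global>" >&2
        return 1
    fi
    return 0
}

# failed_loads LOGFILE
# Prints the path of every profile that boot.apparmor reported as
# "failed to load" in LOGFILE.
failed_loads() {
    sed -n 's/.*boot\.apparmor\[[0-9]*\]: \(\/[^ ]*\) failed to load.*/\1/p' "$1"
}

# --- constructed sample input, copied from what this thread shows ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# the profile from the first post (no tunables include)
cat >"$work/bin.ping.broken" <<'EOF'
/{usr/,}bin/ping {
  #include <abstractions/base>
  deny network inet,
  deny network inet6,
  deny network raw,
}
EOF

# the version that works
cat >"$work/bin.ping.fixed" <<'EOF'
#include <tunables/global>
/{usr/,}bin/ping {
  #include <abstractions/base>
  deny network inet,
  deny network inet6,
  deny network raw,
}
EOF

# the /var/log/messages lines quoted above
cat >"$work/messages" <<'EOF'
2014-06-15T14:20:10.964327+02:00 linux-lf90 systemd[1]: Starting LSB: AppArmor initialization...
2014-06-15T14:20:11.025891+02:00 linux-lf90 boot.apparmor[11784]: Starting AppArmor Found reference to variable HOMEDIRS, but is never declared
2014-06-15T14:20:11.027006+02:00 linux-lf90 boot.apparmor[11784]: /etc/apparmor.d/bin.ping failed to load..failed
2014-06-15T14:20:11.487258+02:00 linux-lf90 boot.apparmor[11784]: ..done
EOF

lint_profile "$work/bin.ping.broken" || echo "broken profile flagged, as expected"
lint_profile "$work/bin.ping.fixed" && echo "fixed profile passes the lint"
echo "profiles that failed to load:"
failed_loads "$work/messages"
```

On a live system, run lint_profile against /etc/apparmor.d/bin.ping before restarting, and failed_loads /var/log/messages afterwards. The authoritative checks remain aa-status, which lists the loaded profiles (a profile that failed to parse is simply absent), and apparmor_parser -Q /etc/apparmor.d/bin.ping, which parses the file without loading it into the kernel and reports the undeclared-variable error directly.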

@wolfi323 thank you very much! with “#include <tunables/global>” it is working! But how did you find out that this one is missing?
@robin_listas which firewall are you using for application specific blocking?

On 2014-06-15 15:36, booo123 wrote:

> @robin_listas which firewall are you using for application specific
> blocking?

SuSEfirewall with a trick.

I change the application permissions, to be Group SUID, which means that
it runs as that group id. A custom rule in the firewall blocks packages
coming from that group.

I’ll post later the details, I have something else to do. Just ping here
if I forget.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

TBH, by trying to add the lines from the original file one by one. Luckily, the first line helped already… :wink:

Afterwards I spotted that error in /var/log/messages and had a look at the files themselves.

Please take this as a kind reminder :wink: thanks!


On 2014-06-17 18:46, booo123 wrote:

>> SuSEfirewall with a trick.
>>
>> I change the application permissions, to be Group SUID, which means that
>> it runs as that group id. A custom rule in the firewall blocks packages
>> coming from that group.
>>
>> I’ll post later the details, I have something else to do. Just ping here
>> if I forget.

> please take this as a kind reminder;-) thanks!

Ah! Right, I forgot.

In “/etc/sysconfig/SuSEfirewall2” activate this line:


FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

In that file I have:


fw_custom_after_chain_creation() {
    iptables -A OUTPUT -m owner --gid-owner talker -j LOG --log-prefix 'Do not talk home: '
    iptables -A OUTPUT -m owner --gid-owner talker -j REJECT

    true
}

(I’m unsure if that’s the best function to place those rules, though).

And in “/etc/permissions.local”, this line:


/usr/lib/Adobe/Reader9/bin/acroread            root:talker     2755

which after running “chkstat --system --set” results in:


-rwxr-sr-x 1 root talker 20137 Dec 27 17:14 /usr/lib/Adobe/Reader9/bin/acroread*

Although it should be “/usr/lib/Adobe/Reader9/Reader/intellinux/bin/acroread”, in my case; and if I do, acroread fails to run:


cer@Telcontar:~> acroread
/usr/lib/Adobe/Reader9/Reader/intellinux/bin/acroread: error while loading shared libraries: libBIB.so: cannot open shared object file: No such file or directory
cer@Telcontar:~>

which I have not yet investigated, it is a new problem. It is not apparmor. :-?
It worked some time ago, I used it.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
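
To complement Carlos’s description, an added example (not his script): helpers that print the rule set for the group-based block, including the ip6tables twin that the IPv4-only rules above would leave open, and a check that a binary really carries the setgid bit with the intended group, which is what the owner match keys on. The group name talker comes from the post; the demo file is constructed, and nothing here touches the live firewall.

```bash
#!/bin/bash
# Added example (not Carlos's script): helpers for the "setgid to a dedicated
# group, firewall that group" trick. Nothing here changes the live firewall;
# the rules are printed so they can be reviewed and pasted into
# fw_custom_after_chain_creation().

# gid_owner_rules GROUP
# Print the commands that log and reject every locally generated packet whose
# sending process runs with GROUP as its group id. The post's rules cover
# IPv4 only; without the ip6tables twin the block has an IPv6 hole.
gid_owner_rules() {
    local group=$1 tool
    for tool in iptables ip6tables; do
        printf '%s -A OUTPUT -m owner --gid-owner %s -j LOG --log-prefix "Do not talk home: "\n' "$tool" "$group"
        printf '%s -A OUTPUT -m owner --gid-owner %s -j REJECT\n' "$tool" "$group"
    done
}

# mode_is_setgid OCTAL
# Returns 0 if an octal mode as printed by "stat -c %a" (e.g. 2755) has the
# setgid bit (02000) set; 4755 is setuid only and does not count.
mode_is_setgid() {
    case "$1" in
        2???|3???|6???|7???) return 0 ;;
        *) return 1 ;;
    esac
}

# is_setgid FILE GROUP
# Returns 0 only if FILE is group-owned by GROUP and carries the setgid bit,
# i.e. it will actually run with GROUP's id and be matched by the rules.
is_setgid() {
    local mode grp
    mode=$(stat -c %a "$1") || return 1
    grp=$(stat -c %G "$1") || return 1
    [ "$grp" = "$2" ] && mode_is_setgid "$mode"
}

# --- demo on constructed data ---
gid_owner_rules talker

demo=$(mktemp)
trap 'rm -f "$demo"' EXIT
chmod 0755 "$demo"
if is_setgid "$demo" talker; then
    echo "$demo would be caught by the talker rules"
else
    echo "$demo is not setgid talker: the owner match would never fire"
fi
```

The owner match only applies to locally generated packets, so OUTPUT is the right chain for it. After chkstat has applied the permissions.local entry, is_setgid /path/to/binary talker is a quick way to confirm the bit survived (a file system mounted nosuid, or a copy made without preserving modes, drops it silently).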

On Sat, 14 Jun 2014 19:16:01 GMT, booo123
<booo123@no-mx.forums.opensuse.org> wrote:

>
>I want to deny the internet permission for some applications.
>Therefore, I tried first to deny the internet permission for ping, but
>it doesn’t work.
>Here is the profile of
>Code:
>--------------------
> /etc/apparmor.d/bin.ping
>--------------------
>
>
>Code:
>--------------------
> /{usr/,}bin/ping {
> #include <abstractions/base>
> # block ipv4 access
> deny network inet,
> # ipv6
> deny network inet6,
> # raw socket
> deny network raw,
> }
>--------------------
>
>
>But the pinging still happens after restarting apparmor with
>
>Code:
>--------------------
>
> /etc/init.d/boot.apparmor restart
> ping google.de
> PING google.de (64.15.112.99) 56(84) bytes of data.
> 64 bytes from cache.google.com (64.15.112.99): icmp_seq=1 ttl=57 time=11.8 ms
> 64 bytes from cache.google.com (64.15.112.99): icmp_seq=2 ttl=57 time=15.3 ms
>--------------------
>
>
>How can I easily block certain apps from accessing the internet?
>
>thanks for your help in advance!

Just a wild guess on my part but i think that PolicyKit is the correct
tool to use for this. AppArmor is more about protecting applications from
processes gone rogue and rootkits.

BTW wouldn’t just renaming ping solve the “problem” for ping. (ICMP echo
request)

?-)

No, I don’t think so.
ping (or whatever program you want to restrict) would have to explicitly support PolicyKit (or polkit, as it is called now) for that.

I think you rather mean /etc/permissions?
This does contain a rule for ping, but normally ping gets the necessary privileges via capabilities anyway so that it doesn’t have to be suid root (see “man capabilities”).

But this might not help with normal internet access, as a normal user is of course allowed to do that, whereas for ICMP (e.g. ping) you need root privileges.
You wouldn’t want to remove execute permissions from all applications that could access the internet, right?

And AIUI the original question here was meant more generally, “ping” was just a simple example to get the basics to work.

Interesting thread. I had thought of doing this myself, but haven’t tried it yet. I thought that maybe you could write a script (say “nonet”) that had its own apparmor profile to forbid internet access, so you could invoke programs like:

nonet someprogram arg1 arg2

and the program would then be blocked from the internet. You can transfer apparmor profiles to new processes through an exec(), so I think this should be possible.

Just an idea.
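
The wrapper idea in this last post can be made concrete. The script below is an added example, not code from the thread: install_nonet writes a one-line exec wrapper and an AppArmor profile attached to the wrapper’s path; the profile allows file access broadly but executes everything with ix, so every program started through nonet inherits the profile and its network denials. The install locations and the profile file name (usr.local.bin.nonet for a wrapper at /usr/local/bin/nonet) are assumptions; the demo at the bottom installs into a temporary directory, so it runs without root and without loading anything into the kernel.

```bash
#!/bin/bash
# Added example (not code from the thread): a "nonet" wrapper whose AppArmor
# profile is inherited by whatever it executes.

# install_nonet BINDIR PROFILEDIR
# Writes BINDIR/nonet and a matching profile into PROFILEDIR, and prints the
# profile's path. The profile name follows the usual convention of the
# attachment path with '/' replaced by '.' (e.g. usr.local.bin.nonet).
install_nonet() {
    local bindir=$1 profdir=$2 wrapper profile
    wrapper="$bindir/nonet"
    profile="$profdir/$(printf '%s' "$wrapper" | sed 's|^/||; s|/|.|g')"
    mkdir -p "$bindir" "$profdir"

    cat >"$wrapper" <<'EOF'
#!/bin/sh
# nonet: exec the given command. The AppArmor profile attached to this
# script's path is inherited by the child and keeps it off the network.
exec "$@"
EOF
    chmod 755 "$wrapper"

    # Unquoted heredoc so $wrapper is expanded into the attachment line.
    cat >"$profile" <<EOF
#include <tunables/global>
$wrapper {
  #include <abstractions/base>
  # Let the wrapped program read, write, map and link files anywhere, and
  # execute anything with 'ix': the child inherits this profile, even if it
  # has a profile of its own (e.g. /usr/bin/ping -> bin.ping).
  /** mrwklix,
  # the same three denials the thread uses for ping
  deny network inet,
  deny network inet6,
  deny network raw,
}
EOF
    printf '%s\n' "$profile"
}

# --- demo: install into a scratch directory, no root needed ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
prof=$(install_nonet "$work/bin" "$work/apparmor.d")
echo "wrote $prof:"
cat "$prof"
# Without the profile loaded the wrapper is plain exec; once it is loaded
# (apparmor_parser -r "$prof") the same call runs the command offline.
"$work/bin/nonet" echo "wrapper works"
```

For a real installation run install_nonet /usr/local/bin /etc/apparmor.d as root, then apparmor_parser -r /etc/apparmor.d/usr.local.bin.nonet, and confirm with aa-status that the profile is listed; nonet ping google.de should then fail instead of answering. The three deny rules mirror the thread’s; a bare deny network, would also cut unix sockets, which breaks D-Bus and X clients, so it is deliberately not used here.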