apparmor network rule

Hi,

It seems that the network rule doesn’t have any impact. I am trying to deny TCP networking for wget in order to test how it works:


/usr/bin/wget {
  /usr/lib** mr,
  /lib** mr,

  network irda , # I tried different combinations here
}


But it doesn’t work at all; wget still downloads the pages successfully.

openSUSE 11.2,
apparmor 2.3

matwey wrote:
> It seems that the network rule doesn’t have any impact.

i don’t know much about it, but isn’t that to keep uninvited folks OUT
of your machine, and not to stop you from asking for and receiving stuff?

or, were you trying to set it up so that some/all users couldn’t wget
anything?


palladium

Unfortunately, there aren’t any uninvited folks. There is only broken apparmor. :wink: It doesn’t work as described in guides and manuals.

matwey wrote:
> There is only broken apparmor. :wink: It doesn’t work as described
> in guides and manuals.

so you logged a bug? http://en.opensuse.org/Submitting_Bug_Reports

or just complain?

or, maybe you want to explain what it is you try to do:

-deny wget to some/all local users
-deny ftp fetch to all/some local users
-deny http fetch to all/some local users
-deny https fetch to some/all local users
-or what?


palladium

I see that you are confused by the application that I chose for testing. I want somebody to explain to me how to activate network restrictions with my AppArmor.

Seems to me that selinux is more what you are looking for. I could be wrong, but I thought that AppArmor was more aimed at defining and preventing system changes than at restricting access.

matwey wrote:
> I see that you are confused by the application that I chose for testing. I want
> somebody to explain to me how to activate network restrictions with my
> AppArmor.

can you check as root with

aa-status

if your profile is really loaded and enforced?

Yes, the profile is loaded and enforced. Moreover, wget can’t write the downloaded file to the filesystem because of apparmor write restrictions. I am a little confused by the absence of ‘socket_create’ messages in my /var/log/audit/audit.log

matwey wrote:
> Yes, the profile is loaded and enforced. Moreover, wget can’t write the
> downloaded file to the filesystem because of apparmor write restrictions. I
> am a little confused by the absence of ‘socket_create’ messages in my
> /var/log/audit/audit.log

Ok, I have to say I never tried to use the network access/deny features of
apparmor (only file related things). So this is also new to me and I have to
check in baby steps how it works, it is something I am also interested in.

Just to be sure that the network access restrictions work at all, I took the
bin.ping profile from /etc/apparmor.d and edited it so that network access is
disabled:


#include <tunables/global>

/bin/ping {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>

#capability net_raw,
capability setuid,

#network inet raw,

/bin/ping mrix,
/etc/modules.conf r,

}

(I commented out “capability net_raw” and “network inet raw” to disable
network access altogether.)

After “rcapparmor restart” to reload the profiles, ping fails as it should:

martinh@sirius:/etc/apparmor.d> ping 192.168.178.1
ping: icmp open socket: Operation not permitted

So we know now that in principle it should work. There seems to be something
wrong with your profile, but I am not sure what.

See what operation was blocked by apparmor in your audit.log, then uncomment “capability net_raw” and try again.

matwey wrote:
> See what operation was blocked by apparmor in your audit.log, then
> uncomment “capability net_raw” and try again.

I see

type=APPARMOR_DENIED msg=audit(1268079515.931:228): operation="capable"
pid=19787 parent=18958 profile="/bin/ping" name="net_raw"

but with the capability enabled the “network” line has no effect at all
(independent of what I write behind it)
:frowning:
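To do the “see what operation was blocked in your audit.log” step mechanically, here is an added Python helper (not code from the thread) that parses APPARMOR_DENIED records like the one quoted above and tallies denied operations per profile; the embedded log lines are constructed to mirror the thread's record, and the field names used for the socket_create and open records (family, sock_type, protocol, requested_mask, denied_mask) are assumed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the APPARMOR_DENIED record quoted in the thread.
# The socket_create/open records and their extra field names are assumed, not taken
# from the thread; a non-AppArmor SYSCALL record is included to show it is skipped.
SAMPLE_AUDIT_LOG = """\
type=APPARMOR_DENIED msg=audit(1268079515.931:228): operation="capable" pid=19787 parent=18958 profile="/bin/ping" name="net_raw"
type=APPARMOR_DENIED msg=audit(1268079520.100:229): operation="socket_create" pid=19790 parent=18958 profile="/usr/bin/wget" family="inet" sock_type="stream" protocol=6
type=APPARMOR_DENIED msg=audit(1268079521.500:230): operation="open" pid=19790 parent=18958 profile="/usr/bin/wget" name="/home/user/index.html" requested_mask="w" denied_mask="w"
type=APPARMOR_ALLOWED msg=audit(1268079522.000:231): operation="open" pid=19790 parent=18958 profile="/usr/bin/wget" name="/etc/hosts" requested_mask="r"
type=SYSCALL msg=audit(1268079522.100:232): arch=c000003e syscall=2 success=yes
"""

# key=value pairs; a value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return the fields of one AppArmor audit record as a dict, or None for other records."""
    # Forum rendering turns the kernel's straight quotes into curly ones; undo that first.
    line = line.replace("\u201c", '"').replace("\u201d", '"')
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    if not fields.get("type", "").startswith("APPARMOR_"):
        return None
    return fields


def summarize_denials(log_text):
    """Tally denied operations per profile: {profile: {operation: count}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec["type"] != "APPARMOR_DENIED":
            continue
        summary[rec.get("profile", "?")][rec.get("operation", "?")] += 1
    return {profile: dict(ops) for profile, ops in summary.items()}


def sockets_mediated(log_text, profile):
    """True if the log holds at least one socket_create denial for `profile`: the
    evidence the thread is looking for that the kernel mediates sockets for it."""
    return summarize_denials(log_text).get(profile, {}).get("socket_create", 0) > 0
```

Note that a `network` rule in a profile grants access rather than denying it; with network mediation active, networking is withheld by leaving every `network` rule out, which is why the tally above looks for socket_create denials rather than for a deny rule.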

As far as I understand from the kernel source, we should see operation="socket_create" when ‘network’ is active.

matwey wrote:
> As far as I understand from the kernel source, we should see
> operation="socket_create" when ‘network’ is active.

Basically I would expect to see something like this, but ping is raw no
packets or socket so I am unsure.

At this point I think I have to read the docs for the network access control
via apparmor again. I cannot interpret the behaviour I see and this means I
did not really understand how it is supposed to work. Maybe I missed
something obvious.

Google also does not give me that much useful information about it.

Martin Helm wrote:
> Basically I would expect to see something like this, but ping is raw no
> packets or socket so I am unsure.

Sorry, typo: of course packets, but it should have been: no protocol

matwey wrote:
> As far as I understand from the kernel source, we should see
> operation="socket_create" when ‘network’ is active.

you probably know apparmor is a Novell project…maybe it would be useful to look into their
apparmor forum <http://forums.novell.com/novell-product-support-forums/apparmor/>

maybe some searching/reading over there could be clarifying/helpful…maybe a search or two
including a site specifier might be useful…try

site:forums.novell.com apparmor [network|socket|whatever]

i really do not know how much they will help you as (i guess) that forum is aimed at supporting
paying customers (using SLED/S) but, perhaps if you lay out your question clearly, and ‘forget’ to
mention “openSUSE 11.2” you will have your answer before they ask (if they ever do)…i mean, they
may want to know that the Russian documentation is unclear…

actually, i do not know–maybe they welcome you with open arms…paid support or not…

i do know your login credentials here will get you into their fora also…

OH!!! the SLES/SLED free download includes “free updates and maintenance for 60 days”
<http://www.novell.com/linux/download_linux.html> you might consider installing it in a sandbox and
set it up for your apparmor questions…

who knows you might like it so much you buy the support/update package (at least it wont go
unsupported in May 2011 as the openSUSE 11.2 will)

-=good luck=- sorry i couldn’t help more…


palladium

AppArmor: ‘network’ rule - NOVELL FORUMS

I think I should file a bug in bugzilla. But maybe there is an explanation. Let’s wait a little.

matwey wrote:
> I think I should file a bug in bugzilla. But maybe there is an
> explanation. Let’s wait a little.

understand, and can’t disagree…i was thinking that maybe if you post
to the novell forum you might catch an apparmor guru there (not that
Martin is not)…

also, since this forum is populated mostly by folks with needs a lot
less technical than yours :wink: [mostly n00bs jumping off the Redmond
ship] you might find more help/info in a mail list, see:
http://en.opensuse.org/Communicate/Mailinglists

maybe opensuse@opensuse.org or one of the ru lists…or security…


palladium

matwey wrote:
> ‘AppArmor: ‘network’ rule - NOVELL FORUMS’
> (http://tinyurl.com/yah52gg)
>
> I think I should file a bug in bugzilla. But maybe there is an
> explanation. Let’s wait a little.

After reading the official documentation on apparmor again, I cannot find
what’s wrong. In my understanding it should work as you tried it.
So I am also interested in the answer you receive at the novell forum.

I’ve filed the report:

https://bugzilla.novell.com/show_bug.cgi?id=588185