Let's create AppArmor applications project

I began securing my 11.1 box and started thinking if maybe it would be a good idea to create an AppArmor project in which we could all participate in securing our beloved openSUSE.

I’d start with creating the wiki on openSUSE, how to contribute and i’d ask for a mailing list. Anyone got thoughts about that?

I wondered the other day about “harden the box”. Actually the problem is if we want to go on with AppArmour or if there are alternatives that are more attractive. SE Linux is very difficult to configure as policy and there is no default policy delivered yet. One could set-up an official policy. Then there is “Tomoyo” that seems maybe a good compromise. Others criticizes that project (saying it is anyway inferior to SE). Or do we go on with AppArmour? Has it still a future after having been substantially “buried” by Novel? (They still use it but they do not invest in it anymore). Do you feel comfortable with it?

Well to be honest, as long as it is included in openSUSE and is enabled by default then i’m quite comfortable with that (also consider it has to be easy to enable to new users). They shouldn’t fiddle with kernel etc. just to get SELinux working. Right now i hardened firefox, ktorrent, thunderbird 3, akregator :slight_smile: More to come to have a completely safe box :slight_smile: Now to override this they need to hack my AppArmor module ;D

Having information on how and why in a Wiki page would be great.

There already is wiki on HOW to do it, i was thinking about a group of people that would discuss how to harden certain applications and what would be the best way etc.

If linux will gain a bit more popularity then we’ll also see more threats so we need to be prepared.

Hmmm I went through the how-to but in the end by doing it i.e. for firefox, I have the impression every time you think you need not to allow anything any more it blocks something else. If the very owners of the programs are not giving clear indications on what they are doing and why, and about the permissions they need, it will be a hard task with AppArmour. SE linux is in the kernel and I would expect Novel to activate it in the next editions. Although it may be they spare it to be integrated in their commercial version.

I find AppArmour configuration particular castrating with new websites that call functions like vlc and flash and are hard to figure out without being on the other hand too permissive. Ever tried to set up AppArmour with a chat website that has also flash and webcam? Left me a bit … perplex. But you are right, in the moment I feel a bit…abandoned on the unsafe side.:’(
Maybe a group for AppArmour settings would be nice. With a sticky topic, on where to copy from the delivered profiles.

(Still in all honesty I would have expected that if they deliver profiles, like they do, they shall be complete and work).
Maybe I am romantic…lol!

It’s simple to harden Your application. You add it to a profile and keep YaST opened with the AppArmor section opened. When you start for example firefox and it doesn’t work then You click update profile wizard and you do it till everything works as it’s supposed to. I have no problems at all right now using firefox. And i am quite sure that even if there’s something malicious outside it will only hit my firefox since it’s sandboxed :slight_smile:

The application you create a profile, you just try everything, try changing options, saving files with it, exporting, opening etc.

Yes I know. But I ask myself which of the functions proposed by AppArmour with this method are false positive and/or false negative. Because the program even if it proposes “accept” or “reject” some functions is far from reliable. Some of the rejection will actually make your firefox stuble.

You accept everything, we consider the system not compromised right? You accept it but don’t allow it too much. Never allow for a /** instead use for example /home//.mozilla/.default etc.
There will be more fiddling but you’ll be sure it’s a lot safer than without it. If AppArmor gives you choice to use abstraction then use it. Make an extensive use of * but never too much. Consider some things changeable and if they are then give there a * mark (but only for that folder/file) like when you have profiles created like a random dfdsdfs.default you give instead *.default to make it “portable” for everyone else. Or you can use my profile, it’s made to be portable. Bender.apparmor profile on the AppArmor repository. (beware i hardened 3.5 version but it should work, also i restricted it to save files to two places, Desktop and Downloads folders)