Ostatní => Tipy a triky pro Linux => Téma založeno: arrange 17 Září 2010, 09:59:43
-
Rád bych otevřel vlákno, kde by mohl každý přispět nějakým zajímavým AA profilem. Důvodem je, že je jich v Ubuntu zoufale málo, a i když existují repozitáře s AA profily (openSUSE), nejsou v Ubuntu přímo použitelné.
Níže uvádím pár profilů, které používám a mám vyzkoušené. Nezaručuji ale ani funkčnost, ani zvýšení bezpečnosti vašeho systému ;) Berte je spíše jako odrazový můstek pro vytváření vlastních.
Všechny profily mají striktně nastavený přístup k souborům v home adresáři - v podstatě je možné se dostat jen ke skrytému adresáři dané aplikace + na plochu (prohlížení obsahu adresářů je ale povoleno).
passwd
# vim:syntax=apparmor
# Last Modified: Sat Jan 6 09:35:33 2007
# ------------------------------------------------------------------
#
# Copyright (C) 2006 Volker Kuhlmann
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# edited
#include <tunables/global>
# Profile for /usr/bin/passwd (password change utility), based on the
# openSUSE profile (Volker Kuhlmann, 2006) and edited. The pwdutils paths
# below are openSUSE-specific; on Ubuntu they presumably do not exist
# (harmless if absent) — TODO confirm against the shadow package.
/usr/bin/passwd {
#include <abstractions/authentication>
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
# Capabilities the setuid binary may keep using while confined:
# chown/fsetid for ownership and mode bits of the rewritten database,
# setuid for privilege changes; sys_resource's purpose is not evident from
# the profile (presumably lifting a resource limit) — TODO confirm.
capability chown,
capability sys_resource,
capability fsetid,
capability setuid,
# Lock file that serialises writers of the password databases.
/etc/.pwd.lock wk,
/etc/pwdutils/logging r,
# The shadow database, its backup and the temporary file it is rebuilt
# through ("?????" matches exactly five non-slash characters). 'l' permits
# hard links, presumably needed for the link-then-rename update — confirm.
/etc/shadow rwl,
/etc/shadow.old rwl,
/etc/shadow.????? rwl,
# The binary maps its own image and may lock it.
/usr/bin/passwd mrk,
/usr/lib/pwdutils/lib*.so* mr,
/usr/lib64/pwdutils/lib*.so* mr,
# cracklib dictionary used for password-strength checks (read-only).
/usr/share/cracklib/pw_dict.hwm r,
/usr/share/cracklib/pw_dict.pwd r,
/usr/share/cracklib/pw_dict.pwi r,
@{PROC}/filesystems r,
/var/run/utmp rk,
# Only locking is granted on /etc/passwd here; read access presumably
# comes from abstractions/nameservice — verify if passwd logs a denial.
/etc/passwd k,
# NOTE(review): /etc/nshadow looks like a temporary file of the shadow
# tools; confirm it is actually used on Ubuntu, otherwise drop the rule.
/etc/nshadow rwk,
}
skype
# Last Modified: Mon Oct 26 13:29:13 2009
# REPOSITORY: http://apparmor.test.opensuse.org/backend/api draglor 53
# Additional profiling based on work by Андрей Калинин, LP: #226624
# edited
#include <tunables/global>
# Profile for Skype, taken from the openSUSE profile repository (see the
# REPOSITORY line above) and edited; also draws on LP: #226624.
/usr/bin/skype {
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/freedesktop.org>
#include <abstractions/gnome>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
#include <abstractions/X>
#include <abstractions/dbus>
# Allow reading directories (a path ending in a slash matches only a
# directory) but not the files inside them, so file dialogs can browse.
/ r,
/**/ r,
# Only needed if the webcam is used: Skype needs access to /dev/video*.
# NOTE(review): 'm' (mmap) on a device node is unusual; 'rw' may be
# enough — confirm with aa-logprof.
/dev/video* mrw,
# Skype must be able to read, map and lock files in its own directories.
/usr/bin/skype mr,
/usr/share/skype/** krm,
/usr/share/skype/sounds/*.wav kr,
# The same applies to its settings in the home directory.
# NOTE(review): no 'owner' qualifier on these home rules, unlike the
# transmission and chromium profiles in this thread — consider adding it.
@{HOME}/.Skype/ rw,
@{HOME}/.Skype/** krw,
# Read and lock any file directly in ~/.config, not only Skype's own.
@{HOME}/.config/* kr,
# Allow access to Downloads in case someone sends a file.
@{HOME}/Downloads/ rw,
@{HOME}/Downloads/** rw,
# v4l1 compatibility shim for the webcam.
/usr/lib/libv4l/v4l1compat.so rm,
@{PROC}/[0-9]*/net/route r,
@{PROC}/filesystems r,
# Broad read of sysfs; device enumeration presumably needs only a subset.
/sys/devices/** r,
# Explicit denies: a deny rule overrides any allow rule, including those
# from the included abstractions, and (without 'audit') stays quiet in the log.
deny @{HOME}/.mozilla/** r,
deny /etc/passwd m,
deny /dev/shm/pulse-shm-[0-9]* m,
deny /usr/share/fonts/** m,
}
transmission
# Bodhi.Zazen's current transmission profile
# Please note this for :
# Ubuntu 10.04
# edited
#include <tunables/global>
# Profile for the Transmission BitTorrent client (Bodhi.Zazen's profile
# for Ubuntu 10.04, edited).
/usr/bin/transmission {
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/dbus>
#include <abstractions/fonts>
#include <abstractions/nameservice>
#include <abstractions/gnome>
# The explicit network rule is commented out; networking presumably still
# works through the network rules inside abstractions/nameservice —
# confirm with aa-logprof if the client cannot connect.
# network inet,
#include <abstractions/private-files>
# Keep the client away from SSH keys, keyrings and GnuPG material.
# 'audit deny' overrides any allow rule and logs every attempt, so the
# log shows whether anything in this process ever reaches for them.
audit deny @{HOME}/.ssh/ mrwkl,
audit deny @{HOME}/.ssh/** mrwkl,
audit deny @{HOME}/.gnome2_private/ mrwkl,
audit deny @{HOME}/.gnome2_private/** mrwkl,
# comment this out if using gpg plugin/addons
audit deny @{HOME}/.gnupg/ mrwkl,
audit deny @{HOME}/.gnupg/** mrwkl,
# Home access is limited to the user's own files ('owner') in the
# client's config directory, Downloads and Desktop.
owner @{HOME}/ r,
# NOTE(review): the next rule is listed twice; the second copy is redundant.
owner @{HOME}/.config/gtk-2.0/** rw,
owner @{HOME}/.config/gtk-2.0/** rw,
owner @{HOME}/.config/transmission/ rw,
# 'k' so the single-instance lock file can be locked.
owner @{HOME}/.config/transmission/lock rwk,
owner @{HOME}/.config/transmission/** rw,
owner @{HOME}/.recently-used** krw,
owner @{HOME}/Downloads/ rw,
owner @{HOME}/Downloads/** rw,
owner @{HOME}/Desktop/** rw,
owner @{HOME}/Desktop/ rw,
owner @{HOME}/.local/share/mime/* r,
@{PROC}/filesystems r,
# '*' matches any pid, i.e. maps/mounts/route of every process that is
# readable under the kernel's normal access checks.
@{PROC}/*/maps r,
@{PROC}/*/mounts r,
@{PROC}/*/net/route r,
@{PROC}/[0-9]*/fd/ r,
# Re-executing itself stays in this profile ('ix' = inherit).
/usr/bin/transmission rix,
/usr/lib/ r,
/usr/local/share/** r,
/usr/share/ r,
/usr/share/** r,
}
thunderbird
# by arrange
#include <tunables/global>
# Profile for Thunderbird 3.0.5 (by arrange). The attachment path and the
# /usr/lib rules are pinned to the "thunderbird-3.0.5" directory, so after a
# version upgrade the profile presumably no longer matches and Thunderbird
# runs unconfined until the paths are updated.
/usr/lib/thunderbird-3.0.5/thunderbird-*bin {
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/cups-client>
#include <abstractions/dbus>
#include <abstractions/fonts>
#include <abstractions/freedesktop.org>
#include <abstractions/gnome>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
#include <abstractions/X>
# for networking
network inet stream,
network inet6 stream,
@{PROC}/[0-9]*/net/if_inet6 r,
@{PROC}/[0-9]*/net/ipv6_route r,
@{PROC}/filesystems r,
/etc/mtab r,
/etc/mime.types r,
/etc/mailcap r,
#include <abstractions/private-files>
# so browsing directories works
/ r,
/**/ r,
# Thunderbird's own profile directory: the user's copy may be written, and
# the per-profile lock and the sqlite databases may be locked.
owner @{HOME}/.thunderbird/** rw,
owner @{HOME}/.thunderbird/*/.parentlock k,
owner @{HOME}/.thunderbird/**/*.sqlite* k,
# NOTE(review): read access to everything under the home directory, for
# any owner, except what abstractions/private-files denies. There is no
# 'audit deny' for ~/.ssh or ~/.gnupg here as in the transmission profile,
# so those files are readable by the confined process.
@{HOME}/** r,
# Desktop is the only place in home writable outside .thunderbird ('w'
# only; reads are covered by the rule above).
owner @{HOME}/Desktop/** w,
/usr/lib/thunderbird-3.0.5/** r,
# NOTE(review): write access to the installation directory and to the
# components/ tree lets the confined process modify code it later loads.
# Presumably one registration/cache file needs it — identify it and narrow
# these two rules to that file.
/usr/lib/thunderbird-3.0.5/* w,
/etc/thunderbird/** r,
/usr/lib/thunderbird-3.0.5/components/** w,
/usr/lib/gamin/** rix,
/usr/share/applications/** r,
/usr/share/mozilla/extensions/** r,
/usr/lib/mozilla/extensions/** r,
# NOTE(review): 'w' on the system-wide spell-check dictionaries; 'r' is
# presumably sufficient — confirm.
/usr/share/myspell/** rw,
/usr/share/hunspell/** rw,
deny /usr/share/mozilla/extensions/** w,
deny /usr/lib/mozilla/extensions/** w,
# for PDFs
# PUx: run under evince's own profile if one is loaded, otherwise
# unconfined; the environment is scrubbed either way.
/usr/bin/evince PUxr,
# Openoffice.org
# Ux: these helpers leave confinement entirely (environment scrubbed).
# Attachments are the untrusted input here, so PUx is preferable for any
# helper that has its own profile.
/usr/bin/ooffice Uxr,
/usr/bin/oocalc Uxr,
/usr/bin/oodraw Uxr,
/usr/bin/ooimpress Uxr,
/usr/bin/oowriter Uxr,
/usr/lib/openoffice/program/soffice Uxr,
# Multimedia
#include <abstractions/ubuntu-media-players>
# Archivers
/usr/bin/file-roller Uxr,
# Text editors
/usr/bin/gedit Uxr,
# image viewer
/usr/bin/viewnior Uxr,
}
Další info:
http://wiki.ubuntu.cz/AppArmor
http://forum.ubuntu.cz/index.php?topic=49293.0
-
Díky moc Arrangere :)
Pomohlo v dalším zabezpečení, značím si a snad nějakými v budoucnu přispěji.
K +
Edit:
Tady jsem našel pár užitečných profilů:
http://bodhizazen.net/aa-profiles/bodhizazen/
http://bodhizazen.net/aa-profiles/jdong/
http://bodhizazen.net/aa-profiles/jgoguen/
http://bodhizazen.net/aa-profiles/movieman/
Mnou upravený profil pro chromium-browser:
usr.lib.chromium-browser.chromium-browser
# Should apply to chromium with minimal modifications
#include <tunables/global>
# Profile for Ubuntu's chromium-browser (edited by the poster). A browser
# renders untrusted web content, so these rules define what a compromised
# renderer or plugin process can still reach.
/usr/lib/chromium-browser/chromium-browser {
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/cups-client>
#include <abstractions/fonts>
#include <abstractions/gnome>
#include <abstractions/nameservice>
#include <abstractions/private-files>
#include <abstractions/user-tmp>
#include <abstractions/X>
# Capabilities
# NOTE(review): a wide set for a browser. sys_admin/sys_chroot/setuid/
# setgid/sys_ptrace are presumably what the setuid sandbox helper under
# /usr/lib/chromium-browser needs — confirm. dac_override deserves the most
# scrutiny: for any process in this profile that actually holds it (e.g. a
# root-running helper before it drops privileges), file permission bits no
# longer stop the writes granted below on /usr/lib/chromium-browser/** and
# /var/tmp/*.
capability chown,
capability dac_override,
capability fsetid,
capability net_raw,
capability setgid,
capability setuid,
capability sys_admin,
capability sys_chroot,
capability sys_ptrace,
# for networking
network inet stream,
network inet6 stream,
@{PROC}/[0-9]*/net/if_inet6 r,
@{PROC}/[0-9]*/net/ipv6_route r,
# sounds
/etc/sound/ r,
/etc/sound/** r,
/etc/wildmidi/wildmidi.cfg r,
# System files
# Shell utilities run with 'ix' (inherit), i.e. under this same profile;
# presumably they are invoked by the chromium-browser wrapper script — confirm.
/bin/dash rix,
/bin/grep rix,
/bin/mkdir rix,
/bin/mktemp rix,
/bin/mv rix,
/bin/ps rix,
/bin/readlink rix,
/bin/sed rix,
/bin/touch rix,
/bin/which rix,
/bin/uname rix,
/etc/chromium-browser/** r,
# NOTE(review): 'm' (mmap) on /etc/passwd is odd for a data file; 'r' is
# presumably sufficient — confirm.
/etc/passwd rm,
/etc/firefox/** r,
/etc/xdg/** r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/shmmax r,
@{PROC}/filesystems r,
@{PROC}/uptime r,
@{PROC}/ r,
@{PROC}/tty/drivers r,
@{PROC}/version r,
# NOTE(review): [0-9]* matches any pid, so auxv/cmdline/environ/maps of
# other processes are readable as far as the kernel's ptrace access check
# allows, and oom_adj of any pid is writable.
@{PROC}/[0-9]*/auxv r,
@{PROC}/[0-9]*/cmdline r,
@{PROC}/[0-9]*/environ r,
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/maps r,
@{PROC}/[0-9]*/oom_adj rw,
@{PROC}/[0-9]*/stat r,
@{PROC}/[0-9]*/status r,
/usr/bin/basename rix,
/usr/bin/gconftool-2 rix,
/usr/bin/cut rix,
/usr/bin/setarch rix,
/usr/bin/wc rix,
/usr/bin/xprop rix,
/usr/bin/xdg-mime rix,
/usr/bin/xdg-open rix,
# The plugin wrapper also inherits this profile rather than getting its own.
/usr/lib/nspluginwrapper/i386/linux/npviewer* rix,
/usr/share/applications/** r,
/usr/share/fonts/ rm,
/usr/share/fonts/** rm,
/usr/share/icons/** rm,
/usr/share/locale-langpack/** rm,
/usr/share/mime/** rm,
/var/cache/fontconfig/ rw,
/var/cache/fontconfig/** rw,
/var/lib/dbus/machine-id r,
/var/lib/flashplugin-installer/*.so rm,
# NOTE(review): 'm' on /var/tmp/* allows mapping files from a world-writable
# directory executable; check whether 'rw' alone works.
/var/tmp/ rw,
/var/tmp/* rwm,
# Chromium specific
/usr/lib/chromium-browser/ r,
# NOTE(review): 'w' on the browser's own installation tree. Every helper in
# it runs 'ix', so all of them share this rule set.
/usr/lib/chromium-browser/** rwkix,
/dev/shm/ rw,
/dev/shm/** rwmk,
# User's home
owner @{HOME}/ r,
owner @{HOME}/.adobe/ rw,
owner @{HOME}/.adobe/** rw,
owner @{HOME}/.cache/chromium/ rw,
owner @{HOME}/.cache/chromium/** rwmk,
owner @{HOME}/.config/chromium/ rw,
owner @{HOME}/.config/chromium/** rwmk,
owner @{HOME}/.config/xfce4/* rw,
owner @{HOME}/.fontconfig/ rw,
owner @{HOME}/.fontconfig/** rwm,
owner @{HOME}/.local/ r,
owner @{HOME}/.local/** r,
owner @{HOME}/.local/share/** rw,
owner @{HOME}/.macromedia/ rw,
owner @{HOME}/.macromedia/Flash_Player/ rw,
owner @{HOME}/.macromedia/Flash_Player/** rw,
# Firefox profile directory: read everywhere, write+lock inside a profile.
# Presumably for the "import from Firefox" feature — confirm; otherwise
# 'r' on .mozilla/** is enough and the rwk rule can go.
owner @{HOME}/.mozilla/ r,
owner @{HOME}/.mozilla/** r,
owner @{HOME}/.mozilla/firefox/*/** rwk,
owner @{HOME}/.pki/ rw,
owner @{HOME}/.pki/** rwk,
# NOTE(review): duplicate of the 'owner @{HOME}/ r,' rule above; harmless.
owner @{HOME}/ r,
owner @{HOME}/Public/ r,
owner @{HOME}/Public/* r,
# Downloads: the directory itself may only be listed; files directly in
# it ('*' does not cross '/') may be written.
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/* rw,
# Deny and log any attempt on SSH keys, keyring and GnuPG material
# (a deny rule overrides allows from the included abstractions).
audit deny @{HOME}/.ssh/** mrwkl,
audit deny @{HOME}/.gnome2_private/** mrwkl,
audit deny @{HOME}/.gnupg/** mrwkl,
}