[apparmor] Using apparmor to enforce the network port

John Johansen john.johansen at canonical.com
Thu Sep 15 06:42:34 UTC 2011


On 09/14/2011 10:22 PM, Sherman Boyd wrote:
> Hi,
> 
> I'd like to use apparmor to do some sandboxing for node.js apps.  We want to control what files the app has, make sure the app can't access memory that it shouldn't and make sure the app is running on a specified network port.
> 
> The filesystem stuff seems pretty straightforward.


>  I think the memory level stuff is already taken care of right?
Well that depends on what you mean by memory level.  The mmapping of files is handled by file rules and per process memory limits can be enforced with rlimits.  There are some memory controls that are currently missing.

- The ability to control wx anonymous mappings.  That is enforcing whether an application can even allocate memory that has both write and execute permissions on it simultaneously
- The ability to control group memory at the profile and namespace level.  That is that a team of profiles can only use X memory
  - This can be approximated with rlimits by setting a process limit and memory limit but it's not as flexible

Both of these will come but are not available yet.

>  But I haven't been able to find anything on the network level restrictions.  Is this even something I can do with apparmor? 
> 
Unfortunately the network restrictions are in sad shape at the moment.  There are no network restrictions in the upstream linux kernel version of apparmor.  There is a separate patchset carried by Ubuntu, SUSE, and some of the other distros that provides rudimentary networking.  The networking patch is being rewritten to extend and improve it, and the rewritten version will be upstreamed.

Unfortunately the current network rules cannot control to the port level; they are designed to be extended so they can, but this is something coming in the rewrite.  The network rules have the basic form of

  [audit] [deny] network [<domain>] [<type>],

where [] indicates something that is optional.  If <domain> or <type> are not specified all domains/types are allowed.

<domain> will vary by kernel version but the list is roughly
              'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' |
              'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' |
              'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth'
<type> 'stream' | 'dgram' | 'seqpacket' | 'packet' | 'rdm' | 'raw'

so
  network,   # allow all networking

  network inet,  # allow all inet v4

  network inet6,  # allow all inet v6

  network inet stream,   # allow inet v4 streams (tcp)

  deny network inet dgram,   # don't allow inet udp  (can combine with a broader rule)

the tcp and udp keywords are also accepted

  network inet tcp,  # equiv to (network inet stream,)
  network tcp,  # equiv to (network inet stream, network inet6 stream,)


> BTW I tried dropping by the IRC channel ... is it defunct?
> 
No, it's not defunct but it isn't super active either and it may take some time for someone to notice (yes it can be hours) and there are times when people just aren't around.  If you post a question I would recommend hanging out in the channel for at least a couple of hours to give people a chance to notice and respond.

> 
> Best regards,
> 
> 
> *Sherman Boyd*
> 
> Executor, Armored Infrastructure
> 
>    email: sherman.boyd at armored.io <mailto:sherman.boyd at armored.io>
> 
>     www: armored.io <http://armored.io>
> toll free: +1 (855) 711-7337
>       fax: +1 (855) 712-7337
>   skype: sherman.boyd
>  twitter: @shermanboyd <http://twitter.com/#!/shermanboyd>
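The following profile is an added worked example, not part of the thread above and not code from the AppArmor project. It puts together the three pieces the reply discusses (file rules, rlimits as the available stand-in for memory controls, and the Ubuntu/SUSE-patchset network rules) for a node.js app. The interpreter path /usr/bin/node, the app tree /srv/app and the log directory /var/log/app are assumptions; the rlimit values are illustrative. As the reply states, nothing in these rules can pin the app to a specific port, so the rules only constrain address family and socket type.

```apparmor
# Added example profile (assumed paths); not from the mailing list thread.
#include <tunables/global>

/usr/bin/node {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # File rules: the interpreter itself, a read-only app tree, write-only logs.
  /usr/bin/node            mr,
  /srv/app/**              r,
  /var/log/app/*           w,

  # Memory: rlimits give a per-process ceiling; the wx-mapping and
  # group-memory controls mentioned in the reply are not available here.
  set rlimit as <= 512M,
  set rlimit nproc <= 16,

  # Network: IPv4 and IPv6 TCP only.  UDP and raw sockets are refused
  # explicitly so the denial is audited.  No rule here can name a port.
  network inet stream,
  network inet6 stream,
  deny network inet dgram,
  deny network inet6 dgram,
  deny network inet raw,
  deny network inet6 raw,
}
```

Because `network inet stream,` permits any TCP socket, the app can still bind or connect to any port; the port restriction the original question asks for has to wait for the rewritten network rules. While developing the profile, the denied socket types show up in the kernel audit log as the process hits them, which is the quickest way to confirm that the family/type split is what the application actually needs.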