[apparmor] Apparmor netfiter support?
Jacek
wampir990 at gmail.com
Mon Jan 7 10:16:13 UTC 2019
Hi
Apparmor hasn't a Netfilter firewall support module.
Network rules is a good choice for applications that have AA-profiles,
but it does not protect unconfined processes for forbidden network
outgoing connections.
I mean the function of the Security netfiter tables for SElinux, but the
easy way similar to xt_gradm, part of the Grsecurity project:
https://grsecurity.net/stable/grsecurity-2.2.0-iptables.patch
Proposed solution (userspace):
NFtables (next Linux firewall):
nft insert rule ip filter output meta apparmor aapolicy unconfined drop
nft insert rule ip filter output meta apparmor aapolicy enforce accept
nft insert rule ip filter output meta apparmor aapolicy complain log accept
Iptables (current/old Linux firewall):
iptables -I OUTPUT ! -o lo -m apparmor --aapolicy unconfined -j DROP
iptables -A OUTPUT ! -o lo -m apparmor --aapolicy enforce -j ACCEPT
iptables -A OUTPUT ! -o lo -m apparmor --aapolicy complain -j LOG
--log-prefix "$PROFILE_NAME - complain: $APP_NAME"
iptables -A OUTPUT ! -o lo -m apparmor --aapolicy complain -j ACCEPT
Example log from LSM Integrity IMA (Apparmor Variables - enforce)
/audit: type=1800 audit(1546855115.951:3766): pid=12211 uid=0 auid=1001
ses=4 subj==/bin/kmod (enforce) op=appraise_data
cause=IMA-signature-required comm="modprobe"
name="/lib64/modules/4.19.13-gt5/kernel/net/sched/sch_codel.ko"
dev="sdb1" ino=1334797 res=0/
/where:/
Apparmor Profile name & policy:/ //subj==/bin/kmod (enforce) /
Real aplication name: /comm="modprobe" /
AA-variables - unconfined:
[ 1703.396288] audit: type=1800 audit(1546855383.896:3777): pid=12347
uid=0 auid=1001 ses=4 subj==unconfined op=appraise_data
cause=IMA-signature-required comm="modprobe"
name="/lib64/modules/4.19.13-gt5/kernel/net/sched/sch_codel.ko"
dev="sdb1" ino=1334797 res=0
where:
AA-policy: subj==unconfined
aplication name: comm="modprobe"
AA-variables - complain:
audit: type=1800 audit(1546855552.256:3785): pid=12402 uid=0 auid=1001
ses=4 subj==/bin/kmod (complain) op=appraise_data
cause=IMA-signature-required comm="insmod"
name="/lib64/modules/4.19.13-gt5/kernel/net/sched/sch_codel.ko"
dev="sdb1" ino=1334797 res=0
where:
AA - profile & policy: subj==/bin/kmod (complain)
App name: comm="insmod"
I'm not a programmer, is there any chance of adding a similar module in
Apparmor?
Cheers
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20190107/fc2e19b0/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20190107/fc2e19b0/attachment.sig>
More information about the AppArmor
mailing list