[apparmor] deny and selectively allow in AppArmor?
Christian Boltz
apparmor at cboltz.de
Thu Aug 6 11:19:18 UTC 2020
Hello,
On Thursday, 6 August 2020, Jonas Große Sundrup wrote:
> I would like to generally disallow access to the owner's
> home-directory, but then selectively allow certain paths in it, for
> example firefox may rmwx ~/.mozilla and subfiles/folders and write
> things into my downloads-folder, but should not have
> access to anything else.
>
> So I'd like to do something like
>
> deny owner @{HOME},
> owner @{HOME}/.mozilla rwmx,
> # ... other selective whitelistings
>
> Unfortunately, this doesn't work, because (if I remember
> the documentation correctly) deny-directives are subtracted from the
> allowed set after everything else was applied, so the deny-directive
> above would effectively overwrite the allow-directive.
Correct.
Let me start with a simple question - do you have any rule in your
profile that _allows_ access to the home directory?
If not, you can simply drop the deny rule, because AppArmor denies
everything that isn't explicitly allowed.
> A solution is to explicitly list any paths besides ~/.mozilla for
> deny, but that is quite cumbersome and error-prone if one would like
> to achieve a tight security net as well as creating a very extensive
> profile directory, as every file and directory not allowed has to be
> listed explicitly.
You could do some trickery with regexes. Annoying, but still better than
having to deny each and every file separately. Something like this:
deny owner @{HOME}/, # deny directory listing of the home directory
deny owner @{HOME}/[^.]**, # everything whose name doesn't start with "."
deny owner @{HOME}/.[^m]**, # dotfiles whose 2nd character isn't "m"
deny owner @{HOME}/.m[^o]**,
deny owner @{HOME}/.mo[^z]**,
deny owner @{HOME}/.moz[^i]**,
deny owner @{HOME}/.mozi[^l]**,
deny owner @{HOME}/.mozil[^l]**,
deny owner @{HOME}/.mozill[^a]**, # each rule keeps the prefix matched so far and excludes the next character, so only ".mozilla*" is left undenied
This will become terribly scary and unreadable if you need to handle
more than one exception.
Needless to say, the recommended way is to write your profile in a
way that you don't need deny rules ;-)
As a side note - instead of "deny owner" consider using a plain "deny" -
when denying something, not using "owner" makes the profile more
restrictive.
Regards,
Christian Boltz
--
P.S.: The upcoming version is supposed to combine the best features of
Windows CE, Me and NT into "Windows CEMENT". Now if that doesn't turn
out to be a stable OS. ;-))))) [Ratti in suse-linux]
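The character-class chain from the mail, generalized, as an added example (Python; not code from this thread or from the AppArmor project): it builds the deny chain for any number of allowed prefixes by walking a trie of their names, which is the "more than one exception" case, and also emits a rule for each bare intermediate prefix (a plain file named ".moz" would otherwise slip past a chain of class rules). It then checks the generated rules against a small glob simulator. The simulator's globbing semantics, the home path /home/jonas, the sample paths, and the assumption that the profile already carries a broad @{HOME}/** allow (the only situation in which these deny rules change anything) are all constructed for the example.

```python
"""Generate an AppArmor deny-rule chain that blocks everything under a
directory except a few allowed prefixes, and sanity-check it offline.
Added example, not code from the thread. glob_to_regex() is a simplified,
assumed model of AppArmor globbing, for checking rule sets on paper only."""
import re

END = None  # trie marker: an allowed prefix ends at this node
BROAD_ALLOW = "@{HOME}/**"  # assumed: an included abstraction already grants this

def build_trie(names):
    """Character trie of the allowed prefixes (e.g. ".mozilla/", "Downloads/")."""
    trie = {}
    for name in names:
        node = trie
        for ch in name:
            node = node.setdefault(ch, {})
        node[END] = True
    return trie

def deny_chain(base, exceptions, owner=False):
    """Deny rules for every path under `base` (e.g. "@{HOME}") that does not
    start with one of `exceptions`. For each trie node (prefix p, next chars
    c1..cn) emit "deny base/p," (the bare prefix, e.g. ".moz" as a file) and
    "deny base/p[^c1..cn]**," (everything diverging at the next character);
    the root yields "deny base/," (directory listing) and "deny base/[^..]**,".
    Directories are matched with a trailing "/", so listing an exception
    as ".mozilla/" keeps ".mozillaX" denied."""
    qual = "deny owner " if owner else "deny "
    rules = []
    def walk(node, prefix):
        if END in node:
            return  # full allowed prefix reached: leave everything below it alone
        nxt = "".join(sorted(node))
        if set(nxt) & set("]^-\\"):
            raise ValueError("unescaped class metacharacter in " + nxt)
        rules.append(f"{qual}{base}/{prefix},")
        rules.append(f"{qual}{base}/{prefix}[^{nxt}]**,")
        for ch, child in node.items():
            walk(child, prefix + ch)
    walk(build_trie(exceptions), "")
    return rules

def glob_to_regex(pattern):
    """AppArmor glob -> regex: '**' spans '/', '*' and '?' do not, bracket
    classes map 1:1 (assumed, simplified semantics)."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        elif pattern[i] == "[":
            j = pattern.index("]", i)
            body = pattern[i + 1:j]
            neg = body.startswith("^")
            out += "[" + ("^" if neg else "") + re.escape(body[neg:]) + "]"
            i = j + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def is_denied(deny_rules, path, home="/home/jonas"):
    """True if any deny rule matches `path` (@{HOME} expanded to `home`)."""
    for rule in deny_rules:
        glob = re.sub(r"^deny (owner )?", "", rule).rstrip(",")
        if glob_to_regex(glob.replace("@{HOME}", home)).match(path):
            return True
    return False

def has_access(deny_rules, path, home="/home/jonas"):
    """Final decision in this model: granted by the broad allow and not denied."""
    allowed = glob_to_regex(BROAD_ALLOW.replace("@{HOME}", home)).match(path)
    return bool(allowed) and not is_denied(deny_rules, path, home)

def intended_access(path, exceptions, home="/home/jonas"):
    """The policy we meant: only paths under one of the allowed prefixes."""
    rel = path[len(home) + 1:] if path.startswith(home + "/") else None
    return rel is not None and any(rel.startswith(e) for e in exceptions)

def verify(exceptions, paths, home="/home/jonas"):
    """Sample paths where the chain disagrees with the intended policy
    (empty list: the chain is exact on these samples)."""
    rules = deny_chain("@{HOME}", exceptions)
    return [p for p in paths
            if has_access(rules, p, home) != intended_access(p, exceptions, home)]

EXCEPTIONS = [".mozilla/", "Downloads/"]
SAMPLE_PATHS = [  # constructed sample paths, not taken from any real log
    "/home/jonas/", "/home/jonas/.mozilla/firefox/profiles.ini",
    "/home/jonas/Downloads/", "/home/jonas/Downloads/image.iso",
    "/home/jonas/.bashrc", "/home/jonas/.ssh/id_ed25519",
    "/home/jonas/Documents/notes.txt", "/home/jonas/.mozillaX/evil",
    "/home/jonas/.moz", "/etc/passwd",
]

if __name__ == "__main__":
    print("\n".join(deny_chain("@{HOME}", EXCEPTIONS, owner=True)))
    print("mismatches:", verify(EXCEPTIONS, SAMPLE_PATHS))
```

Running it prints the rule set for the two exceptions and an empty mismatch list. With a single exception the first two rules come out exactly as in the mail ("deny owner @{HOME}/," and "deny owner @{HOME}/[^.]**,"); the ValueError guards against characters such as "]", "^", "-" and "\" landing unescaped inside the class, which a real profile would have to escape. The generated set for two exceptions is already about twenty rules long, which is the readability problem the mail warns about.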