<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><br>
</p>
<div class="moz-cite-prefix">On 5/27/19 5:11 PM, Ian wrote:<br>
</div>
<blockquote type="cite"
cite="mid:859df47c-6c0d-0be4-4590-6b05ce0fd0a0@zestysoft.com">
<br>
On 5/27/19 12:08 PM, Ian wrote:
<br>
<blockquote type="cite">
<br>
Does apparmor have the same problem as selinux where there are
"security aware" programs that don't properly honor enforcement
settings, or is this an inheritance problem that I'm not
correctly addressing?
<br>
<br>
<br>
<br>
</blockquote>
Adding "attach_disconnected" to the flags parameter of the
init-systemd profile was required to get the system to fully
boot. I assume this was necessary because of the transition from
initramfs, however the "ALLOWED" audit log entries really threw me
there -- that and my ability to run lots of other commands without
issue in that "emergency" mode didn't make this an obvious fix.
<br>
<br>
This initramfs transition is a tricky bit of business -- I assume
I'll want to have a different profile for systemd for the chrooted
system and that when the apparmor service starts, the profile will
get replaced, however I thought that profile changes like this
aren't seen by currently executing processes -- one has to restart
the process for the change to take effect? Then there's the
timing of when journald and auditd start. Ideally I'd like to
keep the full-permission profile I set up in initramfs for
systemd, but then somehow deny any type of inheritance once the
AppArmor service starts.
<br>
<br>
Any advice on how to proceed? -- If it is true that all child
processes will, by default, inherit the permissions from the
init-systemd profile unless I add deny rules -- I'm back at square
one with a blacklist setup.
<br>
<br>
<br>
</blockquote>
<p>Sorry for not replying to one of your responses, John. I didn't
receive the emails, but did read the responses from the web
archive.</p>
<p><br>
</p>
I've made a lot of progress, but am still not quite able to fully
boot into systemd's version of init 3.<br>
/var/log/audit/audit.log and journalctl -r don't show any new
"ALLOWED" entries.<br>
I did notice this in /var/log/syslog:<br>
<blockquote>
<p>May 30 10:46:51 1546-w-dev dbus-daemon[9496]: [system]
Activating systemd to hand-off: service
name='org.freedesktop.hostname1'
unit='dbus-org.freedesktop.hostname1.service' requested by
':1.21' (uid=0 pid=10058 comm="/usr/sbin/NetworkManager
--no-daemon " label="usr.sbin.NetworkManager (complain)"</p>
</blockquote>
<p>Running systemctl by itself shows no failed services, however
there are still two that never get out of "activating:"
</p>
<blockquote>
<p>NetworkManager.service loaded activating start start Network Manager<br>
systemd-logind.service loaded activating start start Login Service</p>
</blockquote>
<p>Here's how I've gotten to where I have:</p>
<p>Running a fresh copy of a minimal install of Ubuntu 18.04.2 LTS
with all the updates. It boots into a GUI, so this isn't as
minimal as CentOS's version... or I did something wrong when
installing it. :)</p>
<p>dpkg-query -W apparmor shows: 2.12-4ubuntu5.1<br>
</p>
<p>This is being run in a VM, and I've attached minicom to the VM's
kernel "console" so that I can see everything that scrolls past
and do things like pause the output after disabling rate
limiting. :)<br>
</p>
In initramfs, I have this one profile:
<blockquote>
<p>profile init-systemd /lib/systemd/systemd flags=(complain
attach_disconnected) {<br>
network,<br>
signal,<br>
file,<br>
mount,<br>
pivot_root,<br>
ptrace,<br>
unix,<br>
dbus,<br>
umount,<br>
capability,<br>
<br>
}<br>
</p>
</blockquote>
<p>This is the version of that profile after the transition:</p>
<blockquote>
<p>profile init-systemd /lib/systemd/** flags=(complain
attach_disconnected) {<br>
capability,<br>
network,<br>
dbus,<br>
mount,<br>
umount,<br>
signal,<br>
ptrace,<br>
pivot_root,<br>
unix,<br>
/** mrwlk,<br>
/** Px,<br>
<br>
}<br>
</p>
</blockquote>
<p>My goal with this is to get the system into a state where I can
then start to whitelist the executables -- to that end I'm hoping
this allows everything except executing things -- to execute, a
separate profile must exist. With this said, I created this file:</p>
<p>local/whitelist</p>
<blockquote>
<p> network,<br>
signal,<br>
file,<br>
mount,<br>
pivot_root,<br>
ptrace,<br>
unix,<br>
dbus,<br>
umount,<br>
capability,<br>
</p>
</blockquote>
<p>and then wrote this little perl script to create stub files for
all the currently-existing executables:</p>
<blockquote>
<p>#!/usr/bin/perl<br>
#<br>
# Create a stub AppArmor profile (complain mode, including local/whitelist)<br>
# for every real executable under /usr/bin that has no profile yet.<br>
<br>
use strict;<br>
use warnings;<br>
<br>
my @markedAsExecutable = `/usr/bin/find /usr/bin/ -executable
-type f`;<br>
my @applications;<br>
<br>
foreach my $potentialExecutable (@markedAsExecutable)<br>
{<br>
chomp($potentialExecutable);<br>
# ask file(1) for the MIME type, passing the path as a separate<br>
# argument so odd characters in a filename never reach a shell<br>
open(my $fileCmd, '-|', '/usr/bin/file', '-i', $potentialExecutable)<br>
or die "cannot run file on $potentialExecutable: $!";<br>
my $isApplicationResult = &lt;$fileCmd&gt;;<br>
close($fileCmd);<br>
# x- MIME types cover ELF binaries and recognised scripts; a shebang<br>
# written as "#! /usr/bin/python3" is reported as plain text instead<br>
if (defined($isApplicationResult) &amp;&amp; $isApplicationResult =~ m/\/x-/)<br>
{<br>
push(@applications, $potentialExecutable);<br>
}<br>
}<br>
<br>
foreach my $application (@applications)<br>
{<br>
my $wlFileName = $application;<br>
# replace slashes with periods<br>
$wlFileName =~ s/\//./g;<br>
# drop leading period if one exists<br>
$wlFileName =~ s/^\.//;<br>
# replace special chars with underscores for apparmor profile names<br>
# (A-Za-z rather than A-z, which also lets '[', '\', ']', '^' and '`' through)<br>
$wlFileName =~ s/[^0-9A-Za-z._]/_/g;<br>
my $profilePath = "/etc/apparmor.d/" . $wlFileName;<br>
if (! -f $profilePath)<br>
{<br>
open(my $fh, '&gt;', $profilePath) or die "cannot write $profilePath: $!";<br>
# the attachment path is quoted; glob characters such as '[' in it<br>
# still have to be escaped by hand<br>
print $fh "profile " . $wlFileName . " \"" .
$application . "\" flags=(complain) {\n";<br>
print $fh "\t#include &lt;local/whitelist&gt;\n";<br>
print $fh "}\n";<br>
close($fh);<br>
}<br>
}<br>
</p>
</blockquote>
Ran as root, this gets me almost all of the way there. There are
binaries that have a '[' in the filename and since that's a reserved
character inside apparmor's profiles, I had to manually edit some of
those profiles. It's likely there are other binaries out there with
additional special character issues -- not sure how I can make this
code deal with those automatically yet, but I could run
apparmor_parser -Q against each of these newly created files and
notify the user about any problems found.<br>
<p>Fun fact, Ubuntu likes to mark files like .png with the
executable file flag.</p>
<p>Fun fact #2: in line 1 of /usr/bin/networkd-dispatcher, there is a
space between the shebang and /usr/bin/python3. This is enough to
fool "file" into thinking that it's a plain text file even though it
still executes. There may be other files like this.</p>
<p>After a number of reboots and log parsing (thank you vmware
snapshots!), I had to edit these files to add
"attach_disconnected" to their flags lists:</p>
<blockquote>lib.systemd.systemd<br>
lib.systemd.systemd_hostnamed<br>
sbin.apparmor_parser<br>
sbin.dhclient<br>
sbin.hdparm<br>
sbin.lvm<br>
sbin.u_d_c_print_pci_ids<br>
usr.bin.unshare<br>
usr.sbin.cups-browsed<br>
usr.sbin.cupsd<br>
usr.sbin.gdm3<br>
usr.sbin.NetworkManager<br>
usr.share.apport.apport<br>
usr.share.gdm.generate_config<br>
</blockquote>
<p>I also disabled some services since they were having trouble and
I didn't need them:</p>
<p>avahi-daemon<br>
wpa_supplicant<br>
ModemManager<br>
thermald<br>
cups-browsed<br>
<br>
</p>
<p>This gets me to a login prompt and I can ssh in.<br>
</p>
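<p>As an added example, not Ian's script and not anything shipped by AppArmor, here is a Python 3 version of the stub generator that deals with the three snags described above. Profile names are reduced to [A-Za-z0-9._] and get a short hash suffix whenever a character had to be replaced, so /usr/bin/[ and /usr/bin/_ do not collide; glob metacharacters in the quoted attachment path are backslash-escaped (an assumption about apparmor_parser's quoting rules, which the apparmor_parser -Q check confirms or rejects per stub before anything is written); and executables are recognised by reading the ELF magic or the shebang line directly, so "#! /usr/bin/python3" is classified as a script rather than plain text. The directory arguments, the script file name and the sample byte strings are constructed for the example.</p>

```python
#!/usr/bin/env python3
"""Stub AppArmor profile generator (added example, not the list's script).

Walks a directory, classifies executables by their first bytes, derives a
safe profile name, quotes and escapes the attachment path, and validates
each stub with `apparmor_parser -Q` when that tool is installed.
"""
import hashlib
import os
import re
import shutil
import subprocess
import sys
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# AppArmor glob metacharacters in path patterns. Assumption: a backslash in
# front of each makes it literal; `apparmor_parser -Q` confirms per stub.
GLOB_META = set("*?[]{}^")
UNSAFE_NAME_CHARS = re.compile(r"[^0-9A-Za-z._]")


def classify_header(head: bytes) -> str:
    """Return 'elf', 'script' or 'other' for the first bytes of a file.

    The kernel's binfmt_script skips blanks after '#!', so a file starting
    with "#! /usr/bin/python3" runs as a script even though file(1) calls
    it text/plain."""
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(b"#!"):
        interpreter = head[2:].split(b"\n", 1)[0].strip()
        if interpreter.startswith(b"/"):
            return "script"
    return "other"


def profile_name_for(path: str) -> str:
    """Map /usr/bin/foo to usr.bin.foo, keeping only [A-Za-z0-9._].

    If any character had to be replaced, append a short hash of the original
    path so that e.g. /usr/bin/[ and /usr/bin/_ get distinct profile names."""
    raw = path.lstrip("/").replace("/", ".")
    safe = UNSAFE_NAME_CHARS.sub("_", raw)
    if safe != raw:
        safe += "." + hashlib.sha256(path.encode()).hexdigest()[:8]
    return safe


def attachment_for(path: str) -> str:
    """Quote the attachment path and backslash-escape glob metacharacters."""
    escaped = "".join("\\" + c if c in GLOB_META else c for c in path)
    return f'"{escaped}"'


def render_stub(path: str, include: str = "local/whitelist") -> str:
    """Render a complain-mode stub profile that only pulls in the whitelist."""
    return (
        f"profile {profile_name_for(path)} {attachment_for(path)} flags=(complain) {{\n"
        f"\t#include <{include}>\n"
        "}\n"
    )


def check_with_parser(profile_text: str) -> tuple:
    """Parse-only check with `apparmor_parser -Q` (no kernel load), if installed."""
    parser = shutil.which("apparmor_parser")
    if parser is None:
        return True, "apparmor_parser not found; syntax check skipped"
    proc = subprocess.run([parser, "-Q"], input=profile_text,
                          text=True, capture_output=True)
    return proc.returncode == 0, proc.stderr.strip()


def generate_stubs(bin_dir: str, profile_dir: str) -> list:
    """Write a stub for every executable ELF/script under bin_dir that has no
    profile yet; returns (binary, profile file) pairs that were written."""
    written = []
    out = Path(profile_dir)
    out.mkdir(parents=True, exist_ok=True)
    for p in sorted(Path(bin_dir).rglob("*")):
        # skip non-files and files that merely carry the executable bit
        # (Ubuntu sets it on some .png files) but are neither ELF nor script
        if not p.is_file() or not os.access(p, os.X_OK):
            continue
        with p.open("rb") as f:
            head = f.read(128)
        if classify_header(head) == "other":
            continue
        target = out / profile_name_for(str(p))
        if target.exists():
            continue
        text = render_stub(str(p))
        ok, msg = check_with_parser(text)
        if not ok:
            print(f"skipping {p}: {msg}", file=sys.stderr)
            continue
        target.write_text(text)
        written.append((str(p), str(target)))
    return written


if __name__ == "__main__":
    # usage: stubgen.py /usr/bin /etc/apparmor.d   (script name is hypothetical)
    for binary, profile in generate_stubs(sys.argv[1], sys.argv[2]):
        print(binary, "->", profile)
```

<p>Pointing it at a scratch profile directory first lets the -Q results be reviewed before anything lands in /etc/apparmor.d; stubs the parser rejects are reported on stderr and left unwritten instead of breaking the next boot.</p>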
</body>
</html>