Overview and Recent Developments: Apparmor

AppArmor: Overview and Recent Developments
2018 Linux Security Summit – Europe
Presentation by John Johansen, Canonical (www.canonical.com), October 2018

Now hosted on gitlab

CII Best Practices

Overview

What is AppArmor
A modified Domain Type Enforcement (DTE) + capability system*

AppArmor Design
● Start with a target policy
● Make it easy to confine applications
● Controlled sharing
● Allow sandboxes to be built on top
● Allow confining more than just applications
● The user is the biggest problem
● Try to make it easy to use
● Let tooling do the work
● Get out of the way of admin or any improvements will get turned off
● Unconfined
● Work towards supporting strict confinement

Profile
The following slides walk through a single profile, highlighting one part at a time:
● preamble: include <tunables/global>
● name: firefox
● attachment specification: /usr/lib/firefox/firefox{,*[^s][^h]}
● flags that modify behavior: flags=(complain)
● rule block: everything between { and }
● abstractions: include <abstractions/...>
● class rules: file and dbus rules (allow is the implicit default and may be written out, e.g. allow dbus ...)
● domain transition: allow ixr /usr/bin/basename,

include <tunables/global>
profile firefox /usr/lib/firefox/firefox{,*[^s][^h]} flags=(complain) {
  include <abstractions/audio>
  include <abstractions/cups-client>
  include <abstractions/dbus-strict>
  include <abstractions/dbus-session-strict>
  allow file r /etc/firefox*/,
  allow file r /etc/firefox*/**,
  allow ixr /usr/bin/basename,
  dbus bus=system path="/org/freedesktop/UPower" interface=org.freedesktop.Upower member="{Device,}Changed",
  ...
}

Policy
Three example profiles (shown side by side on the slide):

profile ping /{usr/,}bin/ping {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  capability net_raw,
  capability setuid,
  network inet raw,
  network inet6 raw,
  /{,usr/}bin/ping mixr,
  /etc/modules.conf r,
  ...
}

/sbin/dhclient {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  capability net_bind_service,
  capability net_raw,
  capability dac_override,
  capability net_admin,
  network packet,
  network raw,
  @{PROC}/[0-9]*/net/ r,
  @{PROC}/[0-9]*/net/** r,
  /sbin/dhclient mr,
  ...
}

profile syslogd /{usr/,}sbin/syslogd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/consoles>
  capability sys_tty_config,
  capability dac_override,
  capability dac_read_search,
  capability setuid,
  capability setgid,
  capability syslog,
  /dev/log wl,
  /var/lib/*/dev/log wl,
  ...
}

Handling Pattern matching
[Diagram: the three rules
  /**a** r,
  /**b** w,
  /**c** mr,
are compiled into one DFA. Transitions are labelled with a, b, c, [^a], [^b], [^c] and ?; each state carries the union of the permissions of every rule that can still match (labels such as rA, wB, mC, rAwB, rAmC, wBmC), so a path matching several rules receives all of their permissions.]
Basic Policy Summary
[Diagram: Application, Helper and Intermediary tasks, each running under a label/context; the policy compiler; the Audit and Trusted subsystems; unconfined tasks. Profile fragments shown in the diagram:]

profile Backend {
  allow file rw ...
  allow ipc Intermediary bind service address ...
}
profile Application {
  allow ipc intermediary ent=foo rw,
  ...
}

Policy Namespaces

Namespace 1:
  /usr/sbin/libvirtd (enforce)
  /usr/sbin/mdnsd (complain)
  /usr/sbin/ippusbxd (enforce)
  /usr/sbin/dovecot (complain)
  /usr/lib/snapd/snap-confine (enforce)
  /usr/lib/telepathy/telepathy-ofono (enforce)
  /usr/lib/telepathy/telepathy-* (enforce)
  /usr/lib/telepathy/mission-control-5 (enforce)
  /usr/sbin/identd (complain)
  /usr/sbin/cupsd (enforce)

Namespace 2:
  /usr/sbin/libvirtd (enforce)
  /usr/sbin/mdnsd (complain)
  /usr/sbin/identd (complain)
  /usr/sbin/cupsd (enforce)
  firefox (enforce)
  firefox//sanitized_helper (enforce)
  firefox//lsb_release (enforce)
  firefox//browser_openjdk (enforce)
  firefox//browser_java (enforce)

Naming a profile inside a namespace:
  :ns:profile
  :ns://profile

Policy Namespaces - Hierarchical
[Diagram, reused on the following slides: the System namespace holds nscd and dnsmasq and the child namespaces :ns1:, :ns2:, :ns3:; :ns3: holds its own nscd and dnsmasq and the grandchild namespaces :ns4: and :ns5:.]

Policy Namespace - View
Policy Namespaces – Child NS View
Policy Namespaces – Grand Child NS View
[Same diagram, highlighting in turn the part of the tree visible from the System namespace, from a child namespace, and from a grandchild namespace.]

Policy Stacking & Dynamic Policy

Stacking - System View
Stacking Across Policy NS can Reduce View
Stacking – Further Reduced View
[Same diagram with a Task added; successive slides stack the Task's label across policy namespaces, each stacking step reducing the Task's view.]

Policy NS & Stacking – Scope & View
● View
● Scope
[Same diagram with Task and Admin marked.]

Policy NS & Stacking – Scope & View* - NOT yet available
[Same diagram with an additional nscd in :ns5:. User sees: nscd, :ns5:nscd]

Application and User Defined Policy* - NOT yet available
[Diagram: System (nscd, dnsmasq, Task) with namespaces :ns1:, :ns2:, :role: (nscd, user, dnsmasq, admin), :ns4:, :user_jj: (chrome) and :chrome: (sandbox).]

Stacking – not just across namespaces
[Same namespace diagram; the Task stacks profiles within a single namespace.]

Delegation of Authority* - NOT yet available
[Diagram: Delegated Authority combined with the Targeted Task Profile yields the Delegated Rules. Rules shown: rmPx /usr/bin/evince, px /usr/bin/bug-buddy, file r /etc/firefox*/, file r /etc/firefox*/**, file rw /**, ...]

Stacking – Domain Label
firefox//&evince

Recent Developments

Upstreaming
Everything except af_unix

Upstreaming cont.
● Secids – 4.18
● audit rule filtering (SUBJ_ROLE) – 4.18
● socket mediation – 4.17
● Profile attachment – 4.17
● EVM
● Improved overlapping exec attachment resolution
● nnp subset test

Policy tagged with ABI info
The same ping profile as before, with an abi line added at the top so the policy records which kernel feature set it was written against:

abi=<features/upstream-4.18>
profile ping /{usr/,}bin/ping {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>
  capability net_raw,
  capability setuid,
  network inet raw,
  network inet6 raw,
  file mixr /{,usr/}bin/ping,
  file r /etc/modules.conf,
