
AppArmor crash course

Christian Boltz
openSUSE AppArmor maintainer
AppArmor (utils) developer
[email protected]

About me (from #apparmor)

<jjohansen> you are a dev's walking nightmare :)
<sarnold> cboltz: step away from the computer
<sarnold> cboltz: you've created enough work for this week
* jjohansen cries
<jjohansen> cboltz: can you please stop breaking things
<cboltz> jjohansen: I'm just looking at your updated patch for --jobs
<jjohansen> cboltz: what did I do now? :)
<sarnold> that in itself is actually interesting
<sarnold> cboltz touches something and it *doesn't* break

What does AppArmor do?

The answer is simple ;-)
● allow applications to do only what they are supposed to do
● deny everything else
AppArmor profiles are a whitelist.

Why AppArmor?
● Bug-free and secure software would be ideal...
● Programmers can't perform magic...
● so better keep an eye on what they are doing!
  - AppArmor monitors applications at the kernel level

Why AppArmor?
CVE-2017-7494 (“SambaCry”)
Remote code execution from a writable share.
All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
Why AppArmor?
[security-announce] Heads up: todays Samba update
From: Marcus Meissner <[email protected]>
Date: 24.05.2017
We have released Samba updates for all supported Enterprise and openSUSE versions, fixing a remote code execution possibility for authenticated users.
…
There is a workaround in the configuration listed, also some impact can be avoided if the writeable share is "noexec" mounted and/or protected using the generated AppArmor share profiles on newer products.
  - also in Debian Buster - it only took 8 years ;-)

Hands up! ;-)
● Who is using AppArmor?
● Who already created or updated a profile with the aa-* tools?
● Who already edited a profile with vi / $EDITOR?
● Cross-check: Who did not use AppArmor yet?
● Who did disable AppArmor?

Hello world!
● The unavoidable Hello World...
    #!/bin/bash
    echo "Hello World!" > /tmp/hello.txt
    cat /tmp/hello.txt
    rm /tmp/hello.txt
● now I'll create an AppArmor profile for it...
● Caution - hacker!

What does AppArmor do?
Monitor and restrict
● file access
● network access
● capabilities (chown, mknod, setuid, ...) - man 7 capabilities
● rlimit (aka ulimit)
● ...
● in general: restrict permissions
http://turnoff.us/image/en/depressed-developer-54.png CC-by-nc-sa 4.0

What DOESN'T AppArmor do?
● replace traditional file permissions
  - “chmod -R 755 /” is not a good idea
● replace user permissions
  - run as little as possible as root
  - for webservers:
● restrict MySQL database permissions
  - one MySQL user per hosting and task
● validate and/or escape user input

Is my server secure now?
● Security consists of lots of small parts
● AppArmor protects you from lots of (but not all) exploits
● The server is definitely more secure than without AppArmor ;-)

aa-<tab><tab>? The AppArmor tools
aa-status          overview of loaded profiles and their usage
aa-unconfined      overview of protected/confined applications
aa-notify          - desktop notifications
                   - log summaries
aa-complain        switch profile to complain (learning) mode (allow everything, log what would be denied)
aa-enforce         switch profile to enforce mode (deny everything not explicitly allowed and log denials)
aa-disable         disable and unload profile
aa-audit           set or remove audit flag for a profile (log everything)
aa-exec            execute a binary with the specified profile
aa-decode          translate log entries for filenames with special chars to human-readable
aa-logprof         update existing profiles based on logfile
aa-genprof         create a new profile
aa-autodep         create a very basic new profile (better use aa-genprof!)
aa-mergeprof       merge two profiles into one
aa-cleanprof       cleanup profile, sort rules, remove superfluous rules
aa-remove-unknown  unload profiles that don't exist in /etc/apparmor.d
                   - also unloads autogenerated docker/lxc/... profiles
aa-teardown        unload all profiles
                   - <insert rant about “systemctl restart” here>
Both will remove confinement from running processes!

aa-unconfined: check the status
    # aa-unconfined
    1552 /usr/lib/postfix/smtpd confined by '/usr/lib/postfix/smtpd (enforce)'
    2955 /usr/sbin/clamd confined by '/usr/sbin/clamd (enforce)'
    3541 /usr/bin/perl (amavisd (master)) confined by '/usr/sbin/amavisd (complain)'
    3839 /usr/sbin/vsftpd not confined
General rule of thumb: all daemons that are accessible from the internet should be protected
    3839 /usr/sbin/vsftpd not confined
It's time to fix this!
aa-genprof: create a profile
Use two xterms:
● first xterm: aa-genprof /usr/sbin/vsftpd
● second xterm: use the application
Tactics for creating the profile:
● rcvsftpd start / stop - gets the basics and keeps the log small
● use the application
● when finished, you might want to run the profile in complain mode for some time
  - especially when it comes to complex applications
  - use aa-logprof to update the profile

File permissions
r – read
w – write
a – append
l – link
k – lock
m – mmap (for libraries), typically also requires r
ix, Px, Cx, Ux, ... – execute
    /etc/vsftpd.conf r,
    /srv/www/** rwk,

Execute options: inherit (ix)
● run program with the same profile
● for helper applications and shells (cat, grep, rm, bash)
● also useful for rbac style confinement
    /bin/grep ix,

Execute options: child (Cx)
● used for “foo called by bar”
● doesn't confine standalone calls of foo
● for helpers that need more or less permissions than the main application
    /bin/bash Cx,

Execute options: profile (Px)
● separate profile for helpers
● also used if the helper is called standalone
● not a good idea for /bin/bash ;-)
    /usr/bin/mail Px,

Execute options: unconfined (Ux)
● execute helper applications without AppArmor protection
● example: protect sshd, unrestricted shell after login
    /bin/bash Ux,

Execute options
Fallback rules if a profile doesn't exist
● Pix
● PUx
● Cix
● CUx
    /usr/bin/mail PUx,

Execute options
● Cx -> …
● Px -> …
● allows specifying the target profile
● multiple helper applications can use a shared profile
    /bin/ping Px -> ping,
    /usr/bin/* Cx -> helpers,

Execute options
Cleanup the environment?
● In general: yes
  Rules: Cx, Px, Ux (uppercase)
● In exceptional cases keep all environment variables
  Rules: cx, px, ux (lowercase)

Other rules
● link (see also: “l” in file rules)
● set rlimit
● capability – see capabilities(7)
                      upstream in kernel
● ptrace              4.13
● mount               4.14          Ubuntu includes all kernel patches since years.
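To make the file-rule and execute-mode syntax of the last few slides concrete, here is a small rule checker added to these notes (it is not code from the talk and not a tool of the AppArmor project). It parses rules of the shape shown above ("[owner] path perms[ -> target],") and reports what a profile reviewer would look at twice: Ux-style modes that run a helper without protection, lowercase modes that keep the caller's environment, a separate profile (Px) for a shell, m without r, and a rule missing its trailing comma. The sample input is constructed: a profile for the hello script from the earlier slide (using the script path that appears on the audit.log slide) plus a deliberately sloppy vsftpd profile whose first two rules are taken from the slide; capability/network/signal rules and hats are skipped, not modelled.

```python
"""Small AppArmor file-rule checker (added example, not the talk's code).

Understands the rule shape used on the slides:
    [owner] path perms[ -> target],
with perms built from r w a l k m and at most one execute mode (ix, Px, Cx,
Ux, the Pix/PUx/Cix/CUx fallbacks, and the lowercase no-env-cleanup variants).
"""
import re

EXEC_MODES = {"ix", "ux", "Ux", "px", "Px", "cx", "Cx",
              "pix", "Pix", "pux", "PUx", "cix", "Cix", "cux", "CUx"}
FILE_PERMS = set("rwalkm")
SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}
# rule types this checker does not model; they are skipped, not flagged
KEYWORDS = {"include", "capability", "network", "signal", "ptrace", "mount",
            "umount", "pivot_root", "dbus", "unix", "set", "link", "deny",
            "audit", "change_profile"}
RULE_RE = re.compile(
    r'^(?:owner\s+)?(?P<path>"[^"]+"|\S+)\s+(?P<perms>\S+?)'
    r"(?:\s*->\s*(?P<target>\S+))?\s*,$")


def split_perms(perms):
    """'rPUx' -> ({'r'}, 'PUx'); 'rwk' -> ({'r','w','k'}, None); bad -> (None, None)."""
    exec_mode = None
    for mode in sorted(EXEC_MODES, key=len, reverse=True):  # longest first: Pix before ix
        if perms.endswith(mode):
            exec_mode, perms = mode, perms[:-len(mode)]
            break
    if not set(perms) <= FILE_PERMS:
        return None, None
    return set(perms), exec_mode


def check_profile(text):
    """Return [(profile_name, line_no, message)] for rules a reviewer should look at."""
    findings = []
    profile = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line, comment or #include
        if line.endswith("{"):            # profile (or hat) header
            header = line[:-1].split()
            profile = header[1] if header[0] == "profile" else header[0]
            continue
        if line == "}":
            profile = None
            continue
        if profile is None or line.split()[0] in KEYWORDS:
            continue
        if not line.endswith(","):        # apparmor_parser would reject this
            findings.append((profile, no, "rule is missing its trailing comma"))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        path = m.group("path").strip('"')
        perms, exec_mode = split_perms(m.group("perms"))
        if perms is None:
            findings.append((profile, no, f"{path}: unknown permissions {m.group('perms')!r}"))
            continue
        if "m" in perms and "r" not in perms:
            findings.append((profile, no, f"{path}: mmap (m) usually also needs r"))
        if perms & {"w", "a"} and re.fullmatch(r"/\*{1,2}", path):
            findings.append((profile, no, f"{path}: write access to practically the whole filesystem"))
        if exec_mode is None:
            continue
        if "u" in exec_mode.lower():
            findings.append((profile, no, f"{path}: {exec_mode} runs the helper without AppArmor protection"))
        if exec_mode[0] in "pcu":
            findings.append((profile, no, f"{path}: lowercase {exec_mode} keeps the caller's environment"))
        if exec_mode[0] in "pP" and path.rsplit("/", 1)[-1] in SHELLS:
            findings.append((profile, no, f"{path}: a separate profile for a shell is rarely a good idea"))
    return findings


# Constructed sample: a profile for the hello script from the slides, then a
# deliberately sloppy vsftpd profile that trips every check above.
SAMPLE_PROFILE = """\
#include <tunables/global>

/home/cb/apparmor/scripts/hello {
  #include <abstractions/base>
  #include <abstractions/bash>

  /home/cb/apparmor/scripts/hello r,
  /bin/bash rix,
  /bin/cat rix,
  /bin/rm rix,
  owner /tmp/hello.txt rw,
}

/usr/sbin/vsftpd {
  #include <abstractions/base>
  capability net_bind_service,
  /etc/vsftpd.conf r,
  /srv/www/** rwk,
  /bin/bash Px,
  /usr/bin/mail pux,
  /usr/lib/** m,
  /var/log/vsftpd.log w
}
"""

if __name__ == "__main__":
    for prof, no, msg in check_profile(SAMPLE_PROFILE):
        print(f"{prof}:{no}: {msg}")
```

Running it reports nothing for the hello profile and five findings for the vsftpd profile (the Px on /bin/bash, two for pux on /usr/bin/mail, the m-only rule and the rule without a comma). The check is deliberately conservative: it says nothing about rules it does not understand, so a clean run is a hint, not proof, and aa-cleanprof plus a real apparmor_parser run remain the authority.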
● signal              4.14          openSUSE supports network rules since years
● pivot_root          4.14          (even with 2.x userspace).
● network             4.17 + 3.0 userspace
● dbus                5.4 (?) + 3.0 userspace
● unix                5.4 (?) + 3.0 userspace
Details: apparmor.d(5)

ptrace
● Allows a process to trace or being traced by another process
● Must be allowed from both sides
    ptrace trace peer=libvirt-*,

signal
● Allows a process to send or receive signals (“kill”)
● Must be allowed from both sides
    signal send set=(term, kill) peer=/bin/foo,

Named profiles
    /{usr/,}bin/ping {
vs.
    profile ping /{usr/,}bin/ping {
● named profiles make ps Zaux, audit.log, ... easier to read
● allows additional attachments without changing peer profiles

audit.log
● add /var/log/audit/audit.log to logdigest (or let cron mail you the aa-notify summary)
● “translate” the timestamp: date -d @1438886688.987
● DENIED – (blocked) violations of profiles in enforce mode
● AUDIT – logging of audit rules
● ALLOWED – profiles in complain mode

audit.log
    type=AVC msg=audit(1438886688.987:169160): apparmor="ALLOWED" operation="mknod" profile="/home/cb/apparmor/scripts/hello" name="/tmp/hello.txt" pid=13940 comm="hello" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
● One of the events from the “hello world” script
● mknod → create file
● denied_mask="c" (create) → “w” permission needed
● fsuid == ouid → owner restriction can be used for additional security

systemd
    [Service]
    AppArmorProfile=something
Instantiated Services + AppArmor
    $ systemctl edit <unit>@.service
    [Service]
    AppArmorProfile=whatever.%i
    profile whatever.instancename {

Apache mod_apparmor
● global configuration:
    AADefaultHatName default_vhost
  - otherwise AppArmor proposes a hat per file (!)
● per VirtualHost:
    <VirtualHost 1.2.3.4>
    AADefaultHatName vhost_someone
  - restricts each virtual host to itself
● for specific directories:
    <Directory /some/where>
    AAHatName something
  - recommended when using different software (CMS, Forum, …) in a virtual host

Hats?
● Hats are similar to subprofiles
● An application can switch between them (change_hat)
● My typical usecase: Apache with a hat per virtual host
● Syntax inside a profile: ^hatname { ..
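As an added example for the audit.log bullets above (not the talk's code, and not aa-logprof itself, which does this job properly and interactively), the following mini log parser turns AppArmor audit events into candidate rules exactly the way the bullets describe: the mask letters c (create) and d (delete) become w, fsuid == ouid becomes an owner prefix, exec events get a placeholder ix the way the slides use it for cat/grep/rm, and capable events become capability rules; AUDIT events are ignored because they come from audit rules rather than from missing permissions, and the timestamp is converted like date -d @... would. The first sample line is the one on the slide; all other sample lines are constructed.

```python
"""Mini aa-logprof: turn AppArmor audit.log events into candidate rules.
Added example; not the talk's code and not the real aa-logprof.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TIME_RE = re.compile(r"msg=audit\((\d+(?:\.\d+)?):\d+\)")
# audit mask letters -> rule permission letters; create (c) and delete (d) both need w
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "l": "l", "k": "k", "m": "m"}
PERM_ORDER = "rwalkm"


def parse_event(line):
    """Fields of one AppArmor AVC line as a dict (None for non-AppArmor lines).
    The audit timestamp is converted like `date -d @<seconds>` would."""
    if "apparmor=" not in line:
        return None
    ev = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = TIME_RE.search(line)
    if m:
        ev["time"] = datetime.fromtimestamp(float(m.group(1)), tz=timezone.utc)
    return ev


def suggest_rules(lines):
    """Merge ALLOWED/DENIED events per profile and path into rule candidates."""
    perms = defaultdict(lambda: defaultdict(set))  # profile -> path -> permission letters
    same_owner = defaultdict(dict)                 # profile -> path -> every event had fsuid == ouid
    execs = defaultdict(set)                       # profile -> executed paths
    caps = defaultdict(set)                        # profile -> capability names
    for line in lines:
        ev = parse_event(line)
        if not ev or ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue                               # AUDIT events need no new rule
        prof = ev["profile"]
        if ev.get("operation") == "capable":
            caps[prof].add(ev["capname"])
            continue
        path = ev.get("name")
        if not path:
            continue
        mask = ev.get("denied_mask") or ev.get("requested_mask", "")
        if "x" in mask:                            # exec: needs an execute mode, not a letter
            execs[prof].add(path)
            mask = mask.replace("x", "")
        perms[prof][path].update(MASK_TO_PERM[c] for c in mask if c in MASK_TO_PERM)
        owned = "fsuid" in ev and ev["fsuid"] == ev.get("ouid")
        same_owner[prof][path] = same_owner[prof].get(path, True) and owned

    rules = {}
    for prof in sorted(set(perms) | set(execs) | set(caps)):
        out = [f"capability {c}," for c in sorted(caps[prof])]
        for path in sorted(set(perms[prof]) | execs[prof]):
            letters = "".join(c for c in PERM_ORDER if c in perms[prof][path])
            if path in execs[prof]:
                letters += "ix"    # placeholder: inherit, as the slides use for helpers; review it
            prefix = "owner " if same_owner[prof].get(path) else ""
            out.append(f"{prefix}{path} {letters},")
        rules[prof] = out
    return rules


# First line: the event shown on the slide. Remaining lines: constructed to
# complete the hello script's run, plus a DENIED capability, an AUDIT event
# and a non-AppArmor record that must be ignored.
SAMPLE_LOG = """\
type=AVC msg=audit(1438886688.987:169160): apparmor="ALLOWED" operation="mknod" profile="/home/cb/apparmor/scripts/hello" name="/tmp/hello.txt" pid=13940 comm="hello" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1438886688.988:169161): apparmor="ALLOWED" operation="open" profile="/home/cb/apparmor/scripts/hello" name="/tmp/hello.txt" pid=13940 comm="hello" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1438886688.990:169162): apparmor="ALLOWED" operation="exec" profile="/home/cb/apparmor/scripts/hello" name="/bin/cat" pid=13941 comm="hello" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1438886688.991:169163): apparmor="ALLOWED" operation="open" profile="/home/cb/apparmor/scripts/hello" name="/tmp/hello.txt" pid=13941 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1438886688.995:169164): apparmor="ALLOWED" operation="unlink" profile="/home/cb/apparmor/scripts/hello" name="/tmp/hello.txt" pid=13942 comm="rm" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
type=AVC msg=audit(1438886700.100:169170): apparmor="DENIED" operation="capable" profile="/usr/sbin/vsftpd" pid=3839 comm="vsftpd" capability=10 capname="net_bind_service"
type=AVC msg=audit(1438886700.200:169171): apparmor="AUDIT" operation="open" profile="/usr/sbin/vsftpd" name="/etc/vsftpd.conf" pid=3839 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1438886700.300:169172): arch=c000003e syscall=2 success=yes
"""

if __name__ == "__main__":
    for prof, out in suggest_rules(SAMPLE_LOG.splitlines()).items():
        print(f"{prof} {{")
        for rule in out:
            print(f"  {rule}")
        print("}")
```

For the hello profile this yields "/bin/cat ix," and "owner /tmp/hello.txt rw," (create, write, read and delete all collapse into rw, and the owner prefix survives because every event had fsuid == ouid), and for vsftpd a single capability rule; the AUDIT line and the SYSCALL record produce nothing. The exec placeholder is where a human decision belongs, which is exactly the question aa-logprof asks you.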