As this person says in the link below, most profiles are Ubuntu based.
https://github.com/cryptofuture/apparmor-profiles
And I've read one should maybe only use Firejail or AppArmor, not both together.
It's a laptop, not a server.
Having it enabled by default is IMHO a very stupid choice.
Update: Having looked at some of these extra profiles, they do seem very out of date: e.g. in the Firefox profile I see references to the latest version being Firefox 4 b8 (2010-11); the location of the Evolution files changed long ago from that in the profiles (local Evolution data moved from ~/.evolution to ~/.local/share/evolution); most of the last-modified dates in the other profiles are no later than 2005-2014. Clearly they have not been maintained.
If you do a default Beowulf install you get a default set of profiles that are known to work, or they may be provided with additional packages/programs you install. I've installed LibreOffice from backports and the Firejail package, which is explicitly provided to create a jail for Firefox. These profiles are the ones you see in my previous AppArmor status reports.
Profiles that are more experimental and not guaranteed to work are provided set to complain mode so they don't break anything, but you can still use/test them and see what AppArmor complains about in the logs.
The Debian package apparmor-profiles provides various experimental AppArmor profiles. It says not to expect them to work out of the box. The package description says "These profiles are not mature enough to be shipped in enforce mode by default on Debian (and hence Devuan). They are shipped in complain mode so that users can test them, choose which are desired, and help improve them upstream if needed". Some even more experimental profiles are included in apparmor-profiles-extra.
Having now installed these optional profile packages, the number applied in enforce or complain does not change because they are not being used. Some relate to programs I don't use on my PC (e.g. pidgin); some are simply not being used at the moment (e.g. ping, avahi-daemon).
Not every program/process has an AppArmor profile. There is one for Thunderbird (as I don't use this I've moved it to /etc/apparmor.d/disable), but there isn't (to my knowledge) one for Evolution, a program I do use and which is running at the moment. Also, some programs (such as ping) may only run momentarily, so you won't be able to see them enforced/complaining in a status report without opening a second xterm and timing it right.
Here's my apparmor status report with the two experimental profile packages installed:
$ sudo service apparmor status
[sudo] password for marjorie:
apparmor module is loaded.
46 profiles are loaded.
28 profiles are in enforce mode.
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince//sanitized_helper
/usr/bin/man
/usr/bin/pidgin
/usr/bin/pidgin//sanitized_helper
/usr/bin/totem
/usr/bin/totem-audio-preview
/usr/bin/totem-video-thumbnailer
/usr/bin/totem//sanitized_helper
/usr/lib/cups/backend/cups-pdf
/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session
/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session//chromium
/usr/sbin/apt-cacher-ng
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/tcpdump
firejail-default
libreoffice-senddoc
libreoffice-soffice//gpg
libreoffice-xpdfimport
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
18 profiles are in complain mode.
/usr/bin/irssi
/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
avahi-daemon
identd
klogd
libreoffice-oopslash
libreoffice-soffice
mdnsd
nmbd
nscd
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
5 processes have profiles defined.
5 processes are in enforce mode.
/usr/sbin/cups-browsed (2141)
/usr/sbin/cupsd (2109)
/usr/lib/cups/notifier/dbus (2110) /usr/sbin/cupsd
/usr/lib/cups/notifier/dbus (2111) /usr/sbin/cupsd
/usr/lib/cups/notifier/dbus (3262) /usr/sbin/cupsd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
I think you haven't understood that profiles are only activated ('defined') for running processes.
I have understood it perfectly. A running basic install typically has over 20 processes in addition to the kernel threads. The fact that only 3 of them are confined is worrying.
Why is LO in complain and not enforce?
If I start up Document Viewer (evince) as process /usr/bin/evince with PID 5440, then AppArmor defines another process and in this case puts it in enforce mode. Only running programs that have profiles have defined/enforced/complain processes, which are then shown with their PID.
Compare this status result with my previous one:
$ sudo service apparmor status
apparmor module is loaded.
23 profiles are loaded.
21 profiles are in enforce mode.
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince//sanitized_helper
/usr/bin/man
/usr/lib/cups/backend/cups-pdf
/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session
/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session//chromium
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/tcpdump
firejail-default
libreoffice-senddoc
libreoffice-soffice//gpg
libreoffice-xpdfimport
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
2 profiles are in complain mode.
libreoffice-oopslash
libreoffice-soffice
5 processes have profiles defined.
5 processes are in enforce mode.
/usr/bin/evince (5440)
/usr/sbin/cups-browsed (2102)
/usr/sbin/cupsd (5368)
/usr/lib/cups/notifier/dbus (5371) /usr/sbin/cupsd
/usr/lib/cups/notifier/dbus (5372) /usr/sbin/cupsd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
Note: I've shut down/restarted overnight, which is why the PIDs have all changed. If I close Evince and open LibreOffice Calc I get:
6 processes have profiles defined.
4 processes are in enforce mode.
/usr/sbin/cups-browsed (2102)
/usr/sbin/cupsd (5368)
/usr/lib/cups/notifier/dbus (5371) /usr/sbin/cupsd
/usr/lib/cups/notifier/dbus (5372) /usr/sbin/cupsd
2 processes are in complain mode.
/usr/lib/libreoffice/program/oosplash (7583) libreoffice-oopslash
/usr/lib/libreoffice/program/soffice.bin (7631) libreoffice-soffice
0 processes are unconfined but have a profile defined.
I have to check what the situation is with Fedora/SELinux.
Anyway, this is my status report in Beowulf. It says there are no processes unconfined that have a profile defined.
$ sudo service apparmor status
apparmor module is loaded.
23 profiles are loaded.
21 profiles are in enforce mode.
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince//sanitized_helper
/usr/bin/man
/usr/lib/cups/backend/cups-pdf
/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session
/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session//chromium
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/tcpdump
firejail-default
libreoffice-senddoc
libreoffice-soffice//gpg
libreoffice-xpdfimport
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
2 profiles are in complain mode.
libreoffice-oopslash
libreoffice-soffice
3 processes have profiles defined.
3 processes are in enforce mode.
/usr/sbin/cups-browsed (2095)
/usr/sbin/cupsd (2065)
/usr/lib/cups/notifier/dbus (3187) /usr/sbin/cupsd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
I never bothered with AppArmor in ASCII but it 'works out of the box' in Beowulf (well, almost: I had to add a line to /etc/apparmor.d/usr.sbin.cupsd for /etc/dnscrypt-proxy/resolv.conf when I symlinked /etc/resolv.conf to it, as it then started to complain).
However I can confirm that in Beowulf /etc/rcS.d/S12apparmor does start before /etc/rcS.d/S13networking, as one can see by looking at /var/log/boot. I doubt if moving it any earlier (before file systems are mounted) would help.
Upgrading to Beowulf will be the best, then. Are there any unconfined processes left?
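The cupsd tweak mentioned in the Beowulf post above (a read rule for the real resolver file once /etc/resolv.conf became a symlink), written out as an added example rather than text from the thread. AppArmor mediates the path the symlink resolves to, so the packaged rule for /etc/resolv.conf no longer covers the file cupsd actually opens. Two assumptions: the packaged /etc/apparmor.d/usr.sbin.cupsd ends with `#include <local/usr.sbin.cupsd>`, as Debian's cups package ships it (check yours before relying on it), and the denial line quoted in the comment is a constructed illustration of the kernel's message format, not a log line from the thread.

```apparmor
# /etc/apparmor.d/local/usr.sbin.cupsd
#
# Local override for the packaged cupsd profile. Keeping the rule here,
# rather than editing /etc/apparmor.d/usr.sbin.cupsd itself, means a cups
# package upgrade cannot silently drop it (assumes the packaged profile
# pulls this file in with "#include <local/usr.sbin.cupsd>").
#
# Symptom before the rule, as the kernel reports it (constructed example
# of the format; the real line also carries an audit timestamp and
# fsuid/ouid fields):
#   apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd"
#   name="/etc/dnscrypt-proxy/resolv.conf" pid=2065 comm="cupsd"
#   requested_mask="r" denied_mask="r"
#
# /etc/resolv.conf is a symlink to the dnscrypt-proxy resolver file, and
# AppArmor checks the resolved target path, so cupsd needs read access
# to the target, not just to /etc/resolv.conf.
/etc/dnscrypt-proxy/resolv.conf r,
```

After saving the file, reload the profile that includes it with `apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd` and re-run the status report; any further refusals show up in dmesg or /var/log/kern.log as lines containing apparmor="DENIED", with the name= field telling you which path still needs a rule.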
However I can confirm that in Beowulf /etc/rcS.d/S12apparmor does start before /etc/rcS.d/S13networking, as one can see by looking at /var/log/boot. I doubt if moving it any earlier (before file systems are mounted) would help.
TARGETS = mountkernfs.sh eudev keyboard-setup.sh mountdevsubfs.sh brltty bootlogd urandom mountall.sh mountall-bootclean.sh hwclock.sh mountnfs.sh mountnfs-bootclean.sh alsa-utils networking checkroot.sh hostname.sh procps checkfs.sh checkroot-bootclean.sh bootmisc.sh kmod espeakup screen-cleanup x11-common stop-bootlogd-single apparmor
How do I make apparmor start first? Apparently that init script is responsible for loading profiles into the kernel and must run before anything else.
I have tried moving S12apparmor symlink to S00apparmor in /etc/rcS.d/ to no avail.
profile dhclient /{usr/,}sbin/dhclient
to
profile /sbin/dhclient
Which results in progress:
0 profiles are in complain mode.
2 processes have profiles defined.
1 processes are in enforce mode.
/usr/sbin/nscd (1899)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
/sbin/dhclient (880)
Glad you managed to get it to work.
See?
Wasn't that hard.
Lack of designated maintainer and all. Cheers,
A.
"work" is too strong of a word given the state of AppArmor on this test VM.
Every package I install, every README and man-page I read, every command I execute and ultimately, every post I add to this thread is a further nail to AppArmor-on-Devuan's coffin.
/usr/share/doc/apparmor-profiles/extras/README contains example commands, of which 2/7 do not exist, 4/7 use invocations of aa-enforce/aa-complain that are not documented in their man pages (but actually do something), and the remaining one is useless to me.
I have dhclient running, and there is a dhclient profile in /usr/share/doc/apparmor-profiles/extras/sbin.dhclient. So I followed instructions in the README by copying (which is bad from a maintenance perspective, not to mention that the profile should probably be part of the isc-whatever-dhclient package in the first place) that profile to /etc/apparmor.d. Then I ran
aa-enforce /etc/apparmor.d/sbin.dhclient
which resulted in
Setting /etc/apparmor.d/sbin.dhclient to enforce mode.
Yay, right? Nope: aa-status now says:
44 profiles are in enforce mode.
/usr/bin/irssi
...
dhclient
..
Notice how dhclient has no /sbin in front of it? The heck?
After n+1th reboot, dhclient is still not confined.
This is also funny:
# aa-enforce /sbin/dhclient
Setting /sbin/dhclient to enforce mode.
ERROR: /etc/apparmor.d/sbin.dhclient contains no profile
(Yes, I've checked: /etc/apparmor.d/sbin.dhclient does define a profile)
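The two dhclient results above (aa-status listing the copied profile as plain "dhclient", and the later report of "1 processes are unconfined but have a profile defined" for /sbin/dhclient (880)), together with the earlier exchange about profiles only being "defined" for running processes, come down to how AppArmor matches a loaded profile to a process. The following Python is an added example, not code from this thread or from the AppArmor project: it re-implements the classification that aa-status prints, including brace expansion of the `/{usr/,}sbin/dhclient` attachment. The profile headers, kernel profile list and process table at the bottom are constructed sample data mirroring the thread; on a live system the same information comes from /etc/apparmor.d, /sys/kernel/security/apparmor/profiles and /proc/<pid>/exe plus /proc/<pid>/attr/current.

```python
"""AppArmor per-process confinement, reproduced offline.

Added example, not code from this thread or from the AppArmor project. It
applies the logic behind aa-status's process report to the three sources a
live system reads: /sys/kernel/security/apparmor/profiles (one "<name> (<mode>)"
per loaded profile), /proc/<pid>/attr/current ("unconfined" or "<name> (<mode>)")
and /proc/<pid>/exe. The sample data at the bottom is constructed.
"""
import re

HEADER_RE = re.compile(
    r"^\s*(?:profile\s+)?(?P<name>\S+)(?:\s+(?P<attach>/\S+))?"
    r"(?:\s+flags=\([^)]*\))?\s*\{")

def parse_header(line):
    """(name, attachment) from a profile's opening line, e.g.
    'profile dhclient /{usr/,}sbin/dhclient {' -> ('dhclient', '/{usr/,}sbin/dhclient').
    A named profile is listed by its name (the plain 'dhclient' that aa-status
    showed) while still attaching to the path that follows the name."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a profile header: %r" % line)
    return m.group("name"), m.group("attach") or m.group("name")

def expand_braces(pattern):
    """AppArmor alternation: '/{usr/,}sbin/x' -> ['/usr/sbin/x', '/sbin/x']."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(head + alt + tail))
    return out

def glob_to_regex(glob):
    """AppArmor path glob to regex: '*' stays inside one component, '**' crosses."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile("^" + out + "$")

def profile_for_exe(exe, attachments):
    """Name of the profile whose attachment matches exe, or None."""
    for name, attach in attachments.items():
        if any(glob_to_regex(p).match(exe) for p in expand_braces(attach)):
            return name
    return None

def parse_loaded(text):
    """Kernel profile list text -> {name: mode}."""
    loaded = {}
    for line in text.splitlines():
        m = re.match(r"^(.+) \((enforce|complain|kill|unconfined)\)$", line.strip())
        if m:
            loaded[m.group(1)] = m.group(2)
    return loaded

def classify(processes, loaded_text, attachments):
    """Bucket {pid: (exe, attr_current)} the way aa-status does.  A process
    whose attr is 'unconfined' but whose exe matches a *loaded* profile is
    'unconfined_with_profile': it was exec'd before the profile was loaded,
    and AppArmor attaches a profile at exec time, never retroactively."""
    loaded = parse_loaded(loaded_text)
    report = {"enforce": [], "complain": [], "unconfined_with_profile": [], "unconfined": []}
    for pid, (exe, current) in sorted(processes.items()):
        if current != "unconfined":
            name, mode = current.rsplit(" (", 1)
            report.setdefault(mode.rstrip(")"), []).append((pid, exe, name))
            continue
        name = profile_for_exe(exe, attachments)
        bucket = "unconfined_with_profile" if name in loaded else "unconfined"
        report[bucket].append((pid, exe, name))
    return report

# Constructed sample data: profile headers, kernel profile list, process table.
SAMPLE_HEADERS = ["/usr/sbin/cupsd {", "/usr/sbin/nscd {",
                  "profile dhclient /{usr/,}sbin/dhclient {",
                  "profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(complain) {"]
ATTACHMENTS = dict(parse_header(h) for h in SAMPLE_HEADERS)
LOADED_PROFILES = ("/usr/sbin/cupsd (enforce)\n/usr/sbin/nscd (enforce)\n"
                   "dhclient (enforce)\nlibreoffice-soffice (complain)\n")
PROCESSES = {  # pid: (/proc/pid/exe, /proc/pid/attr/current)
    880: ("/sbin/dhclient", "unconfined"),                  # exec'd before its profile loaded
    1899: ("/usr/sbin/nscd", "/usr/sbin/nscd (enforce)"),
    2065: ("/usr/sbin/cupsd", "/usr/sbin/cupsd (enforce)"),
    3000: ("/usr/bin/evolution", "unconfined"),             # no profile exists for it
}

if __name__ == "__main__":
    for bucket, entries in classify(PROCESSES, LOADED_PROFILES, ATTACHMENTS).items():
        print(bucket + ":", ", ".join("%s (%d)" % (e, p) for p, e, _ in entries))
```

Two points the sample makes visible. A header of the form `profile dhclient /{usr/,}sbin/dhclient` is reported under its name, "dhclient", yet still attaches to /sbin/dhclient and /usr/sbin/dhclient, so the missing "/sbin" in aa-status is not by itself evidence that the attachment is broken. And a process that was exec'd before its profile was loaded stays unconfined until it is exec'd again, because AppArmor attaches a profile at exec time; that is exactly what "unconfined but have a profile defined" means, and the direct check on a live box is `cat /proc/880/attr/current`. Restarting dhclient after the profile is loaded, or making sure the profile is loaded before networking brings the interface up, is what moves it into the enforce bucket.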
... both apparmor-utils and dh-apparmor.
Right.
... install NSCD and what do you know:
apparmor started to work.
43 profiles are loaded.
43 profiles are in enforce mode.
...
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
/usr/sbin/nscd (3725)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The "0 processes are unconfined ...
... suggests that everything other than nscd does not have a profile at all.
So the problem was not in apparmor but in how you have to configure it.
Right?
Glad you managed to get it to work.
See?
Wasn't that hard.
Lack of designated maintainer and all.
Cheers,
A.
What I just did was install NSCD and what do you know:
43 profiles are loaded.
43 profiles are in enforce mode.
...
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
/usr/sbin/nscd (3725)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
I also just did dpkg-reconfigure apparmor.
The "0 processes are unconfined but have a profile defined." line suggests that everything other than nscd does not have a profile at all. Which means I need to get more profiles somewhere.
And indeed, a short excursion into /etc/apparmor.d reveals that there aren't many profiles present.