Begin profiling application behavior either by creating a new profile or modifying an existing one. Let's suppose that an organization wants to implement a policy that restricts the Firefox Web browser's access to a set of known actions. If you create a new profile, AppArmor can be put into learning mode wherein it will collect information about application behaviors and later create a formalized policy later (which can be further improved upon manually).
Start by navigating to the Novell AppArmor entry in the YaST Control Center. Click on "Add Profile Wizard." The first prompt will have an input field for the following information:
Enter the target file name, complete with directory path (/usr/lib/firefox/firefox-bin in this example) and then create a new profile.
Be sure to use /usr/lib/firefox/firefox-bin and verify the binary application target is specified, not the shell script. Although the shell script can also be profiled through AppArmor, it is not the objective
Next, begin exercising Firefox in a typical fashion: open files, play content and so on, then quit. Be sure to give AppArmor application events to observe. Simple actions will do, and only a few of them are sufficient to provide AppArmor with enough activity to make a profile.
Go back in AppArmor and choose the option to scan the system log for AppArmor events. Let AppArmor draw upon the event log to glean insight into Firefox application behavior. In this case, AppArmor identifies access to a few binaries like /usr/bin/aoss and /usr/bin/file is ready for profiling.
Then, for each file or path accessed, a prompt furnishes access rights to be assigned or revoked.
Typical access modes include the following:
- r -- read access
- w -- write access
- px -- discrete profile execution
- ux -- unconfined execution
- ix -- inherit execution
- l -- link access
For each inheritance, configure additional permissions such as access to /dev/tty for /usr/bin/aoss. Editing the profile provides a greater variety of options.
These MAC permissions can be supplemented later with more (or fewer) restrictions, capabilities and inclusions through the Edit Profile Wizard. Three shared libraries and the Firefox binary itself are identified along with their default permissions (r for read access). Files, directories, capabilities, profile includes and even hats -- subprofiles derived from other profiles (see: man changehat) -- can be added, removed and fine-tuned to taste.
In all, the process takes a few minutes from start to finish, which means administrators can quickly return to other tasks. Since AppArmor can also load externally created profiles, profiles need only be created once and may then be copied over to each applicable workstation thereafter.
Justin Korelc is a longtime Linux hacker and system administrator who concentrates on hardware and software security, virtualization and high-performance Linux systems. Ed Tittel is a full-time freelance writer based in Austin, Tex., who specializes in markup languages, information security, networking and IT certification. Justin and Ed have contributed to books on Home Theater PCs and the Linux-based MythTV environment, and they write regularly about Linux for various TomsHardware sites.
This was first published in August 2006