All of lore.kernel.org
 help / color / mirror / Atom feed
* Apparmor netfiter support?
@ 2019-01-07 10:16 Jacek
       [not found] ` <91b5b9f7-bb9a-29d9-bc72-b0077b885726-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
  0 siblings, 1 reply; 2+ messages in thread
From: Jacek @ 2019-01-07 10:16 UTC (permalink / raw)
  To: netfilter-devel-u79uwXL29TY76Z2rM5mHXA; +Cc: apparmor-nLRlyDuq1AZFpShjVBNYrg


[-- Attachment #1.1.1.1: Type: text/plain, Size: 2434 bytes --]

Hi

Apparmor hasn't a Netfilter firewall support module.

Network rules is a good choice for applications that have AA-profiles,
but it does not protect unconfined processes for forbidden network
outgoing connections.

I mean the function of the Security netfiter tables for SElinux, but the
easy way similar to xt_gradm, part of the Grsecurity project:
https://grsecurity.net/stable/grsecurity-2.2.0-iptables.patch

Proposed solution (userspace):
NFtables (next Linux firewall):

nft insert rule ip filter output meta apparmor aapolicy unconfined drop
nft insert rule ip filter output meta apparmor aapolicy enforce accept
nft insert rule ip filter output meta apparmor aapolicy complain log accept

Iptables (current/old Linux firewall):
iptables -I OUTPUT ! -o lo -m apparmor --aapolicy unconfined -j DROP
iptables -A OUTPUT ! -o lo -m apparmor --aapolicy enforce  -j ACCEPT
iptables -A OUTPUT ! -o lo -m apparmor --aapolicy complain  -j LOG
--log-prefix "$PROFILE_NAME - complain: $APP_NAME"
iptables -A OUTPUT ! -o lo -m apparmor --aapolicy complain  -j ACCEPT



Example log from LSM Integrity IMA (Apparmor Variables - enforce)

/audit: type=1800 audit(1546855115.951:3766): pid=12211 uid=0 auid=1001
ses=4 subj==/bin/kmod (enforce) op=appraise_data
cause=IMA-signature-required comm="modprobe"
name="/lib64/modules/4.19.13-gt5/kernel/net/sched/sch_codel.ko"
dev="sdb1" ino=1334797 res=0/

/where:/

Apparmor Profile name & policy:/   //subj==/bin/kmod (enforce) /
Real aplication name:  /comm="modprobe" /

AA-variables - unconfined:

[ 1703.396288] audit: type=1800 audit(1546855383.896:3777): pid=12347
uid=0 auid=1001 ses=4 subj==unconfined op=appraise_data
cause=IMA-signature-required comm="modprobe"
name="/lib64/modules/4.19.13-gt5/kernel/net/sched/sch_codel.ko"
dev="sdb1" ino=1334797 res=0

where:

AA-policy: subj==unconfined

aplication name:    comm="modprobe"

AA-variables - complain:

audit: type=1800 audit(1546855552.256:3785): pid=12402 uid=0 auid=1001
ses=4 subj==/bin/kmod (complain) op=appraise_data
cause=IMA-signature-required comm="insmod" 
name="/lib64/modules/4.19.13-gt5/kernel/net/sched/sch_codel.ko"
dev="sdb1" ino=1334797 res=0

where:

AA - profile & policy:  subj==/bin/kmod (complain)

App name: comm="insmod"

I'm not a programmer, is there any chance of adding a similar module in
Apparmor?

Cheers





[-- Attachment #1.1.1.2: Type: text/html, Size: 3349 bytes --]

[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[-- Attachment #2: Type: text/plain, Size: 138 bytes --]

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: Apparmor netfiter support?
       [not found] ` <91b5b9f7-bb9a-29d9-bc72-b0077b885726-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2019-01-07 16:51   ` John Johansen
  0 siblings, 0 replies; 2+ messages in thread
From: John Johansen @ 2019-01-07 16:51 UTC (permalink / raw)
  To: Jacek, netfilter-devel-u79uwXL29TY76Z2rM5mHXA
  Cc: apparmor-nLRlyDuq1AZFpShjVBNYrg

On 1/7/19 2:16 AM, Jacek wrote:
> Hi
> 
> Apparmor hasn't a Netfilter firewall support module.
> 
> Network rules is a good choice for applications that have AA-profiles,
> but it does not protect unconfined processes for forbidden network
> outgoing connections.
> 
> I mean the function of the Security netfiter tables for SElinux, but the
> easy way similar to xt_gradm, part of the Grsecurity project:
> https://grsecurity.net/stable/grsecurity-2.2.0-iptables.patch
> 
there is work in progress to support secmark (the same mechanism used
by selinux) to apparmor. The base of this work landed in 4.20 and it
is possible to play with it today but it has some limitations.

Currently their is no integration with apparmor policy which means
the label set with the secmark is limited to the label of the task
that created the socket. This works for a lot of applications but
is insufficient for others.

It will also have issues when policy stacking is used in conjunction
with network namespaces (lxd style containers). There are also
problems with LSM stacking which is still in development.

In addition integration into iptables, nftables etc will need some
work.

Long term the goal is to support both secmark and policy based
networking rules. The policy based rules are necessary to be able
to provide customized labels and also to support certain features
not possible through the secmark.


> Proposed solution (userspace):
> NFtables (next Linux firewall):
> 
> nft insert rule ip filter output meta apparmor aapolicy unconfined drop
> nft insert rule ip filter output meta apparmor aapolicy enforce accept
> nft insert rule ip filter output meta apparmor aapolicy complain log accept
> 
> Iptables (current/old Linux firewall):
> iptables -I OUTPUT ! -o lo -m apparmor --aapolicy unconfined -j DROP
> iptables -A OUTPUT ! -o lo -m apparmor --aapolicy enforce  -j ACCEPT
> iptables -A OUTPUT ! -o lo -m apparmor --aapolicy complain  -j LOG
> --log-prefix "$PROFILE_NAME - complain: $APP_NAME"
> iptables -A OUTPUT ! -o lo -m apparmor --aapolicy complain  -j ACCEPT
> 
> 
> 
> Example log from LSM Integrity IMA (Apparmor Variables - enforce)
> 
> /audit: type=1800 audit(1546855115.951:3766): pid=12211 uid=0 auid=1001 ses=4 subj==/bin/kmod (enforce) op=appraise_data cause=IMA-signature-required comm="modprobe" name="/lib64/modules/4.19.13-gt5/kernel/net/sched/sch_codel.ko" dev="sdb1" ino=1334797 res=0/
> 
> /where:/
> 
> Apparmor Profile name & policy:/   //subj==/bin/kmod (enforce) /
> Real aplication name:  /comm="modprobe" /
> 
> AA-variables - unconfined:
> 
> [ 1703.396288] audit: type=1800 audit(1546855383.896:3777): pid=12347 uid=0 auid=1001 ses=4 subj==unconfined op=appraise_data cause=IMA-signature-required comm="modprobe" name="/lib64/modules/4.19.13-gt5/kernel/net/sched/sch_codel.ko" dev="sdb1" ino=1334797 res=0
> 
> where:
> 
> AA-policy: subj==unconfined
> 
> aplication name:    comm="modprobe"
> 
> AA-variables - complain:
> 
> audit: type=1800 audit(1546855552.256:3785): pid=12402 uid=0 auid=1001 ses=4 subj==/bin/kmod (complain) op=appraise_data cause=IMA-signature-required comm="insmod"  name="/lib64/modules/4.19.13-gt5/kernel/net/sched/sch_codel.ko" dev="sdb1" ino=1334797 res=0
> 
> where:
> 
> AA - profile & policy:  subj==/bin/kmod (complain)
> 
> App name: comm="insmod"
> 
> I'm not a programmer, is there any chance of adding a similar module in
> Apparmor?
> 

Currently it is not a module, its a build time configuration so that if the kernel being built supports it and if it is enabled in apparmor's config it is built in to the kernel as part of apparmor.

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-01-07 16:51 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-07 10:16 Apparmor netfiter support? Jacek
     [not found] ` <91b5b9f7-bb9a-29d9-bc72-b0077b885726-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2019-01-07 16:51   ` John Johansen

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.