[apparmor] Default policy issue
Pierre Zurek
pierre.zurek at parrot.com
Mon Oct 24 12:11:49 UTC 2016
Hi,
We would like to change the AppArmor profile management we have in
https://github.com/Parrot-Developers/firmwared and switch to a whitelist
strategy, however we encounter some issues.
The attached C program (based on
https://github.com/Parrot-Developers/firmwared/blob/master/src/folders/instances.c)
shows one of those issues. This program can be compiled using the
attached Makefile by simply typing "make".
# Usage:
Suppose you have compiled busybox statically:
git://busybox.net/busybox.git
make menuconfig
LDFLAGS="--static" make
And you put it in the /tmp/aa-chroot/ folder like so:
/tmp/aa-chroot/bin/busybox
/tmp/aa-chroot/sbin/busybox
Now load the provided aa-chroot profile using the following command:
/sbin/apparmor_parser --replace < aa-chroot.profile
Then, as root, run the aa-chroot program:
./aa-chroot /tmp/aa-chroot /sbin/busybox sh
# Issue
What I don't understand is that the profile seems to have a default
allow policy, although I thought deny was the default policy in AppArmor.
Indeed, the "/bin/busybox sh" call gets correctly denied because of the
explicit "audit deny /bin/* lrwxk" rule; however, the "/sbin/busybox sh"
call is successful.
Could you explain to me why the default policy is allow instead of deny,
and how I can change this?
If that can be of any use, please note that I am on Ubuntu Xenial.
Any help would be greatly appreciated.
Thanks in advance,
Pierre Zurek
Attachment: aa-chroot.c (text/x-csrc, 3970 bytes), scrubbed by the list archive:
<https://lists.ubuntu.com/archives/apparmor/attachments/20161024/231c8809/attachment.c>
Attachment: aa-chroot.profile
profile aa-chroot flags=(attach_disconnected,chroot_relative) {
  #{
  # flags=(attach_disconnected,mediate_deleted) {
  # firmwared will load it, with "=%S1%\nprofile %S2% %S3% " prepended,
  # with :
  # S1: the base workspace directory for the instance, containing the ro, rw,
  # union and workdir directories / mountpoints
  # S2: the instance unique name
  # S3: the content of this very file
  signal,
  mount,
  network,
  #capability,
  capability sys_chroot,
  capability sys_admin,
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability kill,
  capability setgid,
  capability setuid,
  capability setpcap,
  capability linux_immutable,
  capability net_bind_service,
  capability net_broadcast,
  capability net_admin,
  capability net_raw,
  capability ipc_lock,
  capability ipc_owner,
  capability sys_module,
  capability sys_rawio,
  capability sys_chroot,
  capability sys_ptrace,
  capability sys_pacct,
  capability sys_admin,
  capability sys_boot,
  capability sys_nice,
  capability sys_resource,
  capability sys_tty_config,
  capability mknod,
  capability lease,
  capability audit_write,
  capability audit_control,
  capability setfcap,
  capability mac_override,
  capability mac_admin,
  capability syslog,
  # A bare "file," rule allows every permission on every path, so no path
  # ever falls through to AppArmor's implicit deny; this is what lets
  # /sbin/busybox execute.
  file,
  #umount,
  # Explicit deny rules take precedence over allow rules, which is why
  # /bin/* is still blocked despite "file," above.
  audit deny /bin/* lrwxk,
}
Attachment: Makefile
all: aa-chroot
aa-chroot: aa-chroot.c
	gcc -o aa-chroot aa-chroot.c -lapparmor
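As an added illustration, not part of the thread and not firmwared's code, the following Python models the path-rule semantics behind the question: a bare `file,` rule is itself a match for every path, so the profile never reaches the implicit default deny, while an explicit deny rule still wins over it. The profile text is an abridged copy of the one posted, and the evaluator is a simplification of AppArmor's real matching (it treats `**` as any string and ignores owner and exec-transition modifiers).

```python
import re

# Abridged from the profile posted in the thread (constructed for this example).
PROFILE = """\
profile aa-chroot flags=(attach_disconnected,chroot_relative) {
  signal,
  mount,
  network,
  capability sys_chroot,
  file,
  audit deny /bin/* lrwxk,
}
"""

# Bare rule keywords that grant a whole class of access; "file," is the one
# that makes this profile behave as if it were allow-by-default.
BROAD = {"file,", "network,", "mount,", "signal,", "capability,"}
RULE_RE = re.compile(r"^(audit\s+)?(deny\s+)?(?:file\s+)?(/\S+)\s+([a-zA-Z]+),$")

def glob_to_regex(pattern):
    """AppArmor path globs: '*' stops at '/', '**' crosses directories."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def parse_file_rules(text):
    """Return (effect, regex, perms, rule_text) for every file rule in the profile."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "file,":  # bare 'file,' is equivalent to '/** rwklmix'
            rules.append(("allow", glob_to_regex("/**"), set("rwklmx"), line))
            continue
        m = RULE_RE.match(line)
        if m:
            _, deny, path, perms = m.groups()
            # ix/Px/Ux/Cx all carry 'x'; keep only the base permission letters
            base = set(perms.lower()) & set("rwklmx")
            rules.append(("deny" if deny else "allow", glob_to_regex(path), base, line))
    return rules

def decide(rules, path, perm):
    """Deny rules win over allow rules; with no matching rule the default is deny."""
    hits = [(e, t) for e, rx, perms, t in rules if rx.match(path) and perm in perms]
    denies = [h for h in hits if h[0] == "deny"]
    return denies[0] if denies else (hits[0] if hits else ("deny", "default (no matching rule)"))

def broad_rules(text):
    """Lint: list bare class-wide allow rules that defeat a whitelist strategy."""
    return [l.strip() for l in text.splitlines() if l.strip() in BROAD]
```

Replacing `file,` with explicit rules such as `/sbin/busybox ix,` is what turns the profile into a whitelist: every path without a matching rule then falls back to the default deny.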