Debian 12 bookworm

AppArmor : Create Profiles : aa-genprof (2023/07/13)

 
Create a profile for a program with [aa-genprof] command.
[1] Install Auditd or Rsyslog first.
[2] For example, create a test script and also create a profile for it to run normally.
# create a test script

root@dlp:~# cat > /usr/local/bin/nodejs_test.js <<'EOF'
var http = require('http');
var server = http.createServer(function(req, res) {
  res.write("Hello, This is the Node.js Simple Web Server!\n");
  res.end();
}).listen(8080);
EOF
root@dlp:~#
node /usr/local/bin/nodejs_test.js &

[1] 834
root@dlp:~#
curl localhost:8080

Hello, This is the Node.js Simple Web Server!
root@dlp:~#
kill 834

# create a profile for it above

root@dlp:~#
aa-genprof /usr/bin/node

Updating AppArmor profiles in /etc/apparmor.d.
Writing updated profile for /usr/bin/node.
Setting /usr/bin/node to complain mode.

Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles

Profiling: /usr/bin/node

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

[(S)can system log for AppArmor events] / (F)inish
Setting /usr/bin/node to enforce mode.
# stdout stops here
# on another terminal, perform every operation the target application needs,
# so that those operations are recorded in the log file,
# then, after all required operations are done, press the [F] key to finish,
# and [aa-genprof] completes

Reloaded AppArmor profiles in enforce mode.

Please consider contributing your new profile!
See the following wiki page for more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles

Finished generating profile for /usr/bin/node.

# with [aa-genprof], the target application is put under [enforce] mode when profiling finishes

root@dlp:~#
aa-status

apparmor module is loaded.
11 profiles are loaded.
11 profiles are in enforce mode.
   /usr/bin/man
   /usr/bin/node
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
.....
.....

# created profile

root@dlp:~#
cat /etc/apparmor.d/usr.bin.node

# Last Modified: Fri Dec 16 13:37:55 2022
abi <abi/3.0>,

include <tunables/global>

/usr/bin/node {
  include <abstractions/base>

  /usr/bin/node mr,

}

# start the application
# * if some required operations were not learned from the logs, errors like the following occur

root@dlp:~#
node /usr/local/bin/nodejs_test.js

Cannot load externalized builtin: "internal/deps/cjs-module-lexer/lexer:/usr/share/nodejs/cjs-module-lexer/lexer.js".
 1: 0x7ff733bf4a98 node::Abort() [/lib/x86_64-linux-gnu/libnode.so.108]
 2: 0x7ff733bd54eb  [/lib/x86_64-linux-gnu/libnode.so.108]
.....
.....

# if the target application does not run normally, switch it to [complain] mode and exercise it again so that all required operations are learned

root@dlp:~#
aa-complain /usr/bin/node

Setting /usr/bin/node to complain mode.
root@dlp:~#
node /usr/local/bin/nodejs_test.js &

[1] 1165
root@dlp:~#
curl localhost:8080

Hello, This is the Node.js Simple Web Server!
root@dlp:~#
kill 1165
# review the unauthorized actions recorded in the logs
# logs are recorded in [/var/log/audit/audit.log] if Auditd is running
# if Auditd is not installed, logs are recorded in [/var/log/syslog]

root@dlp:~#
aa-logprof

Updating AppArmor profiles in /etc/apparmor.d.
Reading log entries from /var/log/audit/audit.log.
Complain-mode changes:

Profile:    /usr/bin/node
Capability: dac_override
Severity:   9

 [1 - capability dac_override,]
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
# set a policy for the unauthorized action
Adding capability dac_override, to profile.

Profile:  /usr/bin/node
Path:     /usr/share/nodejs/cjs-module-lexer/lexer.js
New Mode: owner r
Severity: unknown

 [1 - owner /usr/share/nodejs/cjs-module-lexer/lexer.js r,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
# answer each of the following items in the same way
Adding owner /usr/share/nodejs/cjs-module-lexer/lexer.js r, to profile.

Profile:  /usr/bin/node
Path:     /usr/share/nodejs/cjs-module-lexer/dist/lexer.js
New Mode: owner r
Severity: unknown

 [1 - owner /usr/share/nodejs/cjs-module-lexer/dist/lexer.js r,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
Adding owner /usr/share/nodejs/cjs-module-lexer/dist/lexer.js r, to profile.

.....
.....

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - /usr/bin/node]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
Writing updated profile for /usr/bin/node.
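The events that [aa-logprof] reads above can also be inspected directly, which helps when deciding whether a requested access is legitimate before allowing it. The following shell script is an added example and is not part of this page or of the AppArmor tools: it picks the log file as described above ([/var/log/audit/audit.log] when Auditd runs, [/var/log/syslog] otherwise) and groups audit lines per profile, operation and target, much like aa-logprof presents them. The sample log lines are constructed for the example; the field names (apparmor=, operation=, profile=, name=, capname=, requested_mask=) are the ones AppArmor emits, while the summary layout is this example's own.

```shell
#!/bin/sh
# Added example: summarise AppArmor audit events the way aa-logprof groups them.
# Complain mode logs apparmor="ALLOWED" (would have been denied in enforce mode),
# enforce mode logs apparmor="DENIED".

# Constructed sample lines in the format auditd writes to /var/log/audit/audit.log
SAMPLE_LOG='type=AVC msg=audit(1689207954.123:456): apparmor="ALLOWED" operation="capable" profile="/usr/bin/node" pid=1165 comm="node" capability=1  capname="dac_override"
type=AVC msg=audit(1689207954.130:457): apparmor="ALLOWED" operation="open" profile="/usr/bin/node" name="/usr/share/nodejs/cjs-module-lexer/lexer.js" pid=1165 comm="node" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1689207954.131:458): apparmor="ALLOWED" operation="open" profile="/usr/bin/node" name="/usr/share/nodejs/cjs-module-lexer/lexer.js" pid=1165 comm="node" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1689207990.000:459): apparmor="DENIED" operation="open" profile="/usr/bin/node" name="/tmp/node.log" pid=1185 comm="node" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=SYSCALL msg=audit(1689207954.123:456): arch=c000003e syscall=257 success=yes exit=3'

# apparmor_log_file: print the log file that aa-logprof would read on this host
apparmor_log_file() {
    if [ -r /var/log/audit/audit.log ]; then
        printf '%s\n' /var/log/audit/audit.log
    else
        printf '%s\n' /var/log/syslog
    fi
}

# summarize_events: read audit lines on stdin and print one line per distinct event:
#   STATUS PROFILE OPERATION TARGET MASK COUNT
# Capability events carry no name=, so their target becomes "capability:<capname>".
# The match on apparmor="..." also works for the kernel lines found in syslog.
summarize_events() {
    awk '
    /apparmor="(ALLOWED|DENIED)"/ {
        split("", f)
        line = $0
        # collect every key="value" pair on the line into f[key]
        while (match(line, /[a-z_]+="[^"]*"/)) {
            kv = substr(line, RSTART, RLENGTH)
            eq = index(kv, "=")
            f[substr(kv, 1, eq - 1)] = substr(kv, eq + 2, length(kv) - eq - 2)
            line = substr(line, RSTART + RLENGTH)
        }
        if ("name" in f) target = f["name"]
        else if ("capname" in f) target = "capability:" f["capname"]
        else target = "?"
        mask = ("requested_mask" in f) ? f["requested_mask"] : "-"
        count[f["apparmor"] " " f["profile"] " " f["operation"] " " target " " mask]++
    }
    END { for (k in count) print k " " count[k] }' | sort
}

# Run against the constructed sample; on a real host use:  summarize_events < "$(apparmor_log_file)"
printf '%s\n' "$SAMPLE_LOG" | summarize_events
```

Repeated identical events collapse into one line with a count, so a profile that touches the same file hundreds of times shows up once; an entry with a write mask or a capability stands out immediately and can be checked against what the application is actually supposed to do before it is allowed in aa-logprof.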

# switch back to [enforce] mode and verify the target application runs normally

root@dlp:~#
aa-enforce /usr/bin/node

root@dlp:~#
node /usr/local/bin/nodejs_test.js &

[1] 1185
root@dlp:~#
curl localhost:8080

Hello, This is the Node.js Simple Web Server!
root@dlp:~#
kill 1185
# the completed profile for the application

root@dlp:~#
cat /etc/apparmor.d/usr.bin.node

# Last Modified: Wed Jul 12 22:46:46 2023
abi <abi/3.0>,

include <tunables/global>

/usr/bin/node {
  include <abstractions/apache2-common>
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/openssl>

  capability dac_override,

  /usr/bin/node mr,
  owner /dev/ttyS0 rw,
  owner /usr/local/bin/nodejs_test.js r,
  owner /usr/share/nodejs/acorn-walk/dist/walk.js r,
  owner /usr/share/nodejs/acorn/dist/acorn.js r,
  owner /usr/share/nodejs/cjs-module-lexer/dist/lexer.js r,
  owner /usr/share/nodejs/cjs-module-lexer/lexer.js r,
  owner /usr/share/nodejs/undici/undici-fetch.js r,

}
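Because aa-logprof offers to allow whatever the application asked for, the resulting profile is only as tight as the answers given; the dac_override capability above, for example, was reported with severity 9 during the aa-logprof session. The following shell script is an added example, not part of this page or of AppArmor, that flags rules in a generated profile worth a second look before it stays in enforce mode: capability rules, rules granting write or append permission, unconfined exec rules (ux/Ux) and recursive /** globs. The embedded sample is the completed profile from this page with one extra, constructed rule (/tmp/** rw,) added purely to exercise the glob check; it is not in the page's profile. The optional syntax check relies on apparmor_parser's --skip-kernel-load option.

```shell
#!/bin/sh
# Added example: flag rules in a generated AppArmor profile that deserve review
# before the profile is left in enforce mode.

# Constructed sample: the completed profile from this page plus one extra
# demonstration rule (/tmp/** rw) that is NOT part of the page's profile
PROFILE_TEXT='# Last Modified: Wed Jul 12 22:46:46 2023
abi <abi/3.0>,

include <tunables/global>

/usr/bin/node {
  include <abstractions/apache2-common>
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/openssl>

  capability dac_override,

  /usr/bin/node mr,
  owner /dev/ttyS0 rw,
  owner /usr/local/bin/nodejs_test.js r,
  owner /usr/share/nodejs/cjs-module-lexer/lexer.js r,
  /tmp/** rw,

}'

# review_profile FILE: print one finding per line as "CLASS: RULE".
#   capability      - grants a kernel capability (dac_override bypasses file permission checks)
#   write           - a path rule granting w (write) or a (append)
#   unconfined-exec - ux/Ux rules run a child process without any confinement
#   recursive-glob  - /** matches an entire directory subtree
review_profile() {
    awk '
    # strip leading whitespace and the trailing comma of each rule
    { rule = $0; sub(/^[[:space:]]+/, "", rule); sub(/,[[:space:]]*$/, "", rule) }
    rule == "" || rule ~ /^#/ || rule ~ /[{}]$/ { next }
    rule ~ /^capability/ { print "capability: " rule; next }
    # path rules: optional "owner" prefix, a path, then the permission string
    rule ~ /^(owner[[:space:]]+)?\// {
        body = rule; sub(/^owner[[:space:]]+/, "", body)
        path = body; sub(/[[:space:]]+[^[:space:]]+$/, "", path)
        perms = body; sub(/^.*[[:space:]]+/, "", perms)
        if (perms ~ /[Uu]x/) print "unconfined-exec: " rule
        else if (perms ~ /[wa]/) print "write: " rule
        if (path ~ /\*\*/) print "recursive-glob: " rule
    }' "$1"
}

# check_syntax FILE: have apparmor_parser parse the profile without loading it into the kernel;
# returns 2 when apparmor_parser is not installed on this host
check_syntax() {
    if command -v apparmor_parser >/dev/null 2>&1; then
        apparmor_parser --skip-kernel-load "$1"
    else
        echo "apparmor_parser not found, syntax check skipped" >&2
        return 2
    fi
}

# Stand-alone run against the constructed sample; on a real host pass /etc/apparmor.d/usr.bin.node
tmp=$(mktemp)
printf '%s\n' "$PROFILE_TEXT" > "$tmp"
review_profile "$tmp"
rm -f "$tmp"
```

On the page's own profile the script reports the dac_override capability and the read-write rule on /dev/ttyS0; each such finding is a question to answer about the application rather than an error in the profile, and once the answers are settled the profile can be checked with check_syntax and reloaded with aa-enforce as shown above.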