AppArmor : Create Profiles : aa-genprof2023/07/13 |
|
Create a profile for a program with [aa-genprof] command.
|
|
| [1] | |
| [2] | For example, create a test script and also create a profile for it to run normally. |
|
# create a test script
root@dlp:~# cat > /usr/local/bin/nodejs_test.js <<'EOF'
var http = require('http');
var server = http.createServer(function(req, res) {
res.write("Hello, This is the Node.js Simple Web Server!\n");
res.end();
}).listen(8080);
EOF
root@dlp:~# node /usr/local/bin/nodejs_test.js & [1] 834 root@dlp:~# curl localhost:8080 Hello, This is the Node.js Simple Web Server!
root@dlp:~#
kill 834 # create a profile for it above root@dlp:~# aa-genprof /usr/bin/node
Updating AppArmor profiles in /etc/apparmor.d.
Writing updated profile for /usr/bin/node.
Setting /usr/bin/node to complain mode.
Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles
Profiling: /usr/bin/node
Please start the application to be profiled in
another window and exercise its functionality now.
Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.
For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.
[(S)can system log for AppArmor events] / (F)inish
Setting /usr/bin/node to enforce mode.
# stdout stops here
# it needs to operate all required operations for the target application on another terminal
# to log required operations in a logfile,
# after finishing all required operations, push [f(F)] key to finish,
# then [aa-genprof] finishes
Reloaded AppArmor profiles in enforce mode.
Please consider contributing your new profile!
See the following wiki page for more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles
Finished generating profile for /usr/bin/node.
# for the case with [aa-genprof], target app will be entered in [enforce] mode control root@dlp:~# aa-status apparmor module is loaded. 11 profiles are loaded. 11 profiles are in enforce mode. /usr/bin/man /usr/bin/node /usr/lib/NetworkManager/nm-dhcp-client.action /usr/lib/NetworkManager/nm-dhcp-helper /usr/lib/connman/scripts/dhclient-script ..... ..... # created profile root@dlp:~# cat /etc/apparmor.d/usr.bin.node
# Last Modified: Fri Dec 16 13:37:55 2022
abi <abi/3.0>,
include <tunables/global>
/usr/bin/node {
include <abstractions/base>
/usr/bin/node mr,
}
# start the application # * if all required operations are not learned by logs, some errors occur root@dlp:~# node /usr/local/bin/nodejs_test.js Cannot load externalized builtin: "internal/deps/cjs-module-lexer/lexer:/usr/share/nodejs/cjs-module-lexer/lexer.js". 1: 0x7ff733bf4a98 node::Abort() [/lib/x86_64-linux-gnu/libnode.so.108] 2: 0x7ff733bd54eb [/lib/x86_64-linux-gnu/libnode.so.108] ..... ..... # if target app does not run normally, change it to [complain] mode and operate it again to learn all root@dlp:~# aa-complain /usr/bin/node Setting /usr/bin/node to complain mode. root@dlp:~# node /usr/local/bin/nodejs_test.js & [1] 1165 root@dlp:~# curl localhost:8080 Hello, This is the Node.js Simple Web Server!
root@dlp:~#
kill 1165
# read unauthorized actions in logs # logs are recorded in [/var/log/audit/audit.log] if Auditd is running # if Auditd is not installed, logs are recorded in [/var/log/syslog] root@dlp:~# aa-logprof Updating AppArmor profiles in /etc/apparmor.d. Reading log entries from /var/log/audit/audit.log. Complain-mode changes: Profile: /usr/bin/node Capability: dac_override Severity: 9 [1 - capability dac_override,] (A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish # set policy to the unauthorized action Adding capability dac_override, to profile. Profile: /usr/bin/node Path: /usr/share/nodejs/cjs-module-lexer/lexer.js New Mode: owner r Severity: unknown [1 - owner /usr/share/nodejs/cjs-module-lexer/lexer.js r,] (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish # select all in the same way below Adding owner /usr/share/nodejs/cjs-module-lexer/lexer.js r, to profile. Profile: /usr/bin/node Path: /usr/share/nodejs/cjs-module-lexer/dist/lexer.js New Mode: owner r Severity: unknown [1 - owner /usr/share/nodejs/cjs-module-lexer/dist/lexer.js r,] (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish Adding owner /usr/share/nodejs/cjs-module-lexer/dist/lexer.js r, to profile. ..... ..... = Changed Local Profiles = The following local profiles were changed. Would you like to save them? [1 - /usr/bin/node] (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t Writing updated profile for /usr/bin/node. # back to the [enforce] mode and verify target app runs normally root@dlp:~# aa-enforce /usr/bin/node root@dlp:~# node /usr/local/bin/nodejs_test.js & [1] 1185 root@dlp:~# curl localhost:8080 Hello, This is the Node.js Simple Web Server!
root@dlp:~#
kill 1185
# completed profile for the app root@dlp:~# cat /etc/apparmor.d/usr.bin.node
# Last Modified: Wed Jul 12 22:46:46 2023
abi <abi/3.0>,
include <tunables/global>
/usr/bin/node {
include <abstractions/apache2-common>
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/openssl>
capability dac_override,
/usr/bin/node mr,
owner /dev/ttyS0 rw,
owner /usr/local/bin/nodejs_test.js r,
owner /usr/share/nodejs/acorn-walk/dist/walk.js r,
owner /usr/share/nodejs/acorn/dist/acorn.js r,
owner /usr/share/nodejs/cjs-module-lexer/dist/lexer.js r,
owner /usr/share/nodejs/cjs-module-lexer/lexer.js r,
owner /usr/share/nodejs/undici/undici-fetch.js r,
}
|
| Sponsored Link |