AppArmor 3 and Beyond

Transcript

1. John Johansen AppArmor Maintainer [email protected] AppArmor 3 and Beyond Riding

   the Tumbleweed

2. First, lets review

3. RBAC & User Confnement

4. pam_apparmor • Mappings done through policy – Uses “hats” to

   do the mapping – Requires task calling into pam be confned • Roles use policy inheritance – task and all its children confned by the same profle

5. Policy Namespaces

6. Policy Namespaces /usr/sbin/libvirtd (enforce) /usr/sbin/mdnsd (complain) /usr/sbin/ippusbxd (enforce) /usr/sbin/dovecot (complain)

   /usr/lib/snapd/snap-confine (enforce) /usr/lib/telepathy/telepathy-ofono (enforce) /usr/lib/telepathy/telepathy-* (enforce) /usr/lib/telepathy/mission-control-5 (enforce) /usr/sbin/identd (complain) /usr/sbin/cupsd (enforce) /usr/sbin/libvirtd (enforce) /usr/sbin/mdnsd (complain) /usr/sbin/identd (complain) /usr/sbin/cupsd (enforce) firefox (enforce) firefox//sanitized_helper (enforce) firefox//lsb_release (enforce) firefox//browser_openjdk (enforce) firefox//browser_java (enforce) Namespace 1 Namespace 2

7. Policy Namespaces :ns:profle :ns://profle

8. Policy Namespaces - Hierarchical System nscd dnsmasq :ns2: :ns4: :ns1:

   nscd dnsmasq :ns5: :ns3:

9. View System nscd dnsmasq :ns2: :ns4: :ns1: nscd dnsmasq :ns5:

   :ns3:

10. Child NS View System nscd dnsmasq :ns2: :ns4: :ns1: nscd

    dnsmasq :ns5: :ns3:

11. Grand Child NS View System nscd dnsmasq :ns2: :ns4: :ns1:

    nscd dnsmasq :ns5: :ns3:

12. Policy Stacking

13. Stacking frefior//&evince

14. System View System nscd dnsmasq :ns2: :ns4: :ns1: nscd dnsmasq

    :ns5: :ns3: Task

15. Reduced View System nscd dnsmasq :ns2: :ns4: :ns1: nscd dnsmasq

    :ns5: :ns3: Task

16. Further Reduced View System nscd dnsmasq :ns2: :ns4: :ns1: nscd

    dnsmasq :ns5: :ns3: Task

17. AppArmor 3

18. Policy Versioning include <version/3.0> include <tunables/global> # We want to

    confine the binaries that match: # /usr/lib/firefox/firefox # /usr/lib/firefox/firefox # but not: # /usr/lib/firefox/firefox.sh profile firefox /usr/lib/firefox/firefox{,*[^s][^h]} { include <abstractions/audio> include <abstractions/cups-client> include <abstractions/dbus-strict> include <abstractions/dbus-session-strict> ...

19. Policy Versioning - Include $ cat /etc/apparmor.d/version/3.0 feature-abi=<features/upstream-4.18> @{version}=3.0 $

20. Multiple versions • Each profle fle has a version –

    Versions do not have to be the same • Policy in application packaging – Updated out ofi sync firom distro policy – Selectively use fieatures not in distro policy*

21. Versioned policy on older releases? • Versioning will not be

    back ported • Ercept – Backported 2.13, 2.12. 2.11 – Considering 2.10 & 2.9 include if exists <version/3.0> include <tunables/global> profile firefox /usr/lib/firefox/firefox{,*[^s][^h]} { if defined @{version} { include <abstractions/audio>

22. Policy with out Versioning • Will mostly continue to work

    – subset ofi current kernel abi and upstream 4.14 • Compatibility “patches” – Without “unsupported” rules will be downgraded

23. Pre-built policy & RO images

24. Pre 3.0 - Single binary policy Cache bin.ping sbin.klogd sbin.syslogd

    sbin.syslog-ng skype usr.bin.evince usr.bin.firefox usr.bin.pidgin usr.sbin.cupsd usr.sbin.dnsmasq usr.sbin.dovecot ... /etc/apparmor.d/cache

25. Per Kernel binary policy bin.ping sbin.klogd sbin.syslogd sbin.syslog-ng skype usr.bin.evince

    usr.bin.firefox usr.bin.pidgin usr.sbin.cupsd usr.sbin.dnsmasq usr.sbin.dovecot ... bin.ping sbin.klogd sbin.syslogd sbin.syslog-ng skype usr.bin.evince usr.bin.firefox usr.bin.pidgin usr.sbin.cupsd usr.sbin.dnsmasq usr.sbin.dovecot ... bin.ping sbin.klogd sbin.syslogd sbin.syslog-ng skype usr.bin.evince usr.bin.firefox usr.bin.pidgin usr.sbin.cupsd usr.sbin.dnsmasq usr.sbin.dovecot ... $(location)/cache/7f01cf2e.1 $(location)/7f01cf2e.0 $(location)/cache/a035ea11.0

26. Binary policy overlays bin.ping sbin.klogd sbin.syslogd sbin.syslog-ng skype usr.bin.evince usr.bin.firefox

    usr.bin.pidgin usr.sbin.cupsd usr.sbin.dnsmasq usr.sbin.dovecot ... skype usr.bin.evince usr.bin.firefox usr.sbin.cupsd ... $(loc1)/7f01cf2e.0 $(loc2)/7f01cf2e.0 bin.ping sbin.klogd sbin.syslogd sbin.syslog-ng skype usr.bin.evince usr.bin.firefox usr.bin.pidgin usr.sbin.cupsd usr.sbin.dnsmasq usr.sbin.dovecot ... skype usr.bin.evince usr.bin.firefox usr.sbin.cupsd ... $(loc1)/a035ea11.0 $(loc2)/a035ea11.0

27. Policy Overlays bin.ping sbin.klogd sbin.syslogd sbin.syslog-ng skype usr.bin.evince usr.bin.firefox usr.bin.pidgin

    usr.sbin.cupsd usr.sbin.dnsmasq usr.sbin.dovecot ... skype usr.bin.evince usr.bin.firefox usr.sbin.cupsd ... /var/lib/apparmor.d/ /etc/apparmor.d/

28. Support for new upstream features

29. Network • upstream Network socket mediation (4.16) • fne grain

    unir socket mediation (4.19) unix, unix (accept, receive) addr=@foo peer=(label=/bar), unix receive peer=(label=@{profile_name}) unix bind addr=@example, unix (connect, receive, send) type=stream peer=(label=/foo,addr="@bar"),

30. DBus dbus send bus=session path=/com/example/path interface=com.example.Interface member=ExampleMethod peer=(name=(com.example.ExampleName1|com.example.ExampleName2)), dbus bind

    name=com.example.ExampleName, deny dbus bus=system interface=com.example.ExampleInterface, dbus eavesdrop bus=system,

31. IMA interaction profile firefox /usr/lib/firefox/firefox{,*[^s][^h]} { #include <abstractions/audio> #include <abstractions/cups-client>

    #include <abstractions/dbus-strict> #include <abstractions/dbus-session-strict> #include <abstractions/dconf> #include <abstractions/gnome> #include <abstractions/ibus> #include <abstractions/nameservice> #include <abstractions/openssl> #include <abstractions/p11-kit> #include <abstractions/ubuntu-unity7-base> #include <abstractions/ubuntu-unity7-launcher> ...

32. IMA interaction profile firefox /usr/lib/firefox/firefox{,*[^s][^h]} xattrs=(security.ima=bar) { #include <abstractions/audio> #include

    <abstractions/cups-client> #include <abstractions/dbus-strict> #include <abstractions/dbus-session-strict> #include <abstractions/dconf> #include <abstractions/gnome> #include <abstractions/ibus> #include <abstractions/nameservice> #include <abstractions/openssl> #include <abstractions/p11-kit> #include <abstractions/ubuntu-unity7-base> #include <abstractions/ubuntu-unity7-launcher> ...

33. And beyond

34. Systemd integration • Use libapparmor directly • Direct loading ofi

    binary policy • Allows loading policy as early as possible

35. Policy NS – Scope & Views System nscd dnsmasq :ns2:

    :ns4: :ns1: nscd dnsmasq :ns5: :ns3: Task • View • Scope • Admin

36. System nscd dnsmasq :ns2: :ns4: :ns1: nscd dnsmasq :ns5: :ns3:

    Task nscd nscd nscd :ns5:nscd User sees: • View • Scope • Admin

37. System nscd dnsmasq :ns2: :ns4: :ns1: nscd dnsmasq :user_jj: :role:

    Task user admin chrome :chrome: sandbox

38. User confnement revisited • pam_apparmor – confg fle – change_profle

    instead ofi change_hat – doesn’t require total system confnement

39. User confnement revisited profile firefox /usr/lib/firefox/firefox{,*[^s][^h]} user=(jj,cboltz) { #include <abstractions/audio>

    #include <abstractions/cups-client> #include <abstractions/dbus-strict> #include <abstractions/dbus-session-strict> #include <abstractions/dconf> #include <abstractions/gnome> #include <abstractions/ibus> #include <abstractions/nameservice> #include <abstractions/openssl> #include <abstractions/p11-kit> #include <abstractions/ubuntu-unity7-base> #include <abstractions/ubuntu-unity7-launcher> ...

40. Policy Learning – kernel interface • Boot Param to set

    bufer size • Divert complain messages • Allow applications to register to receive messages • Read complain messages directly firom the kernel

41. Fine grain ipv4/ipv6 networking ipv4 bind addr=192.168.1.100#53, ipv4 bind addr=#53,

    ipv4 (connect, send, receive) peer=(addr=192.168.1.200) ipv4 (connect, send) label:=foo peer=(addr=192.168.5) ipv4 (send, receive) label:=foo peer=bar

42. Questions Please https://gitlab.com/apparmor/apparmor John Johansen [email protected] www.canonical.com

43. License This slide deck is licensed under the Creative Commons

    Attribution-ShareAlike 4.0 International license. It can be shared and adapted fior any purpose (even commercially) as long as Attribution is given and any derivative work is distributed under the same license. Details can be fiound at https://creativecommons.org/licenses/by-sa/4.0/ General Disclaimer This document is not to be construed as a promise by any participating organisation to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or fiunctionality, and should not be relied upon in making purchasing decisions. openSUSE makes no representations or warranties with respect to the contents ofi this document, and specifcally disclaims any erpress or implied warranties ofi merchantability or ftness fior any particular purpose. The development, release, and timing ofi fieatures or fiunctionality described fior openSUSE products remains at the sole discretion ofi openSUSE. Further, openSUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notifiy any person or entity ofi such revisions or changes. All openSUSE marks refierenced in this presentation are trademarks or registered trademarks ofi SUSE LLC, in the United States and other countries. All third-party trademarks are the property ofi their respective owners. Credits Template Richard Brown [email protected] Design & Inspiration openSUSE Design Team http://opensuse.github.io/branding- guidelines/