Creating a New Profile

In YaST, you'll find a dedicated menu option to manage AppArmor. Before you click the Add Profile Wizard icon on this menu, make sure the application you want to create the profile for is not currently active. Once you have disabled the application, use the following steps to create a profile for it. In these steps, you will learn how to create a profile for the Mozilla Firefox browser. I prefer covering Firefox, because profiles for most server applications are present by default. Also, many administrators use Firefox on their servers, and a misconfigured browser is a major source of infections on a server.

1. From YaST, select Novell AppArmor > Add Profile Wizard. This opens the screen shown in Figure 32-1. On this screen, enter the name of the application for which you want to create the profile. You can enter a complete application name or just the name of the application you want to start. In the latter case, AppArmor will check the search path to find out where the application is installed. So to create a profile for Firefox, it suffices just to enter firefox on this screen. Then click Create to continue.

Figure 32-1. To create a profile for an application, enter the name of the application, and then click Create to continue.

2. You now see the start screen of the AppArmor Profile Wizard (see Figure 32-2). On this screen, you should also see the complete name of the application for which you are creating the profile. Double-check that you entered the correct name. Then start the application and perform all the tasks you usually do with your application. In the case of a web browser, make sure you access some complicated web pages, preferably some web pages that have active content. Also make sure you load and save some files from the File menu. It is important at this stage that the profiling program can get as complete an impression of what the application usually does as possible. During this learning phase of the process, a log file is created where all the activity of the application is logged. You can find this log in the file /var/log/audit/audit.log.

Figure 32-2. When you see this screen, it is time to start using your application so AppArmor can analyze what exactly it is doing.

3. Once you have done everything that is needed with your application, on the screen shown in Figure 32-2, click Scan System Log for AppArmor Events. This will display a dialog box for each event that was found. Three different types of dialog boxes can appear: one for program settings, one for capability settings, and one for file access. In Figure 32-3, you see the screen that pops up if a program file was accessed. On this screen, you need to specify what exactly you want to do for that program. You can choose from four different options:

• Inherit: Choose this to let the resource inherit the current program. Use this option for programs that are started by the parent program, which really are part of the parent program and should be treated as such. It makes sure that subprocesses started by a program can all run. In most situations, this is the best choice.

• Profile: Use this if you want to create a separate profile for a program that is started from the parent program. This is a good choice for more important programs that can also run as independent programs.

• Unconfined: This option specifies that no profile should be used for this program. Only use this option if nothing else works; it completely disables AppArmor security settings for the selected program.

• Deny: Click this if you want to disallow execution of the selected program. Be aware that choosing this option will limit the usability of the program.

Figure 32-3. For each program that was started by your application, you can indicate how you want AppArmor to handle the program.

4. If you want to specify how to handle the use of one of the POSIX capabilities, the screen shown in Figure 32-4 appears. On this screen, you can indicate whether you want to allow or disallow the use of that capability. Be aware that if you disallow a capability, your application will probably not be able to do its work at all. If you want to check what exactly a certain capability does, see man 7 capabilities.

5. Again, you'll see a different screen when a file has been accessed (see Figure 32-5). To specify what your application can do with a file, make a choice from the following buttons:

• Allow: This gives the program access to the specified file or directory.

• Deny: This denies the program access to the specified file or directory.

• Glob: If you click the Glob button once, the name of the file is replaced by an asterisk (*), thus referring to all the files in the directory, but not in subdirectories. If you click the Glob button a second time, the name of the file is replaced by **, which refers to all the files in the directory where your file is, including all of its subdirectories. Each further time you click Glob, the utility walks up one level in the directory tree, thus including the parent directory of the currently selected directory as well.

• Glob w/Ext: This option is like globbing, but it keeps the extension of the selected file. So if the name of your file is blah.txt, clicking Glob w/Ext once will make sure that access is allowed to all files with the extension .txt, and clicking Glob w/Ext a second time will do the same for all of its subdirectories.

• Edit: Use this option to edit the highlighted filename by hand.

6. After specifying, for each file, capability, and program, what your application is allowed to do, click the Finish button. This exits the AppArmor Profile Wizard and writes the configuration to your system. Make sure your application is restarted now so that it runs under the new profile.

Figure 32-5. One of the most powerful options with regard to file access is globbing. With this you can allow access to complete directory structures as well.
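As an added example (not code from the book or from the AppArmor project), here is a small Python re-implementation of what the Scan System Log for AppArmor Events step does, so you can see how the answers you give in the dialogs of steps 3, 4 and 5 (Inherit/Profile/Unconfined/Deny for programs, Allow/Deny for capabilities, Allow/Deny/Glob/Glob w/Ext for files) end up as rules in the profile. The log lines are constructed samples in a simplified audit.log format, and the paths, choice dictionaries and function names are assumptions made for illustration.

```python
import re

# Constructed sample events in the style of /var/log/audit/audit.log
# (simplified: real lines carry more fields). Not real log data.
SAMPLE_LOG = """\
type=AVC msg=audit(1300000000.001:10): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/home/ann/.mozilla/firefox/prefs.js" pid=1234 comm="firefox" requested_mask="rw" denied_mask="rw"
type=AVC msg=audit(1300000000.002:11): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/home/ann/Downloads/report.pdf" pid=1234 comm="firefox" requested_mask="w" denied_mask="w"
type=AVC msg=audit(1300000000.003:12): apparmor="ALLOWED" operation="exec" profile="/usr/bin/firefox" name="/usr/lib/firefox/plugin-container" pid=1235 comm="firefox" requested_mask="x" denied_mask="x"
type=AVC msg=audit(1300000000.004:13): apparmor="ALLOWED" operation="capable" profile="/usr/bin/firefox" pid=1234 comm="firefox" capability=21 capname="sys_admin"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Wizard answer for a program -> AppArmor execute mode in the profile.
# Deny has no mode: it becomes an explicit deny rule.
EXEC_MODES = {"Inherit": "ix", "Profile": "px", "Unconfined": "ux", "Deny": None}


def parse_event(line):
    """Turn one audit line into a dict of its key=value fields, or None
    if it is not an AppArmor AVC event."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("type") != "AVC" or "apparmor" not in fields:
        return None
    return fields


def glob_path(path, clicks, keep_ext=False):
    """Mimic the wizard's Glob / Glob w/Ext button pressed `clicks` times:
    1  -> /dir/*   (files in the directory, not in subdirectories)
    2  -> /dir/**  (the directory and all of its subdirectories)
    3+ -> walk up one directory level per further click, keeping **.
    With keep_ext the file's extension is kept on the pattern."""
    directory, name = path.rsplit("/", 1)
    ext = name[name.rfind("."):] if keep_ext and "." in name else ""
    if clicks == 1:
        return f"{directory}/*{ext}"
    for _ in range(clicks - 2):
        directory = directory.rsplit("/", 1)[0]
    return f"{directory}/**{ext}"


def build_rules(log_text, program_choices, capability_choices, file_choices):
    """Replay the wizard's dialogs over the log and collect profile rules.
    program_choices:    {path: "Inherit"|"Profile"|"Unconfined"|"Deny"}
    capability_choices: {capname: "Allow"|"Deny"}
    file_choices:       {path: (decision, glob_clicks, keep_ext)}
    Unanswered events get the defaults chosen here: Inherit for programs,
    Deny for capabilities, Allow for the exact file path."""
    rules = set()
    for ev in filter(None, map(parse_event, log_text.splitlines())):
        op = ev["operation"]
        if op == "capable":
            verdict = capability_choices.get(ev["capname"], "Deny")
            prefix = "" if verdict == "Allow" else "deny "
            rules.add(f"{prefix}capability {ev['capname']},")
        elif op == "exec":
            mode = EXEC_MODES[program_choices.get(ev["name"], "Inherit")]
            rules.add(f"deny {ev['name']} x," if mode is None
                      else f"{ev['name']} {mode},")
        else:  # file access: open, rename, and so on
            decision, clicks, keep_ext = file_choices.get(ev["name"], ("Allow", 0, False))
            path = glob_path(ev["name"], clicks, keep_ext) if clicks else ev["name"]
            prefix = "" if decision == "Allow" else "deny "
            rules.add(f"{prefix}{path} {ev['requested_mask']},")
    return rules


def render_profile(program, rules):
    """Write the rules as a minimal profile body (profiles generated by the
    real tools also pull in #include <abstractions/...> lines)."""
    body = "\n".join(f"  {rule}" for rule in sorted(rules))
    return f"{program} {{\n{body}\n}}\n"


# Answers a user might give in the dialogs for the sample events (assumed).
PROGRAM_CHOICES = {"/usr/lib/firefox/plugin-container": "Inherit"}
CAPABILITY_CHOICES = {"sys_admin": "Deny"}
FILE_CHOICES = {
    "/home/ann/.mozilla/firefox/prefs.js": ("Allow", 0, False),  # Allow as is
    "/home/ann/Downloads/report.pdf": ("Allow", 1, True),        # Glob w/Ext once
}

if __name__ == "__main__":
    rules = build_rules(SAMPLE_LOG, PROGRAM_CHOICES, CAPABILITY_CHOICES, FILE_CHOICES)
    print(render_profile("/usr/bin/firefox", rules))
```

Running the script prints a profile in which prefs.js is allowed exactly as logged, the download directory becomes /home/ann/Downloads/*.pdf because Glob w/Ext was clicked once, plugin-container gets the ix (inherit) execute mode, and sys_admin is written as an explicit deny. Because AppArmor denies anything a profile does not mention, the deny lines are documentation as much as enforcement: they record that the decision was made on purpose rather than forgotten.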

You now have a profile for your application. You may, however, find that some functionality of the application is limited. In that case, you'll need to update the profile for your application. If your program no longer works after a patch or update has been applied (this can happen, for example, when the name of the binary or of some of the files used by the application changes), you need to update the profile as well. The next section describes how you can do that.
