当前时区为 UTC + 8 小时



发表新帖 回复这个主题  [ 4 篇帖子 ] 
作者 内容
1 楼 
 文章标题 : 大虾帮忙翻译一下关于Apparmor的文档
帖子发表于 : 2010-06-23 5:54 

注册: 2009-10-16 1:16
帖子: 23
送出感谢: 2
接收感谢: 0 次
Redhat系和Debian系用Selinux安全控件的多,而Ubuntu和Suse 则用Apparmor,谷歌一下有一关于此安全控件的文档,监于英文不好,麻烦大虾翻译一下:http://ubuntuforums.org/showthread.php?t=1008906


页首
 用户资料  
 
2 楼 
 文章标题 : Re: 大虾帮忙翻译一下关于Apparmor的文档
帖子发表于 : 2010-06-25 10:24 

注册: 2010-01-13 23:26
帖子: 3173
送出感谢: 0 次
接收感谢: 12
这里不是找人翻译你需要的材料的地方。


_________________
Here I am.
Ubuntu 桌面培训 - 全中文官方文档,含汉化截图,提供PDF


页首
 用户资料  
 
3 楼 
 文章标题 : Re: 大虾帮忙翻译一下关于Apparmor的文档
帖子发表于 : 2010-06-26 22:32 

注册: 2009-10-16 1:16
帖子: 23
送出感谢: 2
接收感谢: 0 次
Introduction to AppArmor
Introduction to AppArmor





Contents

Post 1 Introduction (This is it).
Post 2 AppArmor on Ubuntu.
Post 3 Anatomy of a Profile.
Post 4 Generating Profiles.



Introduction


The intent of this post is to increase awareness of AppArmor and encourage it's use by Ubuntu users. Although there are portions of this post that may seem quite technical, it is not my intent to give a full technical review of the workings of AppArmor or compare AppArmor to alternate options, such as SELinux.

From the Novell site :

Quote:
AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if they are exploiting previously unknown vulnerabilities.
AppArmor is a security tool and uses name-based mandatory access controls to restrict or confine system access by "at risk" applications. "At risk" applications generally include both server and client applications with network access. In this post I will use Firefox as an example.

The goal is to apply application specific rules or "profiles" to "confine" Firefox, or any other application, to only the directories, files, and posix 1003.1e draft capabilities needed for normal functioning. In the event Firefox is compromised, Apparmor's confinement helps to prevent the compromising of the system as a whole.

AppArmor is a powerful program and, when an application is confined, AppArmor can restrict the activity of even the root user. AppArmor was designed as an alternative to SELinux and is designed to be easier to use.

AppArmor is configured by writing a profile for an application. Profiles are written one application at at time and and typically targeted at applications which have network access. These profiles are a text files which restrict or confine an application. These restrictions are in addition to the standard Linux permissions. For example, you can not give access to a directory or file with AppArmor if such access violates the permissions.

Let us imagine, for example, your browser, Firefox, is hijacked (due to some flaw in the code). Let us also imagine the cracker may then use Firefox to access your home directory or system files, allowing him or her to read and modify system files and/or execute arbitrary code. This hypothetical flaw in Firefox then leads to an escalation of privileges and root access is obtained.

The "traditional" security model would remedy the problem by first correcting the flaw in the code (ie a "security update" for Firefox) and possibly result in a new rule for HIDS, such as viruses scanners or root kits.

The problem with this model it it does nothing to protect against the next attack, aka a Zero Day Attack. AppArmor adds another check to the system, asking the question, should Firefox be accessing or making changes to system files ? AppArmor confines Firefox and if there is a new exploit, AppArmor will help prevent any escalation of privileges.



I set up a collection of AppArmor profiles here . Additional contributions are welcome (PM me if interested).

References

http://en.wikipedia.org/wiki/Selinux
http://en.wikipedia.org/wiki/AppArmor
https://help.ubuntu.com/8.04/serverg.../apparmor.html
http://www.linux.com/feature/58789
http://www.linuxtopia.org/online_boo...ide/index.html
__________________
A person with ubuntu is open and available to others, affirming of others, does not feel threatened that others are able and good, for he or she has a proper self-assurance that comes from knowing that he or she belongs in a greater whole and is diminished when others are humiliated or diminished, when others are tortured or oppressed. ~ Archbishop Desmond Tutu, 1999


Last edited by bodhi.zazen; March 14th, 2009 at 01:38 AM..

December 12th, 2008 #2
bodhi.zazen
Ubuntu Guru




Join Date: Apr 2006
Location: Montana
My beans are hidden!
Xubuntu Development Release

Re: Introduction to AppArmor
AppArmor on Ubuntu

First, by default AppArmor does very little (and thus with this post I am hoping to change that ...). With a default installation of Ubuntu 8.04 , AppArmor protects only CUPS (Ubutu 9.04 includes 7 profiles by default: dhclient-script (listed twice), dhclient3, cupsd, tcpdump, cups-pdf, nm-dhcp-clinet.action {basically cpus, dhclient, and tcpdump} ).

You can install additional AppArmor-profiles , which will get you started with a few additional applications, but we must also write and customize our own profiles. I will cover Firefox as an example.

To install some additional profiles :

Code:
sudo apt-get install apparmor-profiles
Although this installs some additional profiles, they are permissive in that they default to the complain mode (you will need to manually activate them).

Profiles are stored in /etc/apparmor.d

On Ubuntu, AppArmor logs profile violations to /var/log/messages

Apparmor uses the kernel standard securityfs mechanism load and monitor profiles.

securityfs is moutned on /sys/kernel/security .
/sys/kernel/security/apparmor/profiles is a virtualized file representing the currently loaded set of profiles.

On Ubuntu there are no gui tools to manage or write profiles, so we are talking good old command line tools and editing configuration files. The configuration files are text files and ,with a little reading, are fairly easy to understand.

Profiles

Profiles are stored in /etc/apparmor.d

Profiles are names for the application they confine, using the full path, dropping the first / and converting the others to a . Firefox is a bit confusing because /usr/bin/firefox is a link to /usr/bin/firefox-3.0, which in turn is a link to /usr/lib/firefox-3.0.4/firefox.sh (On Ubuntu 9.04 Alpha).

Thus /usr/lib/firefox-3.0.4/firefox.sh
becomes usr.lib.firefox-3.0.4.firefox.sh
and is stored in /etc/AppArmor.d/usr.lib.firefox-3.0.4.firefox.sh

More on profiles later.


Enforcement

Once a profile is defined it is automatically activated when the application is started. There are 2 modes of operation, complain and enforce.

complain - In complain mode AA monitors applications and logs violations to your profile without restricting or confining the application. I think of this as "Testing" mode.

enforce - In enforce mode AA monitors applications and logs violations to your profile. In the event of a violation, access to the resource is denied and the application is confined.


Start / Stop AppArmor

Usage: /etc/init.d/apparmor {start|stop|restart|try-restart|reload|force-reload|status|kill}

Start : sudo /etc/init.d/apparmor start
Stop : sudo /etc/init.d/apparmor stop
reload: sudo /etc/init.d/apparmor reload
Show status: sudo /etc/init.d/apparmor status

and on ...


Additional useful AppArmor commands

Note: In these examples, | = or. So you may use geprof or aa-gprof (and on).

Source : Novell AppArmor Guide


genprof | aa-genprof
Quote:
Generate or update a profile. When running, you must specify a program to profile. If the specified program is not an absolute path, genprof searches the $PATH variable. If a profile does not exist, genprof creates one using autodep.
Syntax : sudo genprof application
Example sudo genprof firefox
This generates a profile for firefox at /etc/apparmor.d/usr.lib.firefox-3.0.4.firefox.sh


autodep | aa-autodep
Quote:
Guess basic AppArmor profile requirements. autodep creates a stub profile for the program or application examined. The resulting profile is called approximate because it does not necessarily contain all of the profile entries that the program needs to be confined properly.
complain | aa-complain
Quote:
Set an AppArmor profile to enforce mode from complain mode.
syntax : complain rule
Example : sudo complain firefox


enforce | aa-enforce
Quote:
Set an AppArmor profile to enforce mode from complain mode.
syntax : enforce rule
Example : sudo enforce firefox


unconfined | aa-unconfined
Quote:
Output a list of processes with open tcp or udp ports that do not have AppArmor profiles loaded.
logprof | aa-logprof
Quote:
Manage AppArmor profiles. logprof is an interactive tool used to review the learning or complain mode output found in the AppArmor syslog entries and to generate new entries in AppArmor profiles.
Translation: search your logs for problems and use this information to modify the firefox profile.


apparmor_parser

This is used to load, or more commonly reload a profile into the kernel. After modifying (editing) a profile use :

Code:
sudo apparmor_parser -r /etc/apparmor.d/<profile>
Where "<profile>" is the profile to re-load.

If you prefer you can restart AppArmor (same as reload)
Code:
/etc/init.d/apparmor restart
__________________
A person with ubuntu is open and available to others, affirming of others, does not feel threatened that others are able and good, for he or she has a proper self-assurance that comes from knowing that he or she belongs in a greater whole and is diminished when others are humiliated or diminished, when others are tortured or oppressed. ~ Archbishop Desmond Tutu, 1999


Last edited by bodhi.zazen; July 13th, 2009 at 03:06 AM..

December 12th, 2008 #3
bodhi.zazen
Ubuntu Guru




Join Date: Apr 2006
Location: Montana
My beans are hidden!
Xubuntu Development Release

Re: Introduction to AppArmor
Anatomy of a Profile

Now we are getting into the nitty gritty

Each application you wish to confine under AppArmor is given a profile which is stored in the
/etc/AppArmor.d directory.

Each profile is named after the application to which it applies, changing the / in the path to a . (the first / is simply dropped).

So, /usr/lib/firefox-3.0.4/firefox.sh becomes usr.lib.firefox-3.0.4.firefox.sh.

Profiles are nothing more then text files and are generated by you the user sometimes with the assistance of AppArmor tools from the command line (sorry no GUI in Ubuntu, although there is a GUI in YAST on OpenSUSE). They can be viewed and manually managed (tweaked) with any editor (gedit, nano, vim, etc). I will walk you through generating a profile for firefox in the next post.

Profiles are comprised of 4 sections #include, capability entries, rules, and hats.

# include

#include is akin to sourcing or libraries and allows you to generate a list of common restrictions. Rather then writing this list over and over in profiles, you can keep it in a common location and incorporate it into a profile with an #include. When you update the common list, all your profiles are updated.


Capability entries

In English, this is permission checking.

In Geek speak :

Quote:
Capabilities statements are simply the word capability followed by the name of the POSIX.1e capability as defined in the capabilities(7) man page.
And, if you are interested, capabilities(7) man page.


Rules

These are basically a set of permissions applied to files or directories. The syntas is a path followed by a set of rules.

[path] [rules]

path

You may use Globing or special characters in the path.


Code:
* Substitutes for any number of characters, except /.

** Substitutes for any number of characters, including /.

? Substitutes for any single character, except /.

[ abc ] Substitutes for the single character a, b, or c.

[ a-c ] Substitutes for the single character a, b, or c.

{ ab,cd } Expand to one rule to match ab and another to match cd.

[ ^a ] Substitutes for any character except a.

Rules for files include

Code:
r = read
w = write
l = link
k = lock
a = append
Rules for executable (applications) include

Code:
ix = inherit = Inherit the parent's profile.
px = requires a separate profile exists for the application, with environment scrubbing.
Px = requires a separate profile exists for the application, without environment scrubbing.

ux and Ux = Allow execution of an application unconfined, with and without environmental scrubbing. (use with caution if at all).

m = allow executable mapping.
For a more detailed explaination see the man page : AppArmor(5)

Example (from the above man page)

Quote:

# a variable definition
@{HOME} = /home/*/ /root/

# a comment about foo.
/usr/bin/foo {
/bin/mount ux,
/dev/{,u}random r,
/etc/ld.so.cache r,
/etc/foo.conf r,
/etc/foo/* r,
/lib/ld-*.so* x,
/lib/lib*.so* r,
/proc/[0-9]** r,
/usr/lib/** r,
/tmp/foo.pid wr,
/tmp/foo.* lrw,
/@{HOME}/.foo_file rw,

# a comment about foo's subprofile, bar.
^bar {
/lib/ld-*.so* x,
/usr/bin/bar ix,
/var/spool/* rwl,
}
}
Comments :
Note the use of variable. This is only necessary if you mount your /home partition in a non-standard location.
" /@{HOME}/.foo_file"
Comments start with an octothorpe (#).
/etc/foo/* r,
Allows read access to the files in /etc/foo
/etc/** would allow read access to all sub-directories in /etc


Hats

While an AppArmor profile is applied to an application, there are times with a sub process of the program may need access differing from the main program. In this event, the sup process may "change hats" or use an alternate sub-profile.

A profile may have more then 1 sub-profile, however the sub-profiles may not have sud-sub profiles (if that makes sense).

Right now very few applications use hats, and one example is Apache.

For a more detailed explanation see

man AppArmor
man AppArmor.d
__________________
A person with ubuntu is open and available to others, affirming of others, does not feel threatened that others are able and good, for he or she has a proper self-assurance that comes from knowing that he or she belongs in a greater whole and is diminished when others are humiliated or diminished, when others are tortured or oppressed. ~ Archbishop Desmond Tutu, 1999


Last edited by bodhi.zazen; December 12th, 2008 at 02:08 AM..

December 12th, 2008 #4
bodhi.zazen
Ubuntu Guru




Join Date: Apr 2006
Location: Montana
My beans are hidden!
Xubuntu Development Release

Re: Introduction to AppArmor
Generating Profiles

By default, Ubuntu includes a profile only for CUPS. You can install a few additional profiles with

Code:
sudo apt-get install apparmor-profiles
The additional profiles are :

usr.sbin.avahi-daemon , usr.sbin.nmbd , bin.ping, sbin.klogd , usr.sbin.nscd , sbin.syslogd , usr.sbin.dnsmasq, usr.sbin.ntpd , sbin.syslog-ng, usr.sbin.identd , usr.sbin.smbd , gdm-guest-session , usr.sbin.mdnsd , and usr.sbin.traceroute

Also included are some information for #includes in /etc/AppArmor.d/abstractions directory.

Note: After you generate a new profile, or edit an existing profile, the profile must be (re)loaded into the kernel and the application to which it applies must be restarted. The can be performed by restarting the application or rebooting.

Code:
sudo apparmor_parser -r /etc/apparmor.d/<profile>
Where "<profile>" is the name of the profile to reload.

As promised, let us generate a profile for firefox.

First, close firefox.

Next run
Code:
sudo genprof firefox
This will generate a "basic" profile for Firefox and place it into complain mode. You will be able to run Firefox and any violations of the profile will be logged.

I suggest you start by reviewing the profile for Firefox and add what you can.

Now lets follow the logs while we take Firefox for a spin. Open a terminal and enter

Code:
tail -F /var/log/messages
The next step, with the AppArmor profile for Firefox still in complain mode, start Firefox and perform "normal activities". Open and close Firefox, browse some web sites, download some simple files, browse local files, etc. This will vary from one setup to another and we do not all use Firefox in the same way.

During this trial period you will see a variety of error messages flash in the terminal where your are following /var/log/messages. Initially you will get an overwhelming number, that is OK, work through the error messages one at at time, modify your profile, quit Firefox, reload your profile and work on the next set of messages.

If you get stuck and do not understand what to add, use aa-logprof. I suggest you make a backup of your current profile first (keep backups outside of /etc/apparmor.d):

Code:
sudo cp /etc/apparmor.d/user.lib.firefox-3.0.4.firefox.sh /root/user.lib.firefox-3.0.4.firefox.sh
Next,
Code:
sudo aa-logprof firefox
This will search your logs and modify your profile on the basis of how you answer the resulting questions.

Note: aa-logprof is a bit unrefined and you should review and edit the resulting changes in the profile manually.

My final profile was (Ubuntu 9.04 Alpha, FF 3.0.4):

Quote:
# Last Modified: Thu Dec 11 21:08:14 2008
#include <tunables/global>

/usr/lib/firefox-3.0.4/firefox.sh {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
#include <abstractions/gnome>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>

network dgram,
network stream,

/bin/dash rix,
/bin/grep rix,
/bin/ps rix,
/usr/bin/basename rix,
/usr/lib/firefox-3.0.4/firefox mrix,
/usr/lib/gamin/gam_server mrix,

/dev/shm/ r,
owner /dev/shm/pulse-* rw,
/etc/ r,
/etc/firefox-3.0/pref/ r,
/etc/firefox-3.0/pref/* r,
/etc/gre.d/ r,
/etc/gre.d/1.9.0.4.system.conf r,
/etc/mime.types r,
/etc/pulse/client.conf r,
/etc/sound/events/gtk-events-2.soundlist r,
/etc/xulrunner-1.9/system-greprefs.js r,
owner /home/** rw,
owner /home/*/.adobe/ rw,
owner /home/*/.adobe/** rw,
owner /home/*/.config/gtk-2.0/** rwk,
owner /home/*/.macromedia/ w,
owner /home/*/.macromedia/** rw,
owner /home/*/.mozilla/** rwk,
owner /home/*/.pulse-cookie rwk,
owner /home/*/.pulse/ w,
owner /home/*/{Desktop,Documents,Downloads}/ rw,
owner /home/*/{Desktop,Documents,Downloads}/** rw,

owner /proc/*/maps r,
/proc/*/mounts/* r,
owner /proc/*/stat r,
/proc/version r,
/usr/local/share/** r,
/usr/share/** r,
/var/lib/dbus/machine-id r,

}
Note: If you use this profile you will probably NOT be able to browse local files and / or pictures etc.

Generating a profile is thus an active process an one where you can learn what "normal functioning" of Firefox entails. There are only really two mistakes you can make:

1. Too restrictive. In extreme cases Firefox will not run (when Apparmor is in the enforcing mode).

2. Too permissive. Keep in mind, however, that before you make a profile Firefox had relatively unfettered access to your system. Also standard Linux permissions still apply.

Some helpful globs:

/home/*/

/usr/share/** r
/usr/local/share/** r

When you are ready, put the Firefox profile into enforcing mode. Watch your log and re-start Firefox. You may need to further modify your profile.

As with any application, as you use AppArmor you will get a feel for how it works and how to write efficient Profiles.

DON'T FORGET to reload a profile after editing it.

Code:
sudo apparmor_parser -r /etc/apparmor.d/<profile>
Or if you prefer,
Code:
/etc/init.d/apparmor restart
I would also like to start a thread :

Share your AppArmor Profiles


页首
 用户资料  
 
4 楼 
 文章标题 : Re: 大虾帮忙翻译一下关于Apparmor的文档
帖子发表于 : 2010-06-26 22:43 

注册: 2009-10-16 1:16
帖子: 23
送出感谢: 2
接收感谢: 0 次
嗯?也许吧?问问而己! :em06


页首
 用户资料  
 
显示帖子 :  排序  
发表新帖 回复这个主题  [ 4 篇帖子 ] 

当前时区为 UTC + 8 小时


在线用户

正在浏览此版面的用户:没有注册用户 和 3 位游客


不能 在这个版面发表主题
不能 在这个版面回复主题
不能 在这个版面编辑帖子
不能 在这个版面删除帖子
不能 在这个版面提交附件

前往 :  
本站点为公益性站点,用于推广开源自由软件,由 DiaHosting VPSBudgetVM VPS 提供服务。
我们认为:软件应可免费取得,软件工具在各种语言环境下皆可使用,且不会有任何功能上的差异;
人们应有定制和修改软件的自由,且方式不受限制,只要他们自认为合适。

Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
简体中文语系由 王笑宇 翻译