There is a general misconception that Debian's kernel lacks the ability to block network access to apps via AppArmor. I have searched through up to 10 pages of Google results and not a single one explains how to achieve our objective.
I asked in our forums but was again directed to the incorrect information available on the internet: http://forums.debian.net/viewtopic.php? ... 29#p702329
I'm not explaining how to create an AppArmor profile, as that is well documented. I will post a working example and the tweak needed to make it functional.
So here it goes, enjoy.
Create a profile. I created one for Midori to test against our objective, as below:
# First attempt: the profile as recorded for Midori, with four abstractions
# pulled in and explicit network deny rules added by hand.
#include <tunables/global>
/usr/bin/midori {
#include <abstractions/base>
#include <abstractions/evince>
#include <abstractions/lightdm>
# nameservice is the abstraction that carries its own network allow rules
# (inet/inet6 stream and dgram, netlink raw) and the read rules for the
# resolver configuration; it is the include the post removes further down.
#include <abstractions/nameservice>
# Explicit deny rules. `deny network,` has no qualifier, so it already covers
# every address family and socket type; the five rules after it restate
# subsets of the same thing and are kept here only because the post shows
# the profile exactly as tested.
deny network,
deny network inet stream,
deny network inet6 stream,
deny network inet dgram,
deny network inet6 dgram,
deny network netlink raw,
# File rules recorded from Midori's actual accesses. Many of them name
# one-off files (numbered cache entries, a temporary config file, hashed
# gvfs-metadata logs, per-site localstorage databases), and several are
# already covered by a broader rule in the same group, e.g. the
# .cache/midori/web/ entries below are subsumed by the ** rule above them.
/home/*/.Xauthority r,
/home/*/.cache/gstreamer-1.0/registry.x86_64.bin r,
/home/*/.cache/midori/** rw,
/home/*/.cache/midori/web/1930540588 w,
/home/*/.cache/midori/web/2068877454 w,
/home/*/.cache/midori/web/2442868640 w,
/home/*/.cache/midori/web/2709582449 w,
/home/*/.cache/midori/web/2870961982 w,
/home/*/.cache/midori/web/3123036655 w,
/home/*/.cache/midori/web/3922757607 w,
/home/*/.cache/midori/web/4225863230 w,
/home/*/.cache/webkit/icondatabase/WebpageIcons.db rwk,
/home/*/.config/dconf/user r,
/home/*/.config/midori/ rw,
/home/*/.config/midori/* rwk,
# NOTE(review): config.D9XL4Z looks like a one-time temporary filename; the
# preceding `*` rule already matches it, so it can be dropped when tidying.
/home/*/.config/midori/config.D9XL4Z rw,
/home/*/.config/midori/extensions/libadblock.so/ w,
/home/*/.config/midori/extensions/libcookie-manager.so/ w,
/home/*/.config/midori/extensions/libexternal-download-manager.so/ w,
/home/*/.config/midori/extensions/libformhistory.so/ w,
/home/*/.config/midori/history.db-shm rwk,
/home/*/.config/midori/running w,
/home/*/.config/midori/tabby.db-shm rwk,
/home/*/.config/user-dirs.dirs r,
/home/*/.local/share/gvfs-metadata/home r,
/home/*/.local/share/gvfs-metadata/home-020fb5be.log r,
/home/*/.local/share/gvfs-metadata/home-063bb51a.log r,
/home/*/.local/share/gvfs-metadata/home-24c4a4a6.log r,
/home/*/.local/share/gvfs-metadata/home-34641c3f.log r,
/home/*/.local/share/gvfs-metadata/home-500d4881.log r,
/home/*/.local/share/gvfs-metadata/home-5166a826.log r,
/home/*/.local/share/gvfs-metadata/home-6ba27e16.log r,
/home/*/.local/share/midori/apps/ r,
/home/*/.local/share/midori/profiles/ r,
/home/*/.local/share/webkit/databases/https_cdn.districtm.io_0.localstorage w,
/home/*/.local/share/webkit/databases/https_chicago.suntimes.com_0.localstorage rw,
/home/*/.local/share/webkit/databases/https_en.wikipedia.org_0.localstorage w,
/home/*/.local/share/webkit/databases/https_phonograph2.voxmedia.com_0.localstorage w,
/home/*/.local/share/webkit/databases/https_secure-assets.rubiconproject.com_0.localstorage rw,
/home/*/.local/share/webkit/databases/https_www.apparmor.com_0.localstorage w,
/home/*/.local/share/webkit/databases/https_www.youtube.com_0.localstorage rw,
/home/*/.local/share/webkit/icondatabase/ r,
/home/*/.local/share/webkit/icondatabase/WebpageIcons.db rwk,
/home/*/.local/share/webkit/icondatabase/WebpageIcons.db-journal rw,
/lib/x86_64-linux-gnu/ld-*.so mr,
# NOTE(review): this grants mmap (m), read, write and lock on everything under
# /run and /var/run (sockets, pid files, user runtime directories). It is far
# broader than the rest of the profile and worth narrowing to the specific
# paths Midori actually needs before relying on the profile for confinement.
/{,var/}run/** mrwk,
}
# The six explicit deny rules, quoted from the profile above. The first one,
# with no qualifier, already covers all address families and socket types.
deny network,
deny network inet stream,
deny network inet6 stream,
deny network inet dgram,
deny network inet6 dgram,
deny network netlink raw,
Why?
The answer is that we need to remove abstractions/nameservice. It has network allow entries which supersede the ones defined by us in the profile. Remove that and voilà! You've got yourself a functional AppArmor profile that selectively blocks internet access to your app.
The final profile will look like the one below:
# Final profile: identical to the first attempt except that the
# abstractions/nameservice include is gone.
# NOTE(review): abstractions/lightdm is also absent here although the text
# only mentions removing nameservice; confirm whether that drop was intended.
# NOTE(review): dropping nameservice also removes its read rules for the
# resolver configuration (hosts/resolv.conf) and the nscd/resolved socket, so
# name lookups lose their file access as well — plausibly part of why the
# deny rules become effective in practice; verify with the audit log.
#include <tunables/global>
/usr/bin/midori {
#include <abstractions/base>
#include <abstractions/evince>
# Explicit deny rules. `deny network,` has no qualifier and already covers
# every address family and socket type; the five rules after it restate
# subsets of the same thing.
deny network,
deny network inet stream,
deny network inet6 stream,
deny network inet dgram,
deny network inet6 dgram,
deny network netlink raw,
# File rules recorded from Midori's actual accesses. Several name one-off
# files (numbered cache entries, a temporary config file, hashed
# gvfs-metadata logs, per-site localstorage databases), and a number of them
# are already covered by a broader rule in the same group, e.g. the
# .cache/midori/web/ entries are subsumed by the ** rule just above them.
/home/*/.Xauthority r,
/home/*/.cache/gstreamer-1.0/registry.x86_64.bin r,
/home/*/.cache/midori/** rw,
/home/*/.cache/midori/web/1930540588 w,
/home/*/.cache/midori/web/2068877454 w,
/home/*/.cache/midori/web/2442868640 w,
/home/*/.cache/midori/web/2709582449 w,
/home/*/.cache/midori/web/2870961982 w,
/home/*/.cache/midori/web/3123036655 w,
/home/*/.cache/midori/web/3922757607 w,
/home/*/.cache/midori/web/4225863230 w,
/home/*/.cache/webkit/icondatabase/WebpageIcons.db rwk,
/home/*/.config/dconf/user r,
/home/*/.config/midori/ rw,
/home/*/.config/midori/* rwk,
# NOTE(review): config.D9XL4Z looks like a one-time temporary filename; the
# preceding `*` rule already matches it, so it can be dropped when tidying.
/home/*/.config/midori/config.D9XL4Z rw,
/home/*/.config/midori/extensions/libadblock.so/ w,
/home/*/.config/midori/extensions/libcookie-manager.so/ w,
/home/*/.config/midori/extensions/libexternal-download-manager.so/ w,
/home/*/.config/midori/extensions/libformhistory.so/ w,
/home/*/.config/midori/history.db-shm rwk,
/home/*/.config/midori/running w,
/home/*/.config/midori/tabby.db-shm rwk,
/home/*/.config/user-dirs.dirs r,
/home/*/.local/share/gvfs-metadata/home r,
/home/*/.local/share/gvfs-metadata/home-020fb5be.log r,
/home/*/.local/share/gvfs-metadata/home-063bb51a.log r,
/home/*/.local/share/gvfs-metadata/home-24c4a4a6.log r,
/home/*/.local/share/gvfs-metadata/home-34641c3f.log r,
/home/*/.local/share/gvfs-metadata/home-500d4881.log r,
/home/*/.local/share/gvfs-metadata/home-5166a826.log r,
/home/*/.local/share/gvfs-metadata/home-6ba27e16.log r,
/home/*/.local/share/midori/apps/ r,
/home/*/.local/share/midori/profiles/ r,
/home/*/.local/share/webkit/databases/https_cdn.districtm.io_0.localstorage w,
/home/*/.local/share/webkit/databases/https_chicago.suntimes.com_0.localstorage rw,
/home/*/.local/share/webkit/databases/https_en.wikipedia.org_0.localstorage w,
/home/*/.local/share/webkit/databases/https_phonograph2.voxmedia.com_0.localstorage w,
/home/*/.local/share/webkit/databases/https_secure-assets.rubiconproject.com_0.localstorage rw,
/home/*/.local/share/webkit/databases/https_www.apparmor.com_0.localstorage w,
/home/*/.local/share/webkit/databases/https_www.youtube.com_0.localstorage rw,
/home/*/.local/share/webkit/icondatabase/ r,
/home/*/.local/share/webkit/icondatabase/WebpageIcons.db rwk,
/home/*/.local/share/webkit/icondatabase/WebpageIcons.db-journal rw,
/lib/x86_64-linux-gnu/ld-*.so mr,
# NOTE(review): this grants mmap (m), read, write and lock on everything under
# /run and /var/run (sockets, pid files, user runtime directories). It is far
# broader than the rest of the profile and worth narrowing to the specific
# paths Midori actually needs before relying on the profile for confinement.
/{,var/}run/** mrwk,
}
The above works in Stretch as well as Buster.