Selectively block internet access via Apparmor

sickpig
Posts: 589
Joined: 2019-01-23 10:34


#1 Post by sickpig

Objective: achieve selective blocking of network access for individual apps via AppArmor in Debian.

There is a general misconception that Debian's kernel lacks the ability to block network access for apps via AppArmor. I have searched up to 10 pages of Google results and not a single one explains how to achieve our objective.

I asked in our forums but was again directed to the incorrect information available on the internet: http://forums.debian.net/viewtopic.php? ... 29#p702329

I'm not explaining how to create an AppArmor profile, as that is well documented. I will post a working example and the tweak needed to make it functional.

So here it goes, enjoy.

Create a profile. I created one for Midori to test against our objective, as below.

Code:

#include <tunables/global>

/usr/bin/midori {
  #include <abstractions/base>
  #include <abstractions/evince>
  #include <abstractions/lightdm>
  #include <abstractions/nameservice>
  
  deny network,
  deny network inet stream,
  deny network inet6 stream,
  deny network inet dgram,
  deny network inet6 dgram,
  deny network netlink raw,

  /home/*/.Xauthority r,
  /home/*/.cache/gstreamer-1.0/registry.x86_64.bin r,
  /home/*/.cache/midori/** rw,
  /home/*/.cache/midori/web/1930540588 w,
  /home/*/.cache/midori/web/2068877454 w,
  /home/*/.cache/midori/web/2442868640 w,
  /home/*/.cache/midori/web/2709582449 w,
  /home/*/.cache/midori/web/2870961982 w,
  /home/*/.cache/midori/web/3123036655 w,
  /home/*/.cache/midori/web/3922757607 w,
  /home/*/.cache/midori/web/4225863230 w,
  /home/*/.cache/webkit/icondatabase/WebpageIcons.db rwk,
  /home/*/.config/dconf/user r,
  /home/*/.config/midori/ rw,
  /home/*/.config/midori/* rwk,
  /home/*/.config/midori/config.D9XL4Z rw,
  /home/*/.config/midori/extensions/libadblock.so/ w,
  /home/*/.config/midori/extensions/libcookie-manager.so/ w,
  /home/*/.config/midori/extensions/libexternal-download-manager.so/ w,
  /home/*/.config/midori/extensions/libformhistory.so/ w,
  /home/*/.config/midori/history.db-shm rwk,
  /home/*/.config/midori/running w,
  /home/*/.config/midori/tabby.db-shm rwk,
  /home/*/.config/user-dirs.dirs r,
  /home/*/.local/share/gvfs-metadata/home r,
  /home/*/.local/share/gvfs-metadata/home-020fb5be.log r,
  /home/*/.local/share/gvfs-metadata/home-063bb51a.log r,
  /home/*/.local/share/gvfs-metadata/home-24c4a4a6.log r,
  /home/*/.local/share/gvfs-metadata/home-34641c3f.log r,
  /home/*/.local/share/gvfs-metadata/home-500d4881.log r,
  /home/*/.local/share/gvfs-metadata/home-5166a826.log r,
  /home/*/.local/share/gvfs-metadata/home-6ba27e16.log r,
  /home/*/.local/share/midori/apps/ r,
  /home/*/.local/share/midori/profiles/ r,
  /home/*/.local/share/webkit/databases/https_cdn.districtm.io_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_chicago.suntimes.com_0.localstorage rw,
  /home/*/.local/share/webkit/databases/https_en.wikipedia.org_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_phonograph2.voxmedia.com_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_secure-assets.rubiconproject.com_0.localstorage rw,
  /home/*/.local/share/webkit/databases/https_www.apparmor.com_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_www.youtube.com_0.localstorage rw,
  /home/*/.local/share/webkit/icondatabase/ r,
  /home/*/.local/share/webkit/icondatabase/WebpageIcons.db rwk,
  /home/*/.local/share/webkit/icondatabase/WebpageIcons.db-journal rw,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /{,var/}run/** mrwk,

}
The above is a stock profile; the portion added by me is below.

Code:

  deny network,
  deny network inet stream,
  deny network inet6 stream,
  deny network inet dgram,
  deny network inet6 dgram,
  deny network netlink raw,
Still it does not work. Why?

The answer is that we need to remove abstractions/nameservice. It has network allow entries which supersede the ones defined by us in the profile. Remove that and voila! You've got yourself a functional AppArmor profile that selectively blocks internet access for your app.

The final profile will look like below.

Code:

#include <tunables/global>

/usr/bin/midori {
  #include <abstractions/base>
  #include <abstractions/evince>
 
  deny network,
  deny network inet stream,
  deny network inet6 stream,
  deny network inet dgram,
  deny network inet6 dgram,
  deny network netlink raw,

  /home/*/.Xauthority r,
  /home/*/.cache/gstreamer-1.0/registry.x86_64.bin r,
  /home/*/.cache/midori/** rw,
  /home/*/.cache/midori/web/1930540588 w,
  /home/*/.cache/midori/web/2068877454 w,
  /home/*/.cache/midori/web/2442868640 w,
  /home/*/.cache/midori/web/2709582449 w,
  /home/*/.cache/midori/web/2870961982 w,
  /home/*/.cache/midori/web/3123036655 w,
  /home/*/.cache/midori/web/3922757607 w,
  /home/*/.cache/midori/web/4225863230 w,
  /home/*/.cache/webkit/icondatabase/WebpageIcons.db rwk,
  /home/*/.config/dconf/user r,
  /home/*/.config/midori/ rw,
  /home/*/.config/midori/* rwk,
  /home/*/.config/midori/config.D9XL4Z rw,
  /home/*/.config/midori/extensions/libadblock.so/ w,
  /home/*/.config/midori/extensions/libcookie-manager.so/ w,
  /home/*/.config/midori/extensions/libexternal-download-manager.so/ w,
  /home/*/.config/midori/extensions/libformhistory.so/ w,
  /home/*/.config/midori/history.db-shm rwk,
  /home/*/.config/midori/running w,
  /home/*/.config/midori/tabby.db-shm rwk,
  /home/*/.config/user-dirs.dirs r,
  /home/*/.local/share/gvfs-metadata/home r,
  /home/*/.local/share/gvfs-metadata/home-020fb5be.log r,
  /home/*/.local/share/gvfs-metadata/home-063bb51a.log r,
  /home/*/.local/share/gvfs-metadata/home-24c4a4a6.log r,
  /home/*/.local/share/gvfs-metadata/home-34641c3f.log r,
  /home/*/.local/share/gvfs-metadata/home-500d4881.log r,
  /home/*/.local/share/gvfs-metadata/home-5166a826.log r,
  /home/*/.local/share/gvfs-metadata/home-6ba27e16.log r,
  /home/*/.local/share/midori/apps/ r,
  /home/*/.local/share/midori/profiles/ r,
  /home/*/.local/share/webkit/databases/https_cdn.districtm.io_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_chicago.suntimes.com_0.localstorage rw,
  /home/*/.local/share/webkit/databases/https_en.wikipedia.org_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_phonograph2.voxmedia.com_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_secure-assets.rubiconproject.com_0.localstorage rw,
  /home/*/.local/share/webkit/databases/https_www.apparmor.com_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_www.youtube.com_0.localstorage rw,
  /home/*/.local/share/webkit/icondatabase/ r,
  /home/*/.local/share/webkit/icondatabase/WebpageIcons.db rwk,
  /home/*/.local/share/webkit/icondatabase/WebpageIcons.db-journal rw,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /{,var/}run/** mrwk,

}
This functionality fills the gap in the Linux firewall, which cannot block individual apps' internet access like the Windows firewall can.

The above works in Stretch as well as Buster.
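A small lint for the pitfall described in this post, added here as an example and not part of the original post or of AppArmor's own tooling: given a profile file, it reports when "deny network" rules are combined with an #include of abstractions/nameservice, and, when the abstraction files are readable, when any other included abstraction itself carries network rules. The ABSTRACTIONS_DIR default and the check_profile function name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): lint an AppArmor profile for
# "deny network" rules that are undercut by included abstractions.
# Assumption: abstractions live under /etc/apparmor.d/abstractions (Debian default);
# override ABSTRACTIONS_DIR to point elsewhere.
ABSTRACTIONS_DIR="${ABSTRACTIONS_DIR:-/etc/apparmor.d/abstractions}"

# check_profile FILE
#   returns 0 when the profile has no deny-network rules, or when none of its
#   included abstractions re-allow networking; returns 1 otherwise.
check_profile() {
    profile="$1"
    # Nothing to check unless the profile tries to block networking.
    grep -Eq '^[[:space:]]*deny[[:space:]]+network' "$profile" || {
        echo "$profile: no 'deny network' rules, nothing to check"
        return 0
    }
    status=0
    # Walk every "#include <abstractions/NAME>" line and inspect NAME.
    for abs in $(sed -n 's/^[[:space:]]*#include[[:space:]]*<abstractions\/\([^>]*\)>.*/\1/p' "$profile"); do
        if [ "$abs" = "nameservice" ]; then
            # The case this post describes: nameservice carries network allow rules.
            echo "$profile: includes abstractions/nameservice, which carries network allow rules; remove it"
            status=1
        elif [ -r "$ABSTRACTIONS_DIR/$abs" ] && grep -Eq '^[[:space:]]*network' "$ABSTRACTIONS_DIR/$abs"; then
            # Any other abstraction with its own network rules deserves the same review.
            echo "$profile: abstractions/$abs also contains network rules; review it"
            status=1
        fi
    done
    [ "$status" -eq 0 ] && echo "$profile: deny network rules are not undercut by included abstractions"
    return "$status"
}
```

Run it as `check_profile /etc/apparmor.d/usr.bin.midori` before loading the profile with apparmor_parser; a non-zero exit means the deny rules are likely to be ineffective.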
