Apparmor selectively block internet access [SOLVED]


Postby sickpig » 2019-07-10 00:05

For the solution, refer to viewtopic.php?f=16&t=142644

Folks,

I am trying to selectively block applications' Internet access via AppArmor. I am testing it with Midori using the AppArmor profile below:
# Last Modified: Wed Jul 10 09:17:35 2019
#include <tunables/global>

/usr/bin/midori {
  #include <abstractions/base>
  #include <abstractions/evince>
  #include <abstractions/lightdm>
  #include <abstractions/nameservice>

  # "deny network," on its own denies every address family and socket type,
  # so the per-family rules above it are subsumed by it; the two duplicate
  # inet/inet6 stream rules that followed it have been dropped.
  deny network inet raw,
  deny network inet6 raw,
  deny network inet  stream,
  deny network inet6 stream,
  deny network inet  dgram,
  deny network inet6 dgram,
  deny network,
  deny @{PROC}/[0-9]*/net/if_inet6 r,
  deny @{PROC}/[0-9]*/net/ipv6_route r,
  deny capability net_raw,
  deny @{PROC}/net/route r,
 
  /home/*/.Xauthority r,
  /home/*/.cache/gstreamer-1.0/registry.x86_64.bin r,
  /home/*/.cache/midori/** rw,
  /home/*/.cache/midori/web/1930540588 w,
  /home/*/.cache/midori/web/2068877454 w,
  /home/*/.cache/midori/web/2442868640 w,
  /home/*/.cache/midori/web/2709582449 w,
  /home/*/.cache/midori/web/2870961982 w,
  /home/*/.cache/midori/web/3123036655 w,
  /home/*/.cache/midori/web/3922757607 w,
  /home/*/.cache/midori/web/4225863230 w,
  /home/*/.cache/webkit/icondatabase/WebpageIcons.db rwk,
  /home/*/.config/dconf/user r,
  /home/*/.config/midori/ rw,
  /home/*/.config/midori/* rwk,
  /home/*/.config/midori/config.D9XL4Z rw,
  /home/*/.config/midori/history.db-shm rwk,
  /home/*/.config/midori/running w,
  /home/*/.config/midori/tabby.db-shm rwk,
  /home/*/.config/user-dirs.dirs r,
  /home/*/.local/share/gvfs-metadata/home r,
  /home/*/.local/share/gvfs-metadata/home-34641c3f.log r,
  /home/*/.local/share/gvfs-metadata/home-5166a826.log r,
  /home/*/.local/share/midori/apps/ r,
  /home/*/.local/share/midori/profiles/ r,
  /home/*/.local/share/webkit/databases/https_chicago.suntimes.com_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_phonograph2.voxmedia.com_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_secure-assets.rubiconproject.com_0.localstorage w,
  /home/*/.local/share/webkit/icondatabase/ r,
  /home/*/.local/share/webkit/icondatabase/WebpageIcons.db rwk,
  /home/*/.local/share/webkit/icondatabase/WebpageIcons.db-journal rw,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /{,var/}run/** mrwk,

}


As you can see I have added every possible deny network option, but it's still not working.

syslog excerpt below:
Jul 10 10:34:27 debian apparmor[3420]: Reloading AppArmor profiles:.
Jul 10 10:34:27 debian systemd[1]: Reloaded AppArmor initialization.
Jul 10 10:34:36 debian kernel: [ 3996.072241] audit_printk_skb: 93 callbacks suppressed
Jul 10 10:34:36 debian kernel: [ 3996.072242] audit: type=1400 audit(1562718876.939:278): apparmor="DENIED" operation="mkdir" profile="/usr/bin/midori" name="/home/a/.config/midori/extensions/libadblock.so/" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 10 10:34:36 debian kernel: [ 3996.072264] audit: type=1400 audit(1562718876.939:279): apparmor="DENIED" operation="mkdir" profile="/usr/bin/midori" name="/home/a/.config/midori/extensions/libadblock.so/" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 10 10:34:36 debian kernel: [ 3996.072276] audit: type=1400 audit(1562718876.939:280): apparmor="DENIED" operation="mkdir" profile="/usr/bin/midori" name="/home/a/.config/midori/extensions/libadblock.so/" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 10 10:34:36 debian kernel: [ 3996.072290] audit: type=1400 audit(1562718876.939:281): apparmor="DENIED" operation="mkdir" profile="/usr/bin/midori" name="/home/a/.config/midori/extensions/libadblock.so/" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 10 10:34:43 debian dbus-daemon[914]: Activating via systemd: service name='org.gnome.zeitgeist.Engine' unit='zeitgeist.service'
Jul 10 10:34:43 debian systemd[897]: Starting Zeitgeist activity log service...
Jul 10 10:34:43 debian zeitgeist-vacuu[3547]: zeitgeist-vacuum.vala:38: Impossible to open database `/home/a/.local/share/zeitgeist/activity.sqlite': unable to open database file
Jul 10 10:34:43 debian systemd[897]: zeitgeist.service: Control process exited, code=exited status=14
Jul 10 10:34:43 debian systemd[897]: Failed to start Zeitgeist activity log service.
Jul 10 10:34:43 debian systemd[897]: zeitgeist.service: Unit entered failed state.
Jul 10 10:34:43 debian systemd[897]: zeitgeist.service: Failed with result 'exit-code'.
Jul 10 10:34:43 debian kernel: [ 4002.305680] audit: type=1400 audit(1562718883.181:282): apparmor="DENIED" operation="mknod" profile="/usr/bin/midori" name="/home/a/.local/share/webkit/databases/https_en.wikipedia.org_0.localstorage" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000


a@debian:~$ lsb_release -da
No LSB modules are available.
Distributor ID:   Debian
Description:   Debian GNU/Linux 9.9 (stretch)
Release:   9.9
Codename:   stretch


Has anyone managed to get AppArmor to block network access?
Last edited by sickpig on 2019-07-10 22:43, edited 1 time in total.
sickpig
 
Posts: 315
Joined: 2019-01-23 10:34
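Two checks worth running against a profile like the one in the post above, written here as an added example (it is not from the post, the linked howto, or AppArmor's own tools). The first asks whether the running kernel mediates sockets at all: AppArmor network rules are only enforced when the kernel advertises the feature under securityfs, and a kernel without it loads the profile but never applies those rules. The second summarises the apparmor="DENIED" records already in syslog by profile, operation and path, which matters because plain `deny` rules are quiet; only `audit deny network,` would make a blocked connection show up in the log. Assumptions: securityfs is mounted at /sys/kernel/security, and the feature directory is named `network` (Ubuntu-patched kernels) or `network_v8` (upstream kernels from 4.17 on); the sample audit lines are constructed in the format of the post's excerpt.

```shell
#!/bin/sh
# Added example, not from the forum post and not AppArmor's own tooling.
#
#  1. aa_network_mediation: does the kernel mediate sockets?  Without that
#     feature, "deny network" rules are accepted by apparmor_parser but have
#     no effect.  Assumed paths: <securityfs>/apparmor/features/network
#     (Ubuntu kernels) or .../features/network_v8 (upstream 4.17+).
#  2. summarize_denials: group the DENIED audit records syslog already holds.
#     Explicit "deny" rules are quiet, so an empty summary is not evidence
#     that network access is blocked; "audit deny network," would log it.

AA_FEATURES=${AA_FEATURES:-/sys/kernel/security/apparmor/features}

# Prints "supported", "unsupported" or "unknown" (no AppArmor securityfs).
# Returns 0 only for "supported".  A feature directory may be passed as $1.
aa_network_mediation() {
    dir=${1:-$AA_FEATURES}
    if [ ! -d "$dir" ]; then
        echo unknown
        return 1
    fi
    if [ -e "$dir/network/af_mask" ] || [ -e "$dir/network_v8/af_mask" ]; then
        echo supported
        return 0
    fi
    echo unsupported
    return 1
}

# Reads syslog/dmesg lines on stdin and prints one line per distinct
# (profile, operation, name-or-family) triple, prefixed by its count and
# sorted most frequent first.  Non-AppArmor lines are ignored.
summarize_denials() {
    awk '
    /apparmor="DENIED"/ {
        op = prof = what = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^operation=/) op = $i
            else if ($i ~ /^profile=/) prof = $i
            else if ($i ~ /^name=/ || $i ~ /^family=/) what = $i
        }
        if (op != "" && prof != "") print prof, op, what
    }' | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3, $4 }'
}

# Constructed sample in the format of the post's syslog excerpt: two of the
# mkdir denials, the mknod denial, and one unrelated systemd line.
SAMPLE_AUDIT='Jul 10 10:34:36 debian kernel: [ 3996.072242] audit: type=1400 audit(1562718876.939:278): apparmor="DENIED" operation="mkdir" profile="/usr/bin/midori" name="/home/a/.config/midori/extensions/libadblock.so/" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 10 10:34:36 debian kernel: [ 3996.072264] audit: type=1400 audit(1562718876.939:279): apparmor="DENIED" operation="mkdir" profile="/usr/bin/midori" name="/home/a/.config/midori/extensions/libadblock.so/" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 10 10:34:43 debian systemd[897]: Failed to start Zeitgeist activity log service.
Jul 10 10:34:43 debian kernel: [ 4002.305680] audit: type=1400 audit(1562718883.181:282): apparmor="DENIED" operation="mknod" profile="/usr/bin/midori" name="/home/a/.local/share/webkit/databases/https_en.wikipedia.org_0.localstorage" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000'

# Stand-alone use: "sh aa_check.sh --run" reports kernel support, summarises
# the sample, and then the real syslog when it is readable.  Without --run
# the file only defines the functions so it can be sourced.
if [ "${1:-}" = "--run" ]; then
    printf 'kernel socket mediation: %s\n' "$(aa_network_mediation || true)"
    printf 'sample summary:\n'
    printf '%s\n' "$SAMPLE_AUDIT" | summarize_denials
    if [ -r /var/log/syslog ]; then
        printf 'denials in /var/log/syslog:\n'
        summarize_denials < /var/log/syslog
    fi
fi
```

If the first check prints "unsupported" or "unknown", the deny rules in the profile cannot be the thing stopping traffic on that machine, whatever the log shows; if it prints "supported" and Midori still reaches the network, the next thing to look at is which process actually opens the sockets, since a profile attached to /usr/bin/midori only confines what runs under that profile.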


Re: Apparmor selectively block internet access

Postby sickpig » 2019-07-10 22:42

Head_on_a_Stick wrote: https://unix.stackexchange.com/questions/414490/how-to-deny-applications-access-to-network-by-apparmor


viewtopic.php?f=16&t=142644
sickpig
 
Posts: 315
Joined: 2019-01-23 10:34

Re: Apparmor selectively block internet access [SOLVED]

Postby GarryRicketson » 2019-07-10 23:35

If there is a solution, it should have been posted here, instead of cross posting
and starting another topic on the same subject, making things more confusing.
Please read: Forum guidelines. Please read before first post!
Before you start using Debian User Forums, please observe the following guidelines:

1. Do not cross post. Posting the same topic in more than one category only creates confusion and makes it hard to keep track on the various replies. Double posts will be locked.

Also note 9:

9. The language on this board is primarily English but we do not exclude people with little or no English. When replying to posts in other languages please include an English translation. It's a good idea to help non-English speakers find resources in their language.
A forum is a means of written communication so make sure your posts are as readable as possible. That means: Use capital letters and punctuation, and use the formatting features of the forum wisely in order to make your post attractive. Try to avoid 'l33t speak', 'chatspeak,' and 'SMS language'.
There is no need to apologize for poor English skills. We have users from all over the world and trying your best is more than adequate.
GarryRicketson
 
Posts: 5877
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Apparmor selectively block internet access [SOLVED]

Postby Deb-fan » 2019-07-10 23:56

Bad sickpig, bad, bad! No cross posting dude. Just saw a joke post opp and couldn't resist. Don't know crapall about apparmor so nothing useful to offer on the topic. Guessing it's well documented though and seen a few say, using it is a step in the right direction. If nobody knows how to effectively use it not sure how or who it's a right step for.

Run a custom kernel with support for apparmor compiled out, so isn't a step I'm taking atm. Looks like it's that ever popular time again. Time to research, learn and read the docs time! :)
Deb-fan
 
Posts: 273
Joined: 2012-08-14 12:27

Re: Apparmor selectively block internet access [SOLVED]

Postby sickpig » 2019-07-10 23:57

GarryRicketson wrote:If there is a solution, it should have been posted here, instead of cross posting
and starting another topic on the same subject, making things more confusing.

I haven't started multiple threads asking for help.
I started this thread, which was resolved by the howto created by me, which I have linked in the first line of my first post in this thread.

i will write how i want, i dont tell u how to write.
go ahead lock it if u feel that will add to your productivity. c if i care.
godspeed
sickpig
 
Posts: 315
Joined: 2019-01-23 10:34

Re: Apparmor selectively block internet access [SOLVED]

Postby sickpig » 2019-07-11 00:03

Deb-fan wrote:Bad sickpig, bad, bad! No cross posting dude.


Not a crosspost.
This one was for support.

The other one is a howto. I felt like sharing the solution back with the community, and aren't howtos the place for them?
I have personally learnt a lot from all the compiled howtos in one section. I have also learned a lot by reading posts, but the best part about howtos is that everything is compiled in one section, with no need to jump across different threads.

AppArmor is the bomb; I have been auditing all my apps and restricting their access levels to the strictest level possible without breaking their functionality.
sickpig
 
Posts: 315
Joined: 2019-01-23 10:34

Re: Apparmor selectively block internet access [SOLVED]

Postby GarryRicketson » 2019-07-11 00:26

The solution to the question should have been posted in the same topic that the question was asked. If you wanted to also start a How to topic, that is fine, no problem, and you did.
As for this:
sickpig>i will write how i want, i dont tell u how to write.
go ahead lock it if u feel that will add to your productivity. c if i care.
godspeed

That is not up to me, but you have said this before, when others also commented on your sloppy writing. If you are writing in your personal diary, yes, indeed, write however you want.
These boards are public, and you should respect the requests that you at least make some effort to write your sloppy posts better. Instead, you seem to enjoy trying to turn the forum into a pig sty, and disregard those requests.
Thank you for making my day.
GarryRicketson
 
Posts: 5877
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Apparmor selectively block internet access [SOLVED]

Postby sunrat » 2019-07-11 02:00

sickpig wrote:i will write how i want, i dont tell u how to write.
go ahead lock it if u feel that will add to your productivity. c if i care.
godspeed


OK I get it, you are not very good at English. At least start to care a bit. You are a bee's willy away from being added to a few people's foes list.
ucp.php?i=zebra&mode=foes&add=sickpig
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!
sunrat
 
Posts: 2796
Joined: 2006-08-29 09:12
Location: Melbourne, Australia

Re: Apparmor selectively block internet access [SOLVED]

Postby sickpig » 2019-07-11 02:27

@GarryRicketson, i can very well reply in the same vein as yours but i choose not to as from reading your previous posts i know u r sensitive to whats posted. And i defer to your seniority. Respect.

@sunrat, grammatically i doubt u can find anything amiss to say i am not very good at English, spelling wise i dont care.
I wonder how u divine m close being added to foes list of many people. but be it as it may. few things u can control most u cant. i dont even know the repercussions of being in the foes' list so i dont really care :D
sickpig
 
Posts: 315
Joined: 2019-01-23 10:34

Re: Apparmor selectively block internet access [SOLVED]

Postby GarryRicketson » 2019-07-11 02:51

Deb-fan wrote:No worries, am mildly inebriated by this point. So not overly concerned. Am sure it's a long way from the worst Debian forum transgression ever committed. Though you know what they say, arguing on an gnu/nix forum, is like competing in the special Olympics, even if someone wins. They're still just a retard. :D

Being a drunken boozer is no excuse for being an offensive, rude person, and this is just plain offensive. My granddaughter recently won 2nd prize in a competition that is similar to the Special Olympics. She may have some handicaps, but is far from being "just a retard"; most of those "just retards", as you call them, work very hard at doing the best they can in difficult circumstances.
Any way, we are not "just retards", as you seem to think. I am not arguing, just saying.
GarryRicketson
 
Posts: 5877
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Apparmor selectively block internet access [SOLVED]

Postby sickpig » 2019-07-11 03:04

@GarryRicketson if u read the other "vent" thread he has already apologised to u

cross-posting m i?

viewtopic.php?f=20&t=142631&p=702402#p702398

Deb-fan wrote:^@Garry never meant that comment in such a fashion. Was mostly an attempt at a joke to defuse a situation. Am sure your grandkid is a lovely person. No offense was meant, you're obviously a good nixer, keep being that please. Apologize for any offense, wasn't intended as that.
sickpig
 
Posts: 315
Joined: 2019-01-23 10:34

Re: Apparmor selectively block internet access [SOLVED]

Postby sunrat » 2019-07-11 05:19

sickpig wrote:@sunrat, grammatically i doubt u can find anything amiss to say i am not very good at English, spelling wise i dont care.
I wonder how u divine m close being added to foes list of many people. but be it as it may. few things u can control most u cant. i dont even know the repercussions of being in the foes' list so i dont really care :D


It's your spelling that gives readers the impression you are not good at English. Spare a thought for those who are not native speakers and use a translation service to read the forum.
sunrat
 
Posts: 2796
Joined: 2006-08-29 09:12
Location: Melbourne, Australia

Re: Apparmor selectively block internet access [SOLVED]

Postby sickpig » 2019-07-11 05:37

sunrat wrote:It's your spelling that gives readers the impression you are not good at English.

who made u the authority to speak on behalf of others? this is the language that i know, call it english or whatever. (Beware of the non-capitalisation of proper noun of the word English)
u speak or write however u want to, i dont give a hoot.
dont impose on anyone else.
live and let live man.
historically conflicts have started when one section of humanity starts imposing, saying my way is right.
sickpig
 
Posts: 315
Joined: 2019-01-23 10:34

Re: Apparmor selectively block internet access [SOLVED]

Postby pylkko » 2019-07-11 06:13

sickpig wrote:who made u the authority to speak on behalf of others? this is the language that i know, call it english or whatever. (Beware of the non-capitalisation of proper noun of the word English)
u speak or write however u want to, i dont give a hoot.
dont impose on anyone else.
live and let live man.
historically conflicts have started when one section of humanity starts imposing, saying my way is right.

Uhm... no. You are either deliberately or out of ignorance failing to see the difference between the social cognition that evolution has given us and deliberate systematic social violence/injustice. The way that you write gives me the impression that you are either very young, naive or dumb, and I have too many times to take a double take (that is, reread) on your sentences (annoying). However, that does not mean that I am imposing anything on you.

Maybe we can find middle ground and agree that we all are allowed to respond to your posts like this:

"yoz in da meaning I cc are u in. for gazzin in c"


Please then don't impose any of your rules on me; don't attempt to disallow this very productive and pragmatic over-zealous application of anarchistic freedom on language. Because clearly that is unjust.
pylkko
 
Posts: 1565
Joined: 2014-11-06 19:02
