Selectively block internet access via Apparmor

Post by sickpig » 2019-07-10 22:42

Objective: achieve selective blocking of network access for individual apps via AppArmor in Debian.

There is a general misconception that Debian's kernel lacks the ability to block network access for apps via AppArmor. I have searched up to 10 pages of Google and not a single result explains how to achieve our objective.

I asked in our forums but was again directed to the incorrect information available on the internet: viewtopic.php?f=5&t=142621&p=702329#p702329

I'm not explaining how to create an AppArmor profile, as that is well documented. I will post a working example and the tweak needed to make it functional.

So here it goes, enjoy.

Create a profile. I created one for Midori to test against our objective, as below:

Code:
#include <tunables/global>

/usr/bin/midori {
  #include <abstractions/base>
  #include <abstractions/evince>
  #include <abstractions/lightdm>
  #include <abstractions/nameservice>
 
  deny network,
  deny network inet stream,
  deny network inet6 stream,
  deny network inet dgram,
  deny network inet6 dgram,
  deny network netlink raw,

  /home/*/.Xauthority r,
  /home/*/.cache/gstreamer-1.0/registry.x86_64.bin r,
  /home/*/.cache/midori/** rw,
  /home/*/.cache/midori/web/1930540588 w,
  /home/*/.cache/midori/web/2068877454 w,
  /home/*/.cache/midori/web/2442868640 w,
  /home/*/.cache/midori/web/2709582449 w,
  /home/*/.cache/midori/web/2870961982 w,
  /home/*/.cache/midori/web/3123036655 w,
  /home/*/.cache/midori/web/3922757607 w,
  /home/*/.cache/midori/web/4225863230 w,
  /home/*/.cache/webkit/icondatabase/WebpageIcons.db rwk,
  /home/*/.config/dconf/user r,
  /home/*/.config/midori/ rw,
  /home/*/.config/midori/* rwk,
  /home/*/.config/midori/config.D9XL4Z rw,
  /home/*/.config/midori/extensions/libadblock.so/ w,
  /home/*/.config/midori/extensions/libcookie-manager.so/ w,
  /home/*/.config/midori/extensions/libexternal-download-manager.so/ w,
  /home/*/.config/midori/extensions/libformhistory.so/ w,
  /home/*/.config/midori/history.db-shm rwk,
  /home/*/.config/midori/running w,
  /home/*/.config/midori/tabby.db-shm rwk,
  /home/*/.config/user-dirs.dirs r,
  /home/*/.local/share/gvfs-metadata/home r,
  /home/*/.local/share/gvfs-metadata/home-020fb5be.log r,
  /home/*/.local/share/gvfs-metadata/home-063bb51a.log r,
  /home/*/.local/share/gvfs-metadata/home-24c4a4a6.log r,
  /home/*/.local/share/gvfs-metadata/home-34641c3f.log r,
  /home/*/.local/share/gvfs-metadata/home-500d4881.log r,
  /home/*/.local/share/gvfs-metadata/home-5166a826.log r,
  /home/*/.local/share/gvfs-metadata/home-6ba27e16.log r,
  /home/*/.local/share/midori/apps/ r,
  /home/*/.local/share/midori/profiles/ r,
  /home/*/.local/share/webkit/databases/https_cdn.districtm.io_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_chicago.suntimes.com_0.localstorage rw,
  /home/*/.local/share/webkit/databases/https_en.wikipedia.org_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_phonograph2.voxmedia.com_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_secure-assets.rubiconproject.com_0.localstorage rw,
  /home/*/.local/share/webkit/databases/https_www.apparmor.com_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_www.youtube.com_0.localstorage rw,
  /home/*/.local/share/webkit/icondatabase/ r,
  /home/*/.local/share/webkit/icondatabase/WebpageIcons.db rwk,
  /home/*/.local/share/webkit/icondatabase/WebpageIcons.db-journal rw,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /{,var/}run/** mrwk,

}


The above is a stock profile; the portion added by me is below:

Code:
  deny network,
  deny network inet stream,
  deny network inet6 stream,
  deny network inet dgram,
  deny network inet6 dgram,
  deny network netlink raw,


Still, it does not work.
Why?
The answer is that we need to remove abstractions/nameservice. It has network allow entries which supersede the ones defined by us in the profile. Remove that and voilà! You've got yourself a functional AppArmor profile that selectively blocks internet access for your app.

The final profile will look like below:

Code:
#include <tunables/global>

/usr/bin/midori {
  #include <abstractions/base>
  #include <abstractions/evince>
 
  deny network,
  deny network inet stream,
  deny network inet6 stream,
  deny network inet dgram,
  deny network inet6 dgram,
  deny network netlink raw,

  /home/*/.Xauthority r,
  /home/*/.cache/gstreamer-1.0/registry.x86_64.bin r,
  /home/*/.cache/midori/** rw,
  /home/*/.cache/midori/web/1930540588 w,
  /home/*/.cache/midori/web/2068877454 w,
  /home/*/.cache/midori/web/2442868640 w,
  /home/*/.cache/midori/web/2709582449 w,
  /home/*/.cache/midori/web/2870961982 w,
  /home/*/.cache/midori/web/3123036655 w,
  /home/*/.cache/midori/web/3922757607 w,
  /home/*/.cache/midori/web/4225863230 w,
  /home/*/.cache/webkit/icondatabase/WebpageIcons.db rwk,
  /home/*/.config/dconf/user r,
  /home/*/.config/midori/ rw,
  /home/*/.config/midori/* rwk,
  /home/*/.config/midori/config.D9XL4Z rw,
  /home/*/.config/midori/extensions/libadblock.so/ w,
  /home/*/.config/midori/extensions/libcookie-manager.so/ w,
  /home/*/.config/midori/extensions/libexternal-download-manager.so/ w,
  /home/*/.config/midori/extensions/libformhistory.so/ w,
  /home/*/.config/midori/history.db-shm rwk,
  /home/*/.config/midori/running w,
  /home/*/.config/midori/tabby.db-shm rwk,
  /home/*/.config/user-dirs.dirs r,
  /home/*/.local/share/gvfs-metadata/home r,
  /home/*/.local/share/gvfs-metadata/home-020fb5be.log r,
  /home/*/.local/share/gvfs-metadata/home-063bb51a.log r,
  /home/*/.local/share/gvfs-metadata/home-24c4a4a6.log r,
  /home/*/.local/share/gvfs-metadata/home-34641c3f.log r,
  /home/*/.local/share/gvfs-metadata/home-500d4881.log r,
  /home/*/.local/share/gvfs-metadata/home-5166a826.log r,
  /home/*/.local/share/gvfs-metadata/home-6ba27e16.log r,
  /home/*/.local/share/midori/apps/ r,
  /home/*/.local/share/midori/profiles/ r,
  /home/*/.local/share/webkit/databases/https_cdn.districtm.io_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_chicago.suntimes.com_0.localstorage rw,
  /home/*/.local/share/webkit/databases/https_en.wikipedia.org_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_phonograph2.voxmedia.com_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_secure-assets.rubiconproject.com_0.localstorage rw,
  /home/*/.local/share/webkit/databases/https_www.apparmor.com_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_www.youtube.com_0.localstorage rw,
  /home/*/.local/share/webkit/icondatabase/ r,
  /home/*/.local/share/webkit/icondatabase/WebpageIcons.db rwk,
  /home/*/.local/share/webkit/icondatabase/WebpageIcons.db-journal rw,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /{,var/}run/** mrwk,

}
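
Added here as an example (not code from the original post): a small POSIX sh checker that lists the network rules each included abstraction brings into a profile, so the effect of keeping or dropping abstractions/nameservice can be seen before the profile is loaded. It assumes abstractions live under <apparmor_dir>/abstractions, as on Debian under /etc/apparmor.d; the demo profile and abstraction files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: list the network rules that a
# profile pulls in through its "#include <abstractions/...>" lines.
# Assumes abstractions live under <apparmor_dir>/abstractions (Debian: /etc/apparmor.d).

# Print every network rule (allow or deny) in the given file, leading blanks stripped.
network_rules() {
    grep -E '^[[:space:]]*(deny[[:space:]]+)?network([[:space:]]|,)' "$1" \
      | sed 's/^[[:space:]]*//'
}

# included_network_rules <profile> <apparmor_dir>
# For each abstraction the profile includes, print "<abstraction>: <rule>" for
# every network rule that abstraction carries; missing files are reported, not skipped.
included_network_rules() {
    grep -oE '#include[[:space:]]+<abstractions/[^>]+>' "$1" \
      | sed -E 's#.*<abstractions/([^>]+)>.*#\1#' \
      | while IFS= read -r abs; do
            f="$2/abstractions/$abs"
            if [ ! -r "$f" ]; then
                echo "$abs: (not found under $2)"
                continue
            fi
            network_rules "$f" | while IFS= read -r rule; do
                echo "$abs: $rule"
            done
        done
}

# Demo on a constructed profile and abstraction tree in a temp dir, so it runs
# offline; the fake nameservice carries network allow rules like the real one.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/abstractions"
    printf '  /etc/ld.so.cache mr,\n' > "$tmp/abstractions/base"
    printf '  network inet stream,\n  network inet6 stream,\n  network inet dgram,\n' \
      > "$tmp/abstractions/nameservice"
    cat > "$tmp/usr.bin.midori" <<'EOF'
/usr/bin/midori {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  deny network,
}
EOF
    included_network_rules "$tmp/usr.bin.midori" "$tmp"
    rm -rf "$tmp"
}
```

Run `included_network_rules /etc/apparmor.d/usr.bin.midori /etc/apparmor.d` against a real profile; an empty result means none of its includes carries a network rule.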


This functionality fills the gap in the Linux firewall, which cannot block individual apps' internet access like the Windows firewall can.

The above works in Stretch as well as Buster.