Folks,
I am trying to selectively block applications' Internet access via AppArmor. I am testing it with Midori using the AppArmor profile below:
Code:
# Last Modified: Wed Jul 10 09:17:35 2019
#include <tunables/global>

/usr/bin/midori {
  #include <abstractions/base>
  #include <abstractions/evince>
  #include <abstractions/lightdm>
  #include <abstractions/nameservice>

  # Network lockdown. Explicit deny rules take precedence over any allow rules
  # pulled in by the abstractions above. The bare "deny network," already
  # covers every domain and socket type; the more specific denies are kept as
  # written but add nothing beyond it (exact duplicate lines removed).
  deny network inet raw,
  deny network inet6 raw,
  deny network inet stream,
  deny network inet6 stream,
  deny network inet dgram,
  deny network inet6 dgram,
  deny network,
  deny @{PROC}/[0-9]*/net/if_inet6 r,
  deny @{PROC}/[0-9]*/net/ipv6_route r,
  deny capability net_raw,
  deny @{PROC}/net/route r,

  # X11 and GStreamer plugin registry
  /home/*/.Xauthority r,
  /home/*/.cache/gstreamer-1.0/registry.x86_64.bin r,

  # Midori cache (the ** rule already covers the per-file entries that follow)
  /home/*/.cache/midori/** rw,
  /home/*/.cache/midori/web/1930540588 w,
  /home/*/.cache/midori/web/2068877454 w,
  /home/*/.cache/midori/web/2442868640 w,
  /home/*/.cache/midori/web/2709582449 w,
  /home/*/.cache/midori/web/2870961982 w,
  /home/*/.cache/midori/web/3123036655 w,
  /home/*/.cache/midori/web/3922757607 w,
  /home/*/.cache/midori/web/4225863230 w,
  /home/*/.cache/webkit/icondatabase/WebpageIcons.db rwk,

  # Midori configuration (note: "*" does not cross a "/", so subdirectories
  # of .config/midori/ are not matched by these rules)
  /home/*/.config/dconf/user r,
  /home/*/.config/midori/ rw,
  /home/*/.config/midori/* rwk,
  /home/*/.config/midori/config.D9XL4Z rw,
  /home/*/.config/midori/history.db-shm rwk,
  /home/*/.config/midori/running w,
  /home/*/.config/midori/tabby.db-shm rwk,
  /home/*/.config/user-dirs.dirs r,

  # GVFS metadata, Midori profiles and WebKit local storage / icon database
  /home/*/.local/share/gvfs-metadata/home r,
  /home/*/.local/share/gvfs-metadata/home-34641c3f.log r,
  /home/*/.local/share/gvfs-metadata/home-5166a826.log r,
  /home/*/.local/share/midori/apps/ r,
  /home/*/.local/share/midori/profiles/ r,
  /home/*/.local/share/webkit/databases/https_chicago.suntimes.com_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_phonograph2.voxmedia.com_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_secure-assets.rubiconproject.com_0.localstorage w,
  /home/*/.local/share/webkit/icondatabase/ r,
  /home/*/.local/share/webkit/icondatabase/WebpageIcons.db rwk,
  /home/*/.local/share/webkit/icondatabase/WebpageIcons.db-journal rw,

  # Dynamic loader and runtime directories
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /{,var/}run/** mrwk,
}
Syslog excerpt below:
Code:
Jul 10 10:34:27 debian apparmor[3420]: Reloading AppArmor profiles:.
Jul 10 10:34:27 debian systemd[1]: Reloaded AppArmor initialization.
Jul 10 10:34:36 debian kernel: [ 3996.072241] audit_printk_skb: 93 callbacks suppressed
Jul 10 10:34:36 debian kernel: [ 3996.072242] audit: type=1400 audit(1562718876.939:278): apparmor="DENIED" operation="mkdir" profile="/usr/bin/midori" name="/home/a/.config/midori/extensions/libadblock.so/" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 10 10:34:36 debian kernel: [ 3996.072264] audit: type=1400 audit(1562718876.939:279): apparmor="DENIED" operation="mkdir" profile="/usr/bin/midori" name="/home/a/.config/midori/extensions/libadblock.so/" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 10 10:34:36 debian kernel: [ 3996.072276] audit: type=1400 audit(1562718876.939:280): apparmor="DENIED" operation="mkdir" profile="/usr/bin/midori" name="/home/a/.config/midori/extensions/libadblock.so/" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 10 10:34:36 debian kernel: [ 3996.072290] audit: type=1400 audit(1562718876.939:281): apparmor="DENIED" operation="mkdir" profile="/usr/bin/midori" name="/home/a/.config/midori/extensions/libadblock.so/" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 10 10:34:43 debian dbus-daemon[914]: Activating via systemd: service name='org.gnome.zeitgeist.Engine' unit='zeitgeist.service'
Jul 10 10:34:43 debian systemd[897]: Starting Zeitgeist activity log service...
Jul 10 10:34:43 debian zeitgeist-vacuu[3547]: zeitgeist-vacuum.vala:38: Impossible to open database `/home/a/.local/share/zeitgeist/activity.sqlite': unable to open database file
Jul 10 10:34:43 debian systemd[897]: zeitgeist.service: Control process exited, code=exited status=14
Jul 10 10:34:43 debian systemd[897]: Failed to start Zeitgeist activity log service.
Jul 10 10:34:43 debian systemd[897]: zeitgeist.service: Unit entered failed state.
Jul 10 10:34:43 debian systemd[897]: zeitgeist.service: Failed with result 'exit-code'.
Jul 10 10:34:43 debian kernel: [ 4002.305680] audit: type=1400 audit(1562718883.181:282): apparmor="DENIED" operation="mknod" profile="/usr/bin/midori" name="/home/a/.local/share/webkit/databases/https_en.wikipedia.org_0.localstorage" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Code:
a@debian:~$ lsb_release -da
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 9.9 (stretch)
Release: 9.9
Codename: stretch
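As an added example (not part of the original post), a small Python helper that parses the apparmor="DENIED" audit lines out of a syslog excerpt like the one above, counts them per profile/operation/path, and turns each into the candidate path rule that an aa-logprof run would propose. The sample lines are copied from the excerpt; the mapping of the create/delete masks to `w` and of `/home/<user>/` to `/home/*/` follows the convention used in the posted profile and is an assumption about how the rules should be expressed.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the syslog excerpt in the post,
# including one non-AppArmor line that the parser must skip.
SAMPLE_LOG = """\
Jul 10 10:34:36 debian kernel: [ 3996.072242] audit: type=1400 audit(1562718876.939:278): apparmor="DENIED" operation="mkdir" profile="/usr/bin/midori" name="/home/a/.config/midori/extensions/libadblock.so/" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 10 10:34:36 debian kernel: [ 3996.072264] audit: type=1400 audit(1562718876.939:279): apparmor="DENIED" operation="mkdir" profile="/usr/bin/midori" name="/home/a/.config/midori/extensions/libadblock.so/" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 10 10:34:43 debian systemd[897]: Failed to start Zeitgeist activity log service.
Jul 10 10:34:43 debian kernel: [ 4002.305680] audit: type=1400 audit(1562718883.181:282): apparmor="DENIED" operation="mknod" profile="/usr/bin/midori" name="/home/a/.local/share/webkit/databases/https_en.wikipedia.org_0.localstorage" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Audit mask letters -> profile permission letters. "c" (create) and "d"
# (delete) have no rule letter of their own; "w" grants both (assumption
# matching aa-logprof's translation).
MASK_TO_PERM = {"c": "w", "d": "w", "r": "r", "w": "w", "a": "a",
                "m": "m", "k": "k", "l": "l", "x": "x"}

def parse_apparmor_line(line):
    """Return the key=value fields of an apparmor="DENIED" line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields

def summarize_denials(text):
    """Count denials keyed by (profile, operation, path, denied_mask)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_apparmor_line(line)
        if f and "name" in f:
            counts[(f["profile"], f["operation"], f["name"], f["denied_mask"])] += 1
    return counts

def suggest_rule(name, denied_mask):
    """Build a profile rule for one denied path, generalising the home dir."""
    path = re.sub(r"^/home/[^/]+/", "/home/*/", name)   # match the posted profile
    wanted = {MASK_TO_PERM.get(ch, ch) for ch in denied_mask}
    perms = "".join(p for p in "rwamklx" if p in wanted)  # canonical letter order
    return f"{path} {perms},"

def denials_to_rules(text):
    """Unique, sorted candidate rules for every denied path in the excerpt."""
    return sorted({suggest_rule(name, mask)
                   for (_profile, _op, name, mask) in summarize_denials(text)})
```

Running denials_to_rules(SAMPLE_LOG) on the excerpt yields one rule for the extensions directory (trailing slash, as mkdir needs) and one for the wikipedia.org localstorage file, which the posted profile's `*` and per-site rules do not cover.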