Apparmor selectively block internet access [SOLVED]

Kernels, Network, and Services configuration
sickpig
Posts: 589
Joined: 2019-01-23 10:34

Apparmor selectively block internet access [SOLVED]

#1 Post by sickpig »

For the solution, refer to http://forums.debian.net/viewtopic.php?f=16&t=142644

Folks,

I am trying to selectively block applications' Internet access via AppArmor. I am testing it with Midori using the AppArmor profile below.

Code:

# Last Modified: Wed Jul 10 09:17:35 2019
#include <tunables/global>

/usr/bin/midori {
  #include <abstractions/base>
  #include <abstractions/evince>
  #include <abstractions/lightdm>
  #include <abstractions/nameservice>

  # Network: 'deny network,' already covers every address family and
  # socket type, so the more specific rules below are redundant
  # (exact duplicate lines removed; behaviour unchanged).
  deny network,
  deny network inet raw,
  deny network inet6 raw,
  deny network inet  stream,
  deny network inet6 stream,
  deny network inet  dgram,
  deny network inet6 dgram,
  deny @{PROC}/[0-9]*/net/if_inet6 r,
  deny @{PROC}/[0-9]*/net/ipv6_route r,
  deny capability net_raw,
  deny @{PROC}/net/route r,

  /home/*/.Xauthority r,
  /home/*/.cache/gstreamer-1.0/registry.x86_64.bin r,
  /home/*/.cache/midori/** rw,
  /home/*/.cache/midori/web/1930540588 w,
  /home/*/.cache/midori/web/2068877454 w,
  /home/*/.cache/midori/web/2442868640 w,
  /home/*/.cache/midori/web/2709582449 w,
  /home/*/.cache/midori/web/2870961982 w,
  /home/*/.cache/midori/web/3123036655 w,
  /home/*/.cache/midori/web/3922757607 w,
  /home/*/.cache/midori/web/4225863230 w,
  /home/*/.cache/webkit/icondatabase/WebpageIcons.db rwk,
  /home/*/.config/dconf/user r,
  # '*' does not match '/', so creating a nested directory such as
  # extensions/libadblock.so/ is not covered by these two rules; that is
  # what the mkdir denials in the syslog excerpt below are reporting.
  /home/*/.config/midori/ rw,
  /home/*/.config/midori/* rwk,
  /home/*/.config/midori/config.D9XL4Z rw,
  /home/*/.config/midori/history.db-shm rwk,
  /home/*/.config/midori/running w,
  /home/*/.config/midori/tabby.db-shm rwk,
  /home/*/.config/user-dirs.dirs r,
  /home/*/.local/share/gvfs-metadata/home r,
  /home/*/.local/share/gvfs-metadata/home-34641c3f.log r,
  /home/*/.local/share/gvfs-metadata/home-5166a826.log r,
  /home/*/.local/share/midori/apps/ r,
  /home/*/.local/share/midori/profiles/ r,
  # Only these three sites' localstorage files are allowed; any other
  # site's file is denied (the mknod denial for en.wikipedia.org below).
  /home/*/.local/share/webkit/databases/https_chicago.suntimes.com_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_phonograph2.voxmedia.com_0.localstorage w,
  /home/*/.local/share/webkit/databases/https_secure-assets.rubiconproject.com_0.localstorage w,
  /home/*/.local/share/webkit/icondatabase/ r,
  /home/*/.local/share/webkit/icondatabase/WebpageIcons.db rwk,
  /home/*/.local/share/webkit/icondatabase/WebpageIcons.db-journal rw,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /{,var/}run/** mrwk,

}

As you can see, I have added every possible deny network option, but it's still not working.

Syslog excerpt below:

Code:

Jul 10 10:34:27 debian apparmor[3420]: Reloading AppArmor profiles:.
Jul 10 10:34:27 debian systemd[1]: Reloaded AppArmor initialization.
Jul 10 10:34:36 debian kernel: [ 3996.072241] audit_printk_skb: 93 callbacks suppressed
Jul 10 10:34:36 debian kernel: [ 3996.072242] audit: type=1400 audit(1562718876.939:278): apparmor="DENIED" operation="mkdir" profile="/usr/bin/midori" name="/home/a/.config/midori/extensions/libadblock.so/" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 10 10:34:36 debian kernel: [ 3996.072264] audit: type=1400 audit(1562718876.939:279): apparmor="DENIED" operation="mkdir" profile="/usr/bin/midori" name="/home/a/.config/midori/extensions/libadblock.so/" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 10 10:34:36 debian kernel: [ 3996.072276] audit: type=1400 audit(1562718876.939:280): apparmor="DENIED" operation="mkdir" profile="/usr/bin/midori" name="/home/a/.config/midori/extensions/libadblock.so/" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 10 10:34:36 debian kernel: [ 3996.072290] audit: type=1400 audit(1562718876.939:281): apparmor="DENIED" operation="mkdir" profile="/usr/bin/midori" name="/home/a/.config/midori/extensions/libadblock.so/" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 10 10:34:43 debian dbus-daemon[914]: Activating via systemd: service name='org.gnome.zeitgeist.Engine' unit='zeitgeist.service'
Jul 10 10:34:43 debian systemd[897]: Starting Zeitgeist activity log service...
Jul 10 10:34:43 debian zeitgeist-vacuu[3547]: zeitgeist-vacuum.vala:38: Impossible to open database `/home/a/.local/share/zeitgeist/activity.sqlite': unable to open database file
Jul 10 10:34:43 debian systemd[897]: zeitgeist.service: Control process exited, code=exited status=14
Jul 10 10:34:43 debian systemd[897]: Failed to start Zeitgeist activity log service.
Jul 10 10:34:43 debian systemd[897]: zeitgeist.service: Unit entered failed state.
Jul 10 10:34:43 debian systemd[897]: zeitgeist.service: Failed with result 'exit-code'.
Jul 10 10:34:43 debian kernel: [ 4002.305680] audit: type=1400 audit(1562718883.181:282): apparmor="DENIED" operation="mknod" profile="/usr/bin/midori" name="/home/a/.local/share/webkit/databases/https_en.wikipedia.org_0.localstorage" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Code:

a@debian:~$ lsb_release -da
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 9.9 (stretch)
Release:	9.9
Codename:	stretch

Has anyone managed to get AppArmor to block the network?
Last edited by sickpig on 2019-07-10 22:43, edited 1 time in total.
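As an added example (not the poster's code, nor anything from the Debian or AppArmor projects), the following Python parses the kind of type=1400 audit records shown in the syslog excerpt above and reports what AppArmor actually denied. Every record in the excerpt is a file operation carrying a name= field; none carries the family=/sock_type= fields that socket-mediation denials have, which is the pattern you see when network rules load cleanly but the kernel never enforces them. The last function checks whether the running kernel advertises socket mediation under securityfs; the directory names network and network_v8 and the default features path are assumptions stated in the comments.

```python
import os
import re
from collections import Counter

# Constructed sample: two of the AppArmor audit records from the syslog
# excerpt above plus one non-audit line, so the parser has something to skip.
SAMPLE_LOG = """\
Jul 10 10:34:27 debian apparmor[3420]: Reloading AppArmor profiles:.
Jul 10 10:34:36 debian kernel: [ 3996.072242] audit: type=1400 audit(1562718876.939:278): apparmor="DENIED" operation="mkdir" profile="/usr/bin/midori" name="/home/a/.config/midori/extensions/libadblock.so/" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 10 10:34:43 debian kernel: [ 4002.305680] audit: type=1400 audit(1562718883.181:282): apparmor="DENIED" operation="mknod" profile="/usr/bin/midori" name="/home/a/.local/share/webkit/databases/https_en.wikipedia.org_0.localstorage" pid=3521 comm="midori" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

# key="quoted value" or key=bareword, as written by the AppArmor audit hook
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_apparmor_events(text):
    """Return one {field: value} dict per type=1400 AppArmor record."""
    events = []
    for line in text.splitlines():
        if "type=1400" not in line or "apparmor=" not in line:
            continue
        events.append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return events


def denials_by_operation(events):
    """Count DENIED records per (profile, operation)."""
    counts = Counter()
    for e in events:
        if e.get("apparmor") == "DENIED":
            counts[(e.get("profile"), e.get("operation"))] += 1
    return counts


def network_denials(events):
    """Socket-mediation records carry family=/sock_type= fields, file records
    carry name=. An empty result means no network rule ever fired."""
    return [e for e in events if e.get("apparmor") == "DENIED" and "family" in e]


def has_network_feature(entries):
    """Assumption: kernels that mediate sockets expose a 'network' (Ubuntu
    patch set) or 'network_v8' (upstream) directory under the features dir."""
    return bool({"network", "network_v8"} & set(entries))


def network_mediation_advertised(features_dir="/sys/kernel/security/apparmor/features"):
    """False when securityfs is absent or lists no network feature; in that
    case 'deny network' rules are accepted by the parser but never enforced."""
    if not os.path.isdir(features_dir):
        return False
    return has_network_feature(os.listdir(features_dir))


if __name__ == "__main__":
    evs = parse_apparmor_events(SAMPLE_LOG)
    for (profile, op), n in sorted(denials_by_operation(evs).items()):
        print(f"{profile}: {op} denied {n}x")
    print("network denials in sample:", len(network_denials(evs)))
    print("kernel advertises socket mediation:", network_mediation_advertised())
```

Feed it the real journal or /var/log/syslog instead of SAMPLE_LOG to see whether any denial on the host ever carried a family= field.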

Head_on_a_Stick
Posts: 13446
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Apparmor selectively block internet access

#2 Post by Head_on_a_Stick »

GarryRicketson
Posts: 5871
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Apparmor selectively block internet access [SOLVED]

#4 Post by GarryRicketson »

If there is a solution, it should have been posted here, instead of cross posting
and starting another topic on the same subject, making things more confusing.
Please read: Forum guidelines. Please read before first post!
Before you start using Debian User Forums, please observe the following guidelines:

1. Do not cross post. Posting the same topic in more than one category only creates confusion and makes it hard to keep track on the various replies. Double posts will be locked.
Also note: 9.
The language on this board is primarily English but we do not exclude people with little or no English. When replying to posts in other languages please include an English translation. It's a good idea to help non-English speakers find resources in their language.
A forum is a means of written communication so make sure your posts are as readable as possible. That means: Use capital letters and punctuation, and use the formatting features of the forum wisely in order to make your post attractive. Try to avoid 'l33t speak', 'chatspeak,' and 'SMS language'.
There is no need to apologize for poor English skills. We have users from all over the world and trying your best is more than adequate.

Deb-fan
Posts: 1042
Joined: 2012-08-14 12:27

Re: Apparmor selectively block internet access [SOLVED]

#5 Post by Deb-fan »

Bad sickpig, bad, bad! No cross posting, dude. Just saw a joke post opp and couldn't resist. Don't know crap-all about AppArmor, so nothing useful to offer on the topic. Guessing it's well documented though, and have seen a few say using it is a step in the right direction. If nobody knows how to use it effectively, not sure how or who it's a right step for.

I run a custom kernel with support for AppArmor compiled out, so it isn't a step I'm taking atm. Looks like it's that ever popular time again. Time to research, learn and read the docs! :)

sickpig
Posts: 589
Joined: 2019-01-23 10:34

Re: Apparmor selectively block internet access [SOLVED]

#6 Post by sickpig »

GarryRicketson wrote:If there is a solution, it should have been posted here, instead of cross posting
and starting another topic on the same subject, making things more confusing.

I haven't started multiple threads asking for help.
I started this thread, which was resolved by the howto created by me, which I have linked in the first line of my first post in this thread.

I will write how I want; I don't tell you how to write.
Go ahead and lock it if you feel that will add to your productivity. See if I care.
Godspeed.

sickpig
Posts: 589
Joined: 2019-01-23 10:34

Re: Apparmor selectively block internet access [SOLVED]

#7 Post by sickpig »

Deb-fan wrote:Bad sickpig, bad, bad! No cross posting, dude.
Not a cross-post.
This one was for support.

The other one is a howto. I felt like sharing the solution back with the community, and aren't howtos the place for them?
I have personally learnt a lot from all the howtos compiled in one section, and have also learned a lot by reading posts, but the best part about howtos is that everything is compiled in one section, no need to jump across different threads.

AppArmor is the bomb. I have been auditing all my apps and restricting their access levels to the strictest level possible without breaking their functionality.

GarryRicketson
Posts: 5871
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Apparmor selectively block internet access [SOLVED]

#8 Post by GarryRicketson »

The solution to the question should have been posted in the same topic where the question was asked. If you wanted to also start a How-to topic, that is fine, no problem, and you did.
As for this:
sickpig>I will write how I want; I don't tell you how to write.
Go ahead and lock it if you feel that will add to your productivity. See if I care.
Godspeed.
That is not up to me, but you have said this before, when others also commented on your sloppy writing. If you are writing in your personal diary, yes, indeed, write however you want.
These boards are public, and you should respect the requests that you at least make some effort to write your sloppy posts better. Instead, you seem to enjoy trying to turn the forum into a pig sty, and disregard those requests.
Thank you for making my day.

sunrat
Global Moderator
Posts: 3768
Joined: 2006-08-29 09:12
Location: Melbourne, Australia

Re: Apparmor selectively block internet access [SOLVED]

#9 Post by sunrat »

sickpig wrote:I will write how I want; I don't tell you how to write.
Go ahead and lock it if you feel that will add to your productivity. See if I care.
Godspeed.
OK, I get it, you are not very good at English. At least start to care a bit. You are a bee's willy away from being added to a few people's foes lists.
http://forums.debian.net/ucp.php?i=zebr ... dd=sickpig
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

sickpig
Posts: 589
Joined: 2019-01-23 10:34

Re: Apparmor selectively block internet access [SOLVED]

#10 Post by sickpig »

@GarryRicketson, I can very well reply in the same vein as yours, but I choose not to, as from reading your previous posts I know you are sensitive to what's posted. And I defer to your seniority. Respect.

@sunrat, grammatically I doubt you can find anything amiss to say I am not very good at English; spelling-wise I don't care.
I wonder how you divine I'm close to being added to the foes list of many people, but be that as it may. Few things you can control, most you can't. I don't even know the repercussions of being in the foes list, so I don't really care :D

GarryRicketson
Posts: 5871
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Apparmor selectively block internet access [SOLVED]

#11 Post by GarryRicketson »

Deb-fan wrote:No worries, am mildly inebriated by this point. So not overly concerned. Am sure it's a long way from the worst Debian forum transgression ever committed. Though you know what they say, arguing on a gnu/nix forum is like competing in the Special Olympics: even if someone wins, they're still just a retard. :D
Being a drunken boozer is no excuse for being an offensive, rude person, and this is just plain offensive. My granddaughter recently won 2nd prize in a competition that is similar to the Special Olympics; she may have some handicaps, but is far from being "just a retard". Most of those "just retards", as you call them, work very hard at doing the best they can in difficult circumstances.
Anyway, we are not "just retards", as you seem to think. I am not arguing, just saying.

sickpig
Posts: 589
Joined: 2019-01-23 10:34

Re: Apparmor selectively block internet access [SOLVED]

#12 Post by sickpig »

@GarryRicketson, if you read the other "vent" thread, he has already apologised to you.

Am I cross-posting?

http://forums.debian.net/viewtopic.php? ... 02#p702398
Deb-fan wrote:^@Garry never meant that comment in such a fashion. Was mostly an attempt at a joke to defuse a situation. Am sure your grandkid is a lovely person. No offense was meant, you're obviously a good nixer, keep being that please. Apologize for any offense, wasn't intended as that.

sunrat
Global Moderator
Posts: 3768
Joined: 2006-08-29 09:12
Location: Melbourne, Australia

Re: Apparmor selectively block internet access [SOLVED]

#13 Post by sunrat »

sickpig wrote:@sunrat, grammatically I doubt you can find anything amiss to say I am not very good at English; spelling-wise I don't care.
I wonder how you divine I'm close to being added to the foes list of many people, but be that as it may. Few things you can control, most you can't. I don't even know the repercussions of being in the foes list, so I don't really care :D
It's your spelling that gives readers the impression you are not good at English. Spare a thought for those who are not native speakers and use a translation service to read the forum.

sickpig
Posts: 589
Joined: 2019-01-23 10:34

Re: Apparmor selectively block internet access [SOLVED]

#14 Post by sickpig »

sunrat wrote:It's your spelling that gives readers the impression you are not good at English.
Who made you the authority to speak on behalf of others? This is the language that I know, call it english or whatever. (Beware of the non-capitalisation of the proper noun English.)
You speak or write however you want to, I don't give a hoot.
Don't impose on anyone else.
Live and let live, man.
Historically, conflicts have started when one section of humanity starts imposing, saying my way is right.

pylkko
Posts: 1800
Joined: 2014-11-06 19:02

Re: Apparmor selectively block internet access [SOLVED]

#15 Post by pylkko »

sickpig wrote: Who made you the authority to speak on behalf of others? This is the language that I know, call it english or whatever. (Beware of the non-capitalisation of the proper noun English.)
You speak or write however you want to, I don't give a hoot.
Don't impose on anyone else.
Live and let live, man.
Historically, conflicts have started when one section of humanity starts imposing, saying my way is right.
Uhm... no. You are, either deliberately or out of ignorance, failing to see the difference between the social cognition that evolution has given us and deliberate systematic social violence/injustice. The way that you write gives me the impression that you are either very young, naive or dumb, and I many times have to take a double take (that is, reread) on your sentences (annoying). However, that does not mean that I am imposing anything on you.

Maybe we can find middle ground and agree that we all are allowed to respond to your posts like this:

"yoz in da meaning I cc are u in. for gazzin in c"


Please then don't impose any of your rules on me, don't attempt to disallow this very productive and pragmatic over-zealous application of anarchistic freedom on language. Because clearly that is unjust.

sickpig
Posts: 589
Joined: 2019-01-23 10:34

Re: Apparmor selectively block internet access [SOLVED]

#16 Post by sickpig »

Thanks for reading and then double reading my posts of your own free will. The operative expression is "of your own free will".

pylkko
Posts: 1800
Joined: 2014-11-06 19:02

Re: Apparmor selectively block internet access [SOLVED]

#17 Post by pylkko »

sickpig wrote:Thanks for reading and then double reading my posts of your own free will. The operative expression is "of your own free will".
I do it because I would like to be a kind person, and I don't think that you are making my life hard in an act of aggression, only because you are inexperienced and naive; you maybe think that you have the answers to life, whereas in reality it appears to be a never-ending, growing pile of challenges to balance. Otherwise I would, I don't know, "flame". That is an old "power word" our people used before you were born, lol. Joking; don't take it too seriously.

sickpig
Posts: 589
Joined: 2019-01-23 10:34

Re: Apparmor selectively block internet access [SOLVED]

#18 Post by sickpig »

pylkko wrote:I do it because I would like to be a kind person, and I don't think that you are making my life hard in an act of aggression, only because you are inexperienced and naive; you maybe think that you have the answers to life, whereas in reality it appears to be a never-ending, growing pile of challenges to balance. Otherwise I would, I don't know, "flame". That is an old "power word" our people used before you were born, lol. Joking; don't take it too seriously.
Thanks for being helpful and kind. Your help is much appreciated. About answers, me knows nothing. There are 100 questions in the world, me has 0 answers :)
