Nov 12, 2011

Running stuff like firefox, flash and skype with apparmor

Should've done it a long time ago, actually. I was totally sure it'd be much harder task, but then recently I've had some spare time and decided to do something about this binary crap, and looking for possible solutions stumbled upon apparmor.

A while ago I've used SELinux (which was the reason why I thought it'd have to be hard) and kinda considered LSM-based security as kind of heavy-handed no-nonsense shit you chose NOT to deal with if you have such choice, but apparmor totally proved this to be a silly misconception, which I'm insanely happy about.
With apparmor, it's just one file with a set of permissions, which can be loaded/enforced/removed at runtime, no xattrs (and associated maintenance burden) or huge and complicated policies like SELinux has.
For good whole-system security SELinux still seem to be a better approach, but not for confining a few crappy apps on a otherwise general system.
On top of that, it's also trivially easy to install on a general system - only kernel LSM and one userspace package needed.

Case in point - skype apparmor profile, which doesn't allow it to access anything but ~/.Skype, /opt/skype and a few other system-wide things:

#include <tunables/global>
/usr/bin/skype {
  #include <abstractions/base>
  #include <abstractions/user-tmp>
  #include <abstractions/pulse>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>
  #include <abstractions/fonts>
  #include <abstractions/X>
  #include <abstractions/freedesktop.org>
  #include <abstractions/kde>
  #include <abstractions/site/base>
  #include <abstractions/site/de>

  /usr/bin/skype mr,
  /opt/skype/skype pix,
  /opt/skype/** mr,
  /usr/share/fonts/X11/** m,

  @{PROC}/*/net/arp r,
  @{PROC}/sys/kernel/ostype r,
  @{PROC}/sys/kernel/osrelease r,

  /dev/ r,
  /dev/tty rw,
  /dev/pts/* rw,
  /dev/video* mrw,

  @{HOME}/.Skype/ rw,
  @{HOME}/.Skype/** krw,

  deny @{HOME}/.mozilla/ r, # no idea what it tries to get there
  deny @{PROC}/[0-9]*/fd/ r,
  deny @{PROC}/[0-9]*/task/ r,
  deny @{PROC}/[0-9]*/task/** r,
}

"deny" lines here are just to supress audit warnings about this paths, everything is denied by default, unless explicitly allowed.

Compared to "default" linux DAC-only "as user" confinement, where it has access to all your documents, activities, smartcard, gpg keys and processes, ssh keys and sessions, etc - it's a huge improvement.

Even more useful confinement is firefox and it's plugin-container process (which can - and does, in my configuration - have separate profile), where known-to-be-extremely-exploitable adobe flash player runs.
Before apparmor, I mostly relied on FlashBlock extension to keep Flash in check somehow, but at some point I noted that plugin-container with libflashplayer.so seem to be running regardless of FlashBlock and whether flash is displayed on pages or not. I don't know if it's just a warm-start, check-run or something, but still looks like a possible hole.
Aforementioned (among others) profiles can be found here.
I'm actually quite surprised that I failed to find functional profiles for common apps like firefox and pulseaudio on the internets, aside from some blog posts like this one.
In theory, Ubuntu and SUSE should have these, since apparmor is developed and deployed there by default (afaik), so maybe google just haven't picked these files up in the package manifests, and all I needed was to go over them by hand. Not sure if it was much faster or more productive than writing them myself though.
Member of The Internet Defense League