Securing Applications with Apparmor

Captions
Welcome back everybody. Today we're going to be taking a look at securing applications with AppArmor. AppArmor is a kernel security module that's available with SUSE and Debian based distributions, and it allows you to limit the capabilities of an application, such as its ability to read and write to the file system and to the network. The difference between something like AppArmor and traditional file based permissions is that AppArmor is mandatory access control, where your typical file permissions are discretionary. So with a mandatory access control system even the root user has to abide by it, and you'll see that in just a minute when we hop into it.

So let's go ahead and get started. In order to follow along, the first thing you're going to have to do is install the AppArmor utils. You can do that through the command prompt using sudo apt install apparmor-utils, and I've already installed it. With that out of the way, let's take a look at the first example that I've put together for us, and we'll do this in real time so you can see all of the troubleshooting steps that are involved.

So the first thing we're going to do is take a look at sample1.c, and you can see in here it's a very simple program. Basically all it does is take a command line argument, write some random output to that file, and then close it out. So let's go ahead and compile this and then run it. So if we do gcc sample1.c -o sample, and then ./sample test1, you can see that it wrote to it. So let's go ahead and remove test1 and we'll generate an AppArmor profile for it.

The first thing we're going to do is take a look at the AppArmor status and make sure that there's nothing already running for it, so we'll run sudo aa-status. If we scroll up you can see that there's no profile for sample. We have 22 that are in enforce mode, which means they're actually being enforced by AppArmor; we have two profiles that are in complain mode, which means that if something violates the AppArmor profile it's not going to stop it, it's simply going to log it; and then we have four processes that are also in enforce mode.

So let's go ahead and generate a profile for it. To generate the profile we're going to use sudo aa-genprof, and if you don't specify an absolute path, for example if we say ping, it's going to search in your PATH variable. So for this we need to specify an absolute path, so it's going to be /home/nathan/Desktop/sample. Once we do this we're going to need to open up another terminal and run it, so we'll open up another terminal, do ./sample test1, and just test1. Then we'll close that out and we will scan, and it's going to say that we need write permissions to Desktop/test1, which is true, so we're going to allow it, and then we're going to save it and finish.

So let's go ahead and clear that and we'll take a quick look at the actual profile. So we'll sudo vim /etc, these are stored in apparmor.d, and then we're going to look for home.nathan.Desktop.sample. So it's the absolute path of the program, just instead of slashes it's going to have dots. So let's go ahead and take a look in here and see what it created for us. You can see that we have the #include <abstractions/base>, and that is not a comment, it's just how they do includes, kind of like with C. And then you can see here we can read /home/nathan/Desktop/sample, and then we can write to /home/*, so nathan or any other user, but only if you're the owner of it, and then Desktop/test1.

So let's go ahead and close that out and rerun sample: ./sample test1, and that should work. But now let's go ahead and rerun it and do test2, and it fails. So let's try sudo ./sample test2, and it fails again. So even the root user can't create test2. Let's see why that's the case. Let's go back into the profile. So we can see here in the profile we only have write permissions to write to a file called test1. If we wanted to be able to write files of any name to the Desktop we're going to have to modify this, and we'll go ahead and put a star. If you put a star, that means only the top level directory, so anything in Desktop. If you created another directory in Desktop, say Desktop/tests, and you wanted to write into there, you'd have to do two stars, but for this we only need one. So we'll put the star, write, quit. We're going to have to disable it and then we're going to have to re-enforce it, and then we can try it again. So we'll do ./sample test2, see if it works, how about three, four. Excellent, so we got that one working.

All right, let's take a look at our second example. This time instead of a binary we are going to be sandboxing a bash script. So it's here, sample2, let's take a look at it. So we have #!/usr/bin/env bash, and then we are going to wget the latest kernel from kernel.org and drop it into the Downloads directory, and after it downloads we're going to list out all the contents of that directory. So it actually seems pretty simple, but there is quite a bit that's going on here. For example, in this very top line we're invoking two separate binaries: we're invoking env and then we're invoking bash. The next line down we're invoking yet another binary, wget, and then we're having it reach out to the internet and then writing to Downloads. And then we're invoking yet another binary, which is ls, which is reading the Downloads directory. So even though you would think that sandboxing a bash script would be simple, it's actually a little more complicated than sandboxing a binary. But let's take a look at it and see if we can do it.

So just like the last time we're going to use sudo aa-genprof, and then we have to specify the absolute path to it, so it's going to be /home/nathan/Desktop/sample2.sh. Then we're going to open up another terminal and we're going to run it. So we're going to run ./sample2.sh. I didn't give it execute permission, so we're going to use chmod +x sample2.sh, and then we're going to run it. Good, let's close out of here. We're going to scan. We are going to inherit it, so it's trying to use bash, which it needs to use, and tty because it's outputting to the terminal. And then we're going to save the changes, we're going to finish, clear it.

Let's go ahead and take a look at the profile. So we'll use sudo vim /etc/apparmor.d, and then it's going to be home.nathan.Desktop.sample2.sh. You can see here that we have two abstractions, base and consoles, and then we have read permissions to sample2.sh, and we have execute permissions to bash and env. So let's see if that allows us to execute it. We'll quit, clear that, and we'll do ./sample2.sh again, and we have permission denied. So we're not allowed to use wget and we're not allowed to use ls. Well, when this happens it still updates the log even though it's in enforce mode, so at this point we can use sudo aa-logprof, and then you want to look here and make sure that it's for the correct profile. So we're going to inherit wget and we're going to inherit ls, and then we're going to allow the wgetrc, so we're going to allow it. We're going to allow writing to Downloads, we're going to allow writing to Downloads again (that's because I think I ran it twice), and then we're going to save it, clear it.

Then let's take a look at the profile one more time before we run it, sample2. Okay, so this is what we have now: we have read permissions to sample2, we have write permissions to the Downloads directory, and then we have write permissions for the actual name of the download, so the linux-5.11.10, and then you can see it .1 and .2. So let's close that out and we'll run it one more time. So we'll do ./sample2.sh, and it's downloading it and it saved it. Let's try it one more time. Great, and it looks like it's working, but it's really not working, because let's run it one more time and see if we can increment that up to three. So now you're seeing that we're getting a permission denied, because it's trying to write the linux-5.11 but it's appending it with .3 this time.

So let's go ahead and fix that. We are going to sudo vim /etc/apparmor.d and then home...sample2, and we can fix that right here. So we'll just remove the line, and we'll go up and then delete all of this, and just like last time we will give it a star here. We'll write, quit that, and then we need to sudo aa-disable sample2, and then we need to enforce it. Great, and now it should be able to write it. Yep, every time we download it now it should be able to increment.

Now as you likely noticed, when we were using the aa-genprof command, and especially the aa-logprof command, instead of just hitting A for allow or I to inherit, you probably noticed that it had a globbing option. So that is the wildcard at the end. If we take a look again here at the profile, if we jump to the end, here we have the star for the globbing. We put that in manually, but if you use aa-logprof and aa-genprof it does have the option to put it in automatically. I didn't use it, because if you do use it through aa-logprof and aa-genprof the permissions that you give to the profile tend to get carried away pretty quickly, so any globbing I like to do manually. But there is nothing wrong at all with using that through aa-logprof or aa-genprof. And that is how you secure applications using AppArmor. Remember, if you found this video helpful, be sure to like and subscribe. Thank you.
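The two profiles the video builds, written out as an added example so the before-and-after rules can be compared side by side. This is not code from the video or from the AppArmor project. Taken from the captions: the paths under /home/nathan/Desktop, the test1 and Downloads write rules, the base and consoles abstractions, the inherit (ix) execute rules, the wgetrc read and the dotted profile-file naming. Assumed: the function names, the exact binary locations (/usr/bin/env, /usr/bin/bash, /usr/bin/wget, /usr/bin/ls), the mr mode on the sample binary, and the nameservice abstraction and network rules that wget needs for DNS and TCP, which the captions do not mention.

```shell
#!/bin/sh
# Added example (not the video's code): rebuilds the two AppArmor profiles
# described in the captions and the dotted profile-file naming rule.
# Assumed: function names, /usr/bin/* binary paths, and the nameservice and
# network rules for wget (not mentioned in the video).

# AppArmor stores a profile under /etc/apparmor.d named after the program's
# absolute path with every "/" turned into ".", so
# /home/nathan/Desktop/sample -> home.nathan.Desktop.sample
profile_name() {
    printf '%s\n' "$1" | sed 's#^/##; s#/#.#g'
}

# Profile for the compiled sample program. The commented-out rule is the
# exact-file rule aa-genprof produced from the test1 run; the active rule is
# the single-star glob added by hand, which covers any file directly under
# Desktop but not files in sub-directories (those would need a "**" glob).
write_sample_profile() {    # $1 = output directory
    cat > "$1/$(profile_name /home/nathan/Desktop/sample)" <<'EOF'
#include <tunables/global>

/home/nathan/Desktop/sample {
  #include <abstractions/base>

  /home/nathan/Desktop/sample mr,
  # generated from the test1 run: only that one file name, owner only
  # owner /home/*/Desktop/test1 w,
  # manual glob: any file directly under Desktop, still owner only
  owner /home/*/Desktop/* w,
}
EOF
}

# Profile for sample2.sh. Every program the script runs needs its own execute
# rule; "ix" (inherit) keeps the child confined by this same profile. The
# per-file Downloads entries aa-logprof recorded (linux-5.11.10.tar.xz, .1,
# .2) are replaced by one glob so the next download is not denied.
write_script_profile() {    # $1 = output directory
    cat > "$1/$(profile_name /home/nathan/Desktop/sample2.sh)" <<'EOF'
#include <tunables/global>

/home/nathan/Desktop/sample2.sh {
  #include <abstractions/base>
  #include <abstractions/consoles>
  # assumed, not shown in the video: DNS lookups and TCP for wget
  #include <abstractions/nameservice>
  network inet stream,
  network inet6 stream,

  /home/nathan/Desktop/sample2.sh r,
  /usr/bin/env ix,
  /usr/bin/bash ix,
  /usr/bin/wget ix,
  /usr/bin/ls ix,

  owner /home/*/.wgetrc r,
  owner /home/*/Downloads/ w,
  owner /home/*/Downloads/* w,
}
EOF
}

# True when the profile has an active (uncommented) owner write rule that
# ends in a single-star glob, i.e. the fix applied in the video.
has_glob_rule() {           # $1 = profile file
    grep -Eq '^[[:space:]]*owner [^#]*/\* w,$' "$1"
}

# Loading an edited profile (root on an AppArmor host): the video disables
# the profile and then re-enforces it so the kernel picks up the new rules.
reload_profile() {          # $1 = absolute path of the confined program
    aa-disable "$1"
    aa-enforce "$1"
    aa-status | grep -F "$1"
}

# Stand-alone run: "sh apparmor_profiles.sh write /tmp/profiles" writes both
# profiles to a scratch directory for inspection; nothing is loaded.
if [ "${1:-}" = "write" ]; then
    out=${2:-/tmp/apparmor-example}
    mkdir -p "$out"
    write_sample_profile "$out"
    write_script_profile "$out"
    ls -l "$out"
fi
```

The single-star glob is deliberately narrow: it grants write access only to files directly inside Desktop or Downloads, so a path such as Desktop/tests/file is still denied, which is the distinction the video draws between one star and two.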
Info
Channel: SecureRandom
Views: 1,196
Keywords: linux, apparmor, security, sandboxing
Id: 0t-UZFBNyF0
Length: 13min 2sec (782 seconds)
Published: Sat Mar 27 2021