Apparmor full system implementation help

user596374

3/31/24, 3:51 PM

I am trying to implement Apparmor full system implementation on Ubuntu Bionic in AWS EC2 instances. https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy#distribution

My goal is employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

I have a couple of questions:

Following the link, I am not able to do profile init-systemd /lib/systemd/** because udevd and timesyncd disrupts the boot up process and box fails to reboot. So I have individually captured everything in /lib/systemd and added it to /etc/initramfs-tools/scripts/init-bottom/apparmor file.

echo "profile init-systemd /lib/systemd/systemd-logind flags=(complain) {}" | /sbin/apparmor_parser -a

echo "profile lib-systemd-systemd-journald /lib/systemd/systemd-journald flags=(complain) {}" | /sbin/apparmor_parser -a

echo "profile init-systemd /lib/systemd/systemd flags=(complain) {}" | /sbin/apparmor_parser -a

What can I do for udevd and timesyncd? How can I include them and still get a functioning box.

Secondly, right now I am passing empty profiles in /etc/initramfs-tools/scripts/init-bottom/apparmor. What is the best way to identify the permissions I should be giving in the profiles to achieve my goal?

Any help would be appreciated. Thanks

102

1 + 0

security

apparmor

secure-boot

18.04

Score:1

Ubuntu

Saxtheowl

4/3/24, 12:10 PM

you can start by creating profiles in complain mod for udevd and timesyncd this way you can log violations without actually enforcing.

first we create the profiles

sudo touch /etc/apparmor.d/lib-systemd-udevd
sudo touch /etc/apparmor.d/lib-systemd-timesyncd

then edit them sudo nano /etc/apparmor.d/lib-systemd-udevd add those lines

#include <tunables/global>

/lib/systemd/systemd-udevd flags=(complain) {

}

then reload the profiles and set the complain mod:

sudo apparmor_parser -r -C /etc/apparmor.d/lib-systemd-udevd
sudo apparmor_parser -r -C /etc/apparmor.d/lib-systemd-timesyncd

then reboot and just check the logs sudo journalctl -b | grep apparmor

You can do the same to identify required permissions for other profiles.

+ 1

user596374

4/3/24, 11:15 PM

I tried what you suggested. In attempt one, I left the `init-bottom/apparmor` un touched & created profile for udevd in apparmor.d dir, reload the profiles and did a reboot. Post reboot I grepped for apparmor in journald but nothing related to udev showed up, there were several messages for journald comm=systemd-journal. So I added profile lib-systemd-systemd-journald in complain mode, updated initramfs. Added blank profile in apparmor.d dir too and rebooted. Post reboot, several messages for journald, tried using aa-logprof to augment the profile in apparmor.d but no success.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Apparmor full system implementation help

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.