First written 2022-12-14; Last updated 2022-12-14
AppArmor does not restrict access to UNIX sockets in regular Linux kernels. As UNIX sockets are used by specifying a path, one would assume that AppArmor restricts access to them. However, only the kernel in Ubuntu and derivatives (but not Debian and derivatives!) provides proper access control for UNIX sockets. Two kinds of restrictions are necessary: to create/use UNIX sockets and to limit access to certain paths (path arbitration, which is how AppArmor works for regular files).
UNIX sockets are used by many services for local communication, including D-Bus. Restrictions which are configured via AppArmor have no effect on these sockets on kernels without this support! AppArmor does not warn about this fact.
Last verified on Debian GNU/Linux Bullseye (default 5.10 kernel and backports 6.0 kernel), Arch (6.0 kernel) and Ubuntu 22.04 (5.15 kernel) using AppArmor command line utilities version 2 and 3.
To verify if UNIX sockets are restricted by AppArmor, use the following basic profile and save it to /etc/apparmor.d/usr.bin.nc.openbsd (on Debian and derivatives; Arch uses usr.bin.nc; adapt paths on other systems):
profile /usr/bin/nc.openbsd {
/usr/lib/** mr,
}
AppArmor version 3 is more restrictive and also restricts creation/usage of UNIX sockets (these are enabled by default via <abstractions/base> for regular profiles); use the following profile there:
abi <abi/3.0>,
profile /usr/bin/nc.openbsd {
/usr/lib/** mr,
unix (create),
}
Enable the profile with:
aa-enforce usr.bin.nc.openbsd
Then use nc (from the package netcat-openbsd on Debian and derivatives, openbsd-netcat on Arch) to verify whether connections to the system D-Bus socket are still possible:
nc -U /run/dbus/system_bus_socket
If a permission denied error is printed, then AppArmor restricts access to UNIX sockets. Otherwise, it does not!
To verify that AppArmor is actually enforcing the profile, run the following command while nc is running:
aa-status
It should show something like:
7 profiles are in enforce mode.
[...]
/usr/bin/nc.openbsd
[...]
1 processes are in enforce mode.
/usr/bin/nc.openbsd (1182)
Additionally, after running the nc command, dmesg should contain the following audit log entry because the profile doesn't permit access to /etc/ld.so.cache:
audit: type=1400 audit(1671001273.813:13): apparmor="DENIED" operation="open" profile="/usr/bin/nc.openbsd" name="/etc/ld.so.cache" pid=1822 comm="nc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Only Ubuntu’s kernel restricts access to the socket path and thus also contains the following log entry:
audit: type=1400 audit(1671003430.819:62): apparmor="DENIED" operation="connect" profile="/usr/bin/nc.openbsd" name="/run/dbus/system_bus_socket" pid=3857972 comm="nc" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
On Ubuntu access can be permitted by adding the following line to the profile:
/run/dbus/system_bus_socket rw,
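The two audit entries above are the whole signal: a connect denial on the socket path only appears when the kernel mediates UNIX socket paths. The following POSIX shell script is an added example (not part of the original note) that reads dmesg-style output and reports which of the two cases applies for a given profile; the log lines embedded in it are constructed, modelled on the entries quoted above, and the profile name /usr/bin/nc.openbsd is the one from this note.

```shell
#!/bin/sh
# Added example: classify AppArmor DENIED audit lines (as printed by dmesg)
# to tell whether the running kernel mediates UNIX socket paths.
# The sample below is constructed, modelled on the two entries in the note.
SAMPLE_DMESG='audit: type=1400 audit(1671001273.813:13): apparmor="DENIED" operation="open" profile="/usr/bin/nc.openbsd" name="/etc/ld.so.cache" pid=1822 comm="nc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1671003430.819:62): apparmor="DENIED" operation="connect" profile="/usr/bin/nc.openbsd" name="/run/dbus/system_bus_socket" pid=3857972 comm="nc" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0'

# Extract the value of key="..." from one audit line ($1 = line, $2 = key).
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p"
}

# Read audit lines on stdin and print one verdict for profile $1:
#   socket-path-mediated : a DENIED socket operation (connect/bind/...) on a
#                          socket path was logged, i.e. an Ubuntu-style kernel
#   file-only            : only file operations (open etc.) were denied, so
#                          the profile is enforced but sockets are not mediated
#   no-denials           : the profile produced no DENIED entries at all
socket_mediation_verdict() {
    profile="$1"; seen=0; socket=0
    while IFS= read -r line; do
        case "$line" in *'apparmor="DENIED"'*) ;; *) continue ;; esac
        [ "$(audit_field "$line" profile)" = "$profile" ] || continue
        seen=1
        case "$(audit_field "$line" operation)" in
            connect|bind|sendmsg|recvmsg) socket=1 ;;
        esac
    done
    if [ "$socket" -eq 1 ]; then echo socket-path-mediated
    elif [ "$seen" -eq 1 ]; then echo file-only
    else echo no-denials; fi
}
```

On a live host, after running the nc probe from the note, pipe the real output into the function, e.g. `dmesg | socket_mediation_verdict /usr/bin/nc.openbsd` (reading dmesg may require root).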