December 5, 2006

Firewall your applications with AppArmor

Author: Mayank Sharma

Traditional methods of securing a computer have revolved around controlling access to critical services. So, if you need to secure network applications, you need to police network traffic. But security vendors are realizing that securing a computer, in effect, boils down to protecting the applications instead. Novell's AppArmor is designed with just this is mind.

One would assume defending applications is as easy as guarding the whole gamut of services running on a network attached computer. But applications these days are complex and intertwined, sharing libraries and files scattered all over the disk. More importantly, Discretionary Access Control (DAC) allows a program to run with the permissions of the user executing it, which introduces the possibility of exploiting a defect in the application to gain super user privileges.

With AppArmor, the idea is to defend individual applications against such threats by restricting their access to only the necessary files and libraries. Simply put, it allows one to lock down an application and the files to be accessed with absolute path names, followed by the common read and write access modes.

AppArmor plugs into the Linux Security Model (LSM) kernel interface. LSM is the de-facto API in the Linux kernel that security models must talk to, which can be applied as a patch to a stock kernel.

AppArmor also compliments the DAC model of accessing files under Linux. First, the user running an application must have sufficient permission to run the program and to access any files. Then, AppArmor applies the mechanism of Mandatory Access Control (MAC) by granting programs only the privileges they need to do their job and nothing else. So if program X needs to access a library Y, DAC first ensures it has adequate permissions to do so, before AppArmor comes into the picture and further locks down the privileges.

Using AppArmor

AppArmor actually began life with Immunix, which was acquired by Novell in May 2005. Novell then worked on the closed-source application and released it as free software under the GNU General Public License (GPL) in January 2006. AppArmor is integrated into both of Novell's offerings, the subscription-based SUSE Enterprise Linux and the free openSUSE Linux distribution. If you chose not to install AppArmor during installation, you can do it post-install through SUSE's setup tool, YaST.

AppArmor has its own management section under YaST. From here, you can enable or disable AppArmor as well as add, delete, and update application profiles. Once AppArmor is enabled, it automatically enforces security profiles that are present in the /etc/apparmor.d directory.

AppArmor or SELinux?

The open source security camp is divided into (at least) two factions; one group advocating the easy to use AppArmor and the other rallying behind the more comprehensive SELinux. AppArmor and SELinux have similar goals, but they approach it differently. AppArmor wraps around individual applications and limits its access to the essential libraries and files only.

SELinux is designed to control the whole operating system and even regulate the flow of information within the distribution. SELinux's approach is more comprehensive, and is based on strong security techniques like MAC and Multi-Level Security (MLS). But this makes it rather cumbersome to set up.

While both products are open source, Novell is still in the driver's seat for AppArmor's development. SELinux on the other hand, is developed by several vendors including Red Hat, Tresys, NSA, IBM, HP, and by individual open source developers. Comparing how the tools have evolved would be unfair, since AppArmor is still the new kid on the block. Since being open sourced in late 2000, SELinux has been making steady progress towards being easy to setup and maintain, thanks to several new graphical tools and utilities that make the job easier.

Both solutions are focusing on securing applications that operate on the threshold between the local computer and the outside world. So what should you be running? Well, as things stand currently, the answer depends on what distribution you run. To get the most out of AppArmor you have to be using either the free openSUSE distribution or SUSE Linux for the enterprise. Similarly, Fedora and Red Hat Enterprise Linux users get the maximum benefit of SELinux development.

SUSE ships with profiles for common services such as ntp, netstat, ping, traceroute, and applications such as Firefox. SUSE also includes several profiles under /etc/apparmor/profiles/extras/ for various applications like Gaim, Evolution, RealPlayer, and for several commands and services like useradd, userdel, Squid, Sendmail, and MySQL -- though the README in the directory warns that these profiles haven't been tested enough and should not be used without modifications.

To help you generate profiles, AppArmor includes several console-based as well as graphical tools. Ensure the application isn't running before you pull it up for profiling. AppArmor begins by asking the location of the program you want to profile. It then runs an analysis tool to detect and make note of all library references made by the application. Once completed (it usually takes only few seconds), it switches into a "learning mode" and requests you to start and use the application. Use it to perform all the required functions. Upon completion AppArmor will scan the system logs and generate a series of questions to help you lock down the application.

Here's a portion of a sample profile:


#include <tunables/global>

/usr/bin/ldd {
  #include <abstractions/consoles>

  /dev/log                       w,
  /dev/urandom                   r,

  /usr/lib64/locale/**           r,
  /lib/lib*.so*                  r,

  /dev/null                      rw,
  /dev/zero                      rw,
}

As you can see, a major portion of the profile is nothing but a list of files and libraries the application requires, with absolute pathnames and the access mode. The #include statement pulls in external predefined components of AppArmor into the profile. The profile begins with the absolute path to the application, in this case, /usr/bin/ldd.

Also notice how the wildcard character (*) is used to give read access to every file that begins with lib and has a extension that begins with so. This is to safeguard against future changes to the libraries. The double asterisk (**) is borrowed from rsync. It will include all files, even subdirectories and files under them as well.

Profiles are automatically enforced upon creation. If you make changes to the application or the libraries and files it depends upon, you also need to update the profile accordingly. The AppArmor Administration Guide details the entire procedure of creating, updating, and managing profiles with illustrations.

For creating and editing profiles you need root privileges. But the idea with AppArmor is to neutralize the adverse effects of a compromised application that itself runs as root. If you are a paranoid user and don't trust your new system admin with the root password, use AppArmor to create restricted login shells. This AppArmor FAQ entry, for example, shows how a user can be given some of root's privileges to access the system log, but not the power to reboot the server.

One interesting feature of AppArmor is its ability to run portions of a program protected by a profile in a security context of their own. An application can be made to "change hats" as required to confine a particular sub-process. But for this to work, applications need to be made "change hat" aware. Novell ships the Apache Web server with a special module called mod_change_hat. Using this module, individual PHP pages or CGI scripts can run inside their own security domain without the full privileges of Apache.

Bouquets and Brickbats

For what it promises, AppArmor is fairly simple to roll-out, at least for SUSE users. Installation doesn't require any kernel or application recompilation and is well integrated into both Novell distributions. Even home users of SUSE Linux would find it relatively easy to wrap a secure profile around some of their critical network applications, like the Gaim instant messenger or the Firefox Web browser.

But to extract maximum juice out of AppArmor you really have to know the application thoroughly. Once the profile takes over, access to every feature that you forgot to make it aware of, will be blocked. If you are careless, you can also even trip over AppArmor's flexibility. Read and carefully choose the appropriate permissions for all the references to the various files and libraries. Make careful use of the wildcard characters.

Novell has two guides related to AppArmor, the detailed Administrators Guide and the short Quick Start Guide. Plus they have a FAQ, and several mailing lists as well. As mentioned earlier, there are several profiles included to help you get started. Enterprise users get the benefit of maintenance updates through their SUSE Linux subscription.

Improvements in the pipeline

AppArmor is under heavy development. While it is well integrated into the Novell distributions, you could also use AppArmor with Slackware. An Ubuntu port is also under way. To make AppArmor smarter, the developers have plans to use a better static analyzer in place of the current one that just recursively runs ldd to list shared library calls. Also under works is a smarter learning mode that will help administrators save time, by not reporting actions that have already been reported.

AppArmor is limited to guarding applications that have profiles. The plan for the future is to have a blanket profile for all applications that do not have a dedicated profile. By following a blacklist approach, this profile could deny access to key files in the distribution (/etc/sudoers, /etc/shadow) unless there is an application with a profile that is allowed access.

Conclusion

AppArmor is a very mature tool and Novell continues to develop it further. Like I have said throughout the article, it doesn't require a 500-page manual to get started with. But like every security tool, you must learn to use it properly. It's fairly easy to use from within the two SUSE variants but to reach the masses it has to be supported by other distributions as well. With mixed reactions to the recent Novell-Microsoft partnership, AppArmor could face some resistance from other distribution vendors.

Category:

  • Security
Click Here!