AppArmor : プロファイルを作成する : aa-genprof2023/07/13 |
|
[aa-genprof] でプロファイルを新規作成します。
|
|
| [1] | |
| [2] | 例として、簡易なテストスクリプトを作成し、そのスクリプトが正常に動作できるように AppArmor プロファイルを作成します。 |
|
# テストスクリプト作成
root@dlp:~# cat > /usr/local/bin/nodejs_test.js <<'EOF'
var http = require('http');
var server = http.createServer(function(req, res) {
res.write("Hello, This is the Node.js Simple Web Server!\n");
res.end();
}).listen(8080);
EOF
root@dlp:~# node /usr/local/bin/nodejs_test.js & [1] 834 root@dlp:~# curl localhost:8080 Hello, This is the Node.js Simple Web Server!
root@dlp:~#
kill 834 # テストスクリプト用のプロファイルを作成する root@dlp:~# aa-genprof /usr/bin/node
Updating AppArmor profiles in /etc/apparmor.d.
Writing updated profile for /usr/bin/node.
Setting /usr/bin/node to complain mode.
Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles
Profiling: /usr/bin/node
Please start the application to be profiled in
another window and exercise its functionality now.
Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.
For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.
[(S)can system log for AppArmor events] / (F)inish
Setting /usr/bin/node to enforce mode.
# ここで標準出力がストップする
# この状態で 別端末を開く等して 対象プログラムで必要な操作を全て実行する
# 全ての必要な操作実行後に [f(F)] キーを押下すると
# 以下のようなメッセージが表示され [aa-genprof] は終了する
Reloaded AppArmor profiles in enforce mode.
Please consider contributing your new profile!
See the following wiki page for more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles
Finished generating profile for /usr/bin/node.
# [aa-genprof] でプロファイルを作成した場合 [enforce] モード管理下となる root@dlp:~# aa-status apparmor module is loaded. 11 profiles are loaded. 11 profiles are in enforce mode. /usr/bin/man /usr/bin/node /usr/lib/NetworkManager/nm-dhcp-client.action /usr/lib/NetworkManager/nm-dhcp-helper /usr/lib/connman/scripts/dhclient-script ..... ..... # 作成されたプロファイル root@dlp:~# cat /etc/apparmor.d/usr.bin.node
# Last Modified: Fri Dec 16 13:37:55 2022
abi <abi/3.0>,
include <tunables/global>
/usr/bin/node {
include <abstractions/base>
/usr/bin/node mr,
}
# プログラム起動 # * 必要な操作が足りていなかった場合はアクセス拒否が発生しエラーとなる root@dlp:~# node /usr/local/bin/nodejs_test.js Cannot load externalized builtin: "internal/deps/cjs-module-lexer/lexer:/usr/share/nodejs/cjs-module-lexer/lexer.js". 1: 0x7ff733bf4a98 node::Abort() [/lib/x86_64-linux-gnu/libnode.so.108] 2: 0x7ff733bd54eb [/lib/x86_64-linux-gnu/libnode.so.108] ..... ..... # 正常動作しない場合は [complain] モードにして必要な操作を全て実行しロギングする root@dlp:~# aa-complain /usr/bin/node Setting /usr/bin/node to complain mode. root@dlp:~# node /usr/local/bin/nodejs_test.js & [1] 1165 root@dlp:~# curl localhost:8080 Hello, This is the Node.js Simple Web Server!
root@dlp:~#
kill 1165
# ログに記録された、プロファイルでは許可されなかった操作を読み込む # ログは Auditd インストール済みの場合は [/var/log/audit/audit.log] # Auditd 未インストールの場合は [/var/log/syslog] root@dlp:~# aa-logprof Updating AppArmor profiles in /etc/apparmor.d. Reading log entries from /var/log/audit/audit.log. Complain-mode changes: Profile: /usr/bin/node Capability: dac_override Severity: 9 [1 - capability dac_override,] (A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish # ポリシー違反となったアクセスについて 許可/拒否/無視/まとめて許可 等々を選択する Adding capability dac_override, to profile. Profile: /usr/bin/node Path: /usr/share/nodejs/cjs-module-lexer/lexer.js New Mode: owner r Severity: unknown [1 - owner /usr/share/nodejs/cjs-module-lexer/lexer.js r,] (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish # 以下 ロギングされた違反について全て対応を選択する Adding owner /usr/share/nodejs/cjs-module-lexer/lexer.js r, to profile. Profile: /usr/bin/node Path: /usr/share/nodejs/cjs-module-lexer/dist/lexer.js New Mode: owner r Severity: unknown [1 - owner /usr/share/nodejs/cjs-module-lexer/dist/lexer.js r,] (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish Adding owner /usr/share/nodejs/cjs-module-lexer/dist/lexer.js r, to profile. ..... ..... = Changed Local Profiles = The following local profiles were changed. Would you like to save them? [1 - /usr/bin/node] (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t Writing updated profile for /usr/bin/node. # [enforce] モードに戻し 以下のように正常に動作すれば OK root@dlp:~# aa-enforce /usr/bin/node root@dlp:~# node /usr/local/bin/nodejs_test.js & [1] 1185 root@dlp:~# curl localhost:8080 Hello, This is the Node.js Simple Web Server!
root@dlp:~#
kill 1185
# 許可ポリシーが追加されたプロファイル root@dlp:~# cat /etc/apparmor.d/usr.bin.node
# Last Modified: Wed Jul 12 22:46:46 2023
abi <abi/3.0>,
include <tunables/global>
/usr/bin/node {
include <abstractions/apache2-common>
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/openssl>
capability dac_override,
/usr/bin/node mr,
owner /dev/ttyS0 rw,
owner /usr/local/bin/nodejs_test.js r,
owner /usr/share/nodejs/acorn-walk/dist/walk.js r,
owner /usr/share/nodejs/acorn/dist/acorn.js r,
owner /usr/share/nodejs/cjs-module-lexer/dist/lexer.js r,
owner /usr/share/nodejs/cjs-module-lexer/lexer.js r,
owner /usr/share/nodejs/undici/undici-fetch.js r,
}
|
| Sponsored Link |