[opensuse-security] AppArmor and blocking network connections
The problem I'm considering is the following (openSuSE 10.3):

Some proprietary software is based on the client-server model, the communication takes place via a TCP socket. Since I don't want to trust this software too much, I've restricted file access of both the client and server via AppArmor profiles.

Unfortunately, both components need "network inet(6) stream" facility due to the TCP socket usage. But this means there is no possibility to prevent remote TCP communication any more?! So although file accesses are restricted, there is no way to stop that software from sending e.g. usage statistics or other confidential information to somewhere.

The only possibility I can see right now is to block outbound TCP traffic via iptables using e.g. "--cmd-owner" matching rules. But the man page says this is broken on SMP machines, hence not usable.

Is there any way to restrict network access to either a specific interface (lo) or to "local" destination via AppArmor? If not, this might be a useful extension as the usage case described above is certainly quite common.

Regards,
Andreas Bolsch
Andreas Bolsch wrote:
The problem I'm considering is the following (openSuSE 10.3):
Some proprietary software is based on the client-server model, the communication takes place via a TCP socket. Since I don't want to trust this software too much, I've restricted file access of both the client and server via AppArmor profiles.
Unfortunately, both components need "network inet(6) stream" facility due to the TCP socket usage. But this means there is no possibility to prevent remote TCP communication any more?! So although file accesses are restricted, there is no way to stop that software from sending e.g. usage statistics or other confidential information to somewhere.
Network access control is a new feature in AppArmor 2.1 (what's in openSUSE 10.3) and it is only partially there. Currently it gives you very coarse-grained control: a program either can or cannot use TCP, UDP, etc. The next version of AppArmor should have better granularity, so that you can specify basically firewall rules in your profile. However, I no longer speak for Novell (http://www.news.com/8301-13580_3-9796140-39.html) and it is unclear to me when this will happen due to staff shortages.
The only possibility I can see right now is to block outbound TCP traffic via iptables using e.g. "--cmd-owner" matching rules. But the man page says this is broken on SMP machines, hence not useable.
Worse, I think it no longer works at all. The approach it was using to get per-program rule matching simply didn't work very well. AppArmor is using the new NetLabel infrastructure added to IPTables to try and do it better.

Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin
CEO, Mercenary Linux http://mercenarylinux.com/
Itanium. Vista. GPLv3. Complexity at work
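The thread leaves the problem unresolved: the AppArmor 2.1 "network inet stream" rule is all-or-nothing, and the iptables "--cmd-owner" match is reported as unreliable. The script below is an added example (not code from the thread or from the AppArmor project) that combines the two controls the posters mention: an AppArmor profile confining file access while keeping the coarse network rule, plus an iptables OUTPUT fragment that uses the per-uid owner match ("--uid-owner", which remained supported after the command-name match went away) to limit that user's TCP traffic to the loopback interface. The program path /opt/vendor/client and the dedicated user "vendorapp" are assumed, hypothetical values.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed (hypothetical) values: the
# confined program lives at /opt/vendor/client and runs as the dedicated
# user "vendorapp"; its uid is looked up only at apply time.
PROGRAM=${PROGRAM:-/opt/vendor/client}
APP_USER=${APP_USER:-vendorapp}

# AppArmor 2.1-style profile: file access is confined, but the network rule is
# all-or-nothing, so the profile alone cannot pin TCP to loopback.
apparmor_profile() {
    prog=$1
    cat <<EOF
$prog {
  #include <abstractions/base>
  network inet stream,
  network inet6 stream,
  $prog mr,
  /opt/vendor/** r,
  /home/*/.vendor/** rw,
}
EOF
}

# iptables-restore fragment for the filter table: traffic generated by the
# given uid may reach loopback; any other TCP is reset, everything else dropped.
iptables_rules() {
    uid=$1
    cat <<EOF
*filter
-A OUTPUT -m owner --uid-owner $uid -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner $uid -p tcp -j REJECT --reject-with tcp-reset
-A OUTPUT -m owner --uid-owner $uid -j DROP
COMMIT
EOF
}

# With --apply (as root) load both; otherwise just print them for review.
if [ "$1" = "--apply" ]; then
    uid=$(id -u "$APP_USER") || exit 1
    profile_file="/etc/apparmor.d/$(printf '%s' "$PROGRAM" | sed 's,^/,,; s,/,.,g')"
    apparmor_profile "$PROGRAM" > "$profile_file"
    apparmor_parser -r "$profile_file"
    iptables_rules "$uid" | iptables-restore -n
else
    apparmor_profile "$PROGRAM"
    iptables_rules "UID_OF_$APP_USER"
fi
```

The ACCEPT rule must precede the REJECT/DROP rules, and "-n" keeps iptables-restore from flushing rules already present in the filter table. The profile still needs "network inet stream" for the local socket, which is exactly why the address restriction has to come from iptables rather than from the profile on this AppArmor version.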