[opensuse-security] Confining Java applications

How do you best confine Java applications using AppArmor? Can you just confine the Java interpreter itself or can you confine the Java *.jar package? I think this is similar to shell scripts? Shell scripts consist of individual application calls that render just confining the interpreter useless I guess? So, how to handle Java applications? And what is the target for aa-genprof in that setting? The Java interpreter, the *.jar package or both, like aa-genprof "/usr/bin/java foo.jar"? Thanks

Hello,

On Sunday, 24 August 2014, pinguin74 wrote:
> How do you best confine Java applications using AppArmor?

I don't know much about Java, but let me answer nevertheless ;-)

> Can you just confine the Java interpreter itself or can you confine the Java *.jar package?

Confining the interpreter is not a good idea IMHO - that would be like confining bash or perl, which is a) not a good idea, b) can break other users of $interpreter or c) you'll need a profile that allows everything every user of $interpreter needs - which means you won't have many restrictions left.

I'm not aware of a way to confine a *.jar (but, see above, I don't know much about Java). _If_ it's possible to run a *.jar with ./foo.jar then it might also be possible to create a profile for it - just try it ;-) (hint: aa-genprof ./foo.jar)

IMHO the easiest way is to write a small wrapper script that starts "java foo.jar" and to create a profile for this wrapper script (with ix or Cx for java).

If you start your *.jar with a systemd service file, then newer versions of systemd also allow you to specify the profile to use in the service file. ("Newer versions" probably means only openSUSE Factory at the moment, but I never tested this feature.)

Regards,

Christian Boltz
--
And I think we'd be much more successful if we could deliver functional NetworkManager and updater applets for the first time in years, than providing some hyped "innovation".
[Martin Schlander in opensuse-project]

>> Can you just confine the Java interpreter itself or can you confine the Java *.jar package?
> Confining the interpreter is not a good idea IMHO - that would be like confining bash or perl, which is a) not a good idea, b) can break other users of $interpreter or c) you'll need a profile that allows everything every user of $interpreter needs - which means you won't have many restrictions left.
> I'm not aware of a way to confine a *.jar (but, see above, I don't know much about Java).

I solved it now this way, created a small wrapper script java-foo.sh with this content:

    #!/bin/sh
    java -jar /bin/foo.jar

then I confined the wrapper script java-foo.sh. Works well and has the advantage to have a profile for every individual *.jar package. As a basis I used abstractions/ubuntu-browsers.d/java and built a profile upon this abstraction. Works like a charm.

I just don't know yet how to handle links in AA. I added

    /usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/bin/java rix,

to my profile, because I wasn't able to confine the link /usr/bin/java

Still need to learn proper link handling in AA...
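
On the link question that closes the thread, an added example that is not part of either poster's message: AppArmor matches path rules against the file a symlink resolves to, so this sketch resolves java and sh with readlink -f and prints a starting profile for the wrapper. The wrapper location /usr/local/bin/java-foo.sh, the function names and the temporary symlink tree are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): print a starting-point AppArmor profile
# for a Java wrapper script, naming resolved binaries instead of symlinks.

# Print the final target of a path, following every symlink in the chain.
resolve_exec() {
    readlink -f "$1"
}

# emit_profile WRAPPER JAR JAVA_LINK SH_LINK
# Prints a profile skeleton; refine it with aa-logprof in complain mode.
emit_profile() {
    wrapper=$1 jar=$2
    java_real=$(resolve_exec "$3") || return 1
    sh_real=$(resolve_exec "$4") || return 1
    cat <<EOF
#include <tunables/global>

$wrapper {
  #include <abstractions/base>
  # abstraction named in the thread as the basis for the profile
  #include <abstractions/ubuntu-browsers.d/java>

  $wrapper r,
  $sh_real ix,
  $java_real rix,
  $jar r,
}
EOF
}

# Constructed sandbox that mimics a typical alternatives chain:
# bin/java -> alternatives/java -> jvm/jre/bin/java, and bin/sh -> dash
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/alternatives" "$root/jvm/jre/bin"
    : > "$root/jvm/jre/bin/java"
    : > "$root/bin/dash"
    ln -s "$root/jvm/jre/bin/java" "$root/alternatives/java"
    ln -s "$root/alternatives/java" "$root/bin/java"
    ln -s dash "$root/bin/sh"
    printf '%s\n' "$root"
}

demo_root=$(make_demo_tree)
# /usr/local/bin/java-foo.sh is an assumed install path for the wrapper.
emit_profile /usr/local/bin/java-foo.sh /bin/foo.jar \
    "$demo_root/bin/java" "$demo_root/bin/sh"
rm -rf "$demo_root"
```

On a real system, pass /usr/bin/java and /bin/sh as the last two arguments; the printed rules then carry the resolved JVM and shell paths, which is the form the rix rule in the message above already uses.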
participants (2): Christian Boltz, pinguin74