
List:       suse-security
Subject:    Re: [opensuse-security] AppArmor and blocking network connections
From:       Crispin Cowan <crispin () crispincowan ! com>
Date:       2007-11-09 18:46:57
Message-ID: 4734AB21.30909 () crispincowan ! com

Andreas Bolsch wrote:
> The problem I'm considering is the following (openSuSE 10.3):
>
> Some proprietary software is based on the client-server model, the communication
> takes place via a TCP socket. Since I don't want to trust this software too
> much, I've restricted file access of both the client and server via AppArmor
> profiles.
>
> Unfortunately, both components need "network inet(6) stream" facility due to the
>  TCP socket usage. But this means there is no possibility to prevent remote TCP
> communication any more?! So although file accesses are restricted, there is no
> way to stop that software from sending e.g. usage statistics or other
> confidential information to somewhere.
>   
Network access control is a new feature in AppArmor 2.1 (what's in
openSUSE 10.3) and it is only partially there. Currently it gives you
very coarse-grained control: a program either can or cannot use TCP,
UDP, etc.

The next version of AppArmor should have better granularity, so that you
can specify basically firewall rules in your profile. However, I no
longer speak for Novell
<http://www.news.com/8301-13580_3-9796140-39.html> and it is unclear to
me when this will happen due to staff shortages.

> The only possibility I can see right now is to block outbound TCP traffic via
> iptables using e.g. "--cmd-owner" matching rules. But the man page says this
> is broken on SMP machines, hence not useable.
>   
Worse, I think it no longer works at all. The approach it was using to
get per program rule matching simply didn't work very well. AppArmor is
using the new NetLabel infrastructure added to IPTables to try and do it
better.

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin
CEO, Mercenary Linux		   http://mercenarylinux.com/
	       Itanium. Vista. GPLv3. Complexity at work
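To make the "coarse-grained" point concrete, here is what the confinement Andreas describes looks like as an AppArmor 2.1 profile. This is an added example written for this archive page, not code posted by either participant; the binary path /opt/vendor/bin/client, the file rules and the port mentioned in the comments are assumptions chosen for illustration.

```apparmor
# Added example, not from the thread. Path, file rules and port are
# assumed for a hypothetical proprietary client binary.
#include <tunables/global>

/opt/vendor/bin/client {
  #include <abstractions/base>

  # File access is confined to the program's own tree and its config,
  # which is the part of the confinement that works as intended.
  /opt/vendor/bin/client      mr,
  /opt/vendor/lib/**          mr,
  /opt/vendor/etc/*.conf      r,
  /home/*/.vendor/**          rw,

  # The only network grant AppArmor 2.1 can express: all of TCP, to
  # any peer. There is no rule form here for "only the local server
  # on port 9000"; once these lines are present the program can open
  # a stream socket to any address, so the profile cannot by itself
  # stop outbound reporting to a vendor host.
  network inet stream,
  network inet6 stream,
}
```

If the destination must be restricted on this AppArmor version, the check has to live outside the profile. One option a practitioner can still use on the kernels of that era is to run the program under a dedicated UID and match that in netfilter with the owner match's `--uid-owner` option on the OUTPUT chain, which does not depend on the per-command matching that `--cmd-owner` tried to do; this is an editor's suggestion, not something the original message proposes.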

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org

