2019年12月11日 星期三

AppArmor for Linux 5 and above (mandatory access control: limits what a compromised service can read, write or execute)

This write-up uses the apparmor 3.1.7 userspace (libapparmor + apparmor_parser) with Linux 5.10 and 6.6 kernels; check the releases page below for newer versions before pinning one.
https://gitlab.com/apparmor/apparmor/-/releases

full source
https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor

1. ########### defconfig ###########
# Minimal LSM stack for the target kernel: AppArmor as the access-control LSM,
# Yama for ptrace restriction, Lockdown compiled in. The "# CONFIG_X is not set"
# lines below are real Kconfig syntax (they pin the symbol to n), not commentary.

# Audit is how AppArmor reports: the "audit: type=1400 ... apparmor=..." lines
# seen in dmesg after loading a profile come from here.
CONFIG_AUDIT=y

CONFIG_SECURITY=y
# securityfs provides /sys/kernel/security; apparmor_parser loads policy through
# /sys/kernel/security/apparmor, so it must be mounted on the target (see below).
CONFIG_SECURITYFS=y
# Hooks AppArmor's path-based file rules and its socket rules are built on;
# SECURITY_APPARMOR selects both of these.
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_PATH=y
CONFIG_SECURITY_APPARMOR=y
# Lets userspace read loaded policy back out of /sys/kernel/security/apparmor
# (e.g. the "profiles" file used below to confirm a profile's mode).
CONFIG_SECURITY_APPARMOR_INTROSPECT_POLICY=y
# Expose a hash of each loaded profile in apparmorfs, enabled by default, so
# what the kernel is actually enforcing can be compared with the compiled policy.
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
# Yama: ptrace scope restriction; the scope itself is a runtime sysctl
# (kernel.yama.ptrace_scope), so set it in the target's sysctl config.
CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
# Legacy default-LSM selector; on these kernels CONFIG_LSM below is what
# actually enables and orders the LSMs ("capability" is always implied first,
# which is why dmesg shows lsm=capability,lockdown,yama,apparmor).
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_LSM="lockdown,yama,apparmor"

# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR_DEBUG is not set
# NOTE(review): with PARANOID_LOAD off the kernel does less validation of the
# policy blob it is handed and relies on apparmor_parser producing well-formed
# output. The parser here is built and uploaded by hand, so consider enabling it.
# CONFIG_SECURITY_APPARMOR_PARANOID_LOAD is not set
# CONFIG_SECURITY_LOADPIN is not set
# CONFIG_SECURITY_SAFESETID is not set
# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set
# Lockdown is built but NOT forced into a mode: with FORCE_NONE it does nothing
# unless "lockdown=integrity" or "lockdown=confidentiality" is on the kernel
# command line, or a mode is written to /sys/kernel/security/lockdown at runtime.
CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
# CONFIG_SECURITY_LANDLOCK is not set
# No IMA/EVM: neither the uploaded profiles nor apparmor_parser itself are
# measured or appraised, so the integrity of /etc/apparmor.d rests entirely on
# filesystem ownership and permissions.
# CONFIG_INTEGRITY is not set
# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
# CONFIG_DEFAULT_SECURITY_DAC is not set

2. ########### Makefile ###########
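# AppArmor userspace: libapparmor (static) + apparmor_parser, built out of tree
# from $(APPARMOR_SRC_DIR) into $(APPARMOR_BUILD_DIR). SOURCE_DIR, OBJS_DIR and
# STAGING_DIR come from the enclosing build, so the path variables stay
# recursively expanded (=) in case those are assigned after this file is read.
APPARMOR_NAME      := apparmor
APPARMOR_VERSION   := 3.1.7
APPARMOR_SRC_DIR    = $(SOURCE_DIR)/$(APPARMOR_NAME)-$(APPARMOR_VERSION)
APPARMOR_BUILD_DIR  = $(OBJS_DIR)/$(APPARMOR_NAME)-$(APPARMOR_VERSION)

# apparmor_parser runs as root and turns policy text into a kernel blob, so
# compile it with a stack protector and fortified libc calls and link it with
# full RELRO. These values are passed verbatim on the configure/make command
# lines below and therefore REPLACE the upstream Makefiles' own flags; anything
# upstream would have added must be listed here. _FORTIFY_SOURCE needs -O1 or
# higher, which -Os satisfies; it is -U'd first so a toolchain that predefines
# it does not warn about a redefinition. PIE is deliberately not set here
# because the same LDFLAGS also reach libtool for libapparmor; add -fPIE/-pie
# on the parser build only if wanted.
APPARMOR_CFLAGS    := -Os -fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
APPARMOR_LDFLAGS   := -Wl,-z,relro,-z,now

# Native x86_64 build. The build and host triplets are spelled differently
# ("-unknown-" vs none); after canonicalisation autoconf may treat this as a
# cross build and look for an x86_64-linux-gnu-gcc prefix. Use identical
# triplets if that prefixed compiler is not installed.
APPARMOR_CONFIGURE  = --build=x86_64-unknown-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
APPARMOR_CONFIGURE += --prefix=$(APPARMOR_BUILD_DIR)/build
APPARMOR_CONFIGURE += --disable-man-pages
# No language bindings: the target only needs the C library and the parser.
APPARMOR_CONFIGURE += --without-perl
APPARMOR_CONFIGURE += --without-python
APPARMOR_CONFIGURE += --without-ruby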

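# Phony helper: only guarantees the out-of-tree build directory exists.
# Declared .PHONY so a stray file named "apparmor-update" can never make it
# look up to date.
.PHONY: apparmor-update
apparmor-update:
	@$(CMD_MKDIR) -p $(APPARMOR_BUILD_DIR)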

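# Build libapparmor out of tree, stage it under $(APPARMOR_BUILD_DIR)/build,
# then build apparmor_parser inside the source tree against that staged copy.
# Every step is guarded by an "artefact exists" test, not a freshness test:
# after editing sources, delete the artefact (or the build dir) to force a
# rebuild. autogen.sh is re-run on every invocation; the later guards skip the
# expensive steps. USE_SYSTEM=1 stops the parser Makefile from looking for
# libapparmor in ../libraries; the -I/-L flags point it at the staged copy.
# Declared .PHONY because the source tree name starts with "apparmor".
.PHONY: apparmor
apparmor: apparmor-update
	@cd $(APPARMOR_SRC_DIR)/libraries/libapparmor && ACLOCAL_PATH=$(STAGING_DIR)/usr/share/m4 ./autogen.sh
	[ -f $(APPARMOR_BUILD_DIR)/Makefile ] || (cd $(APPARMOR_BUILD_DIR) && $(APPARMOR_SRC_DIR)/libraries/libapparmor/configure $(APPARMOR_CONFIGURE) \
		CFLAGS='$(APPARMOR_CFLAGS)' CXXFLAGS='$(APPARMOR_CFLAGS)' LDFLAGS='$(APPARMOR_LDFLAGS)')
	[ -f $(APPARMOR_BUILD_DIR)/build/lib/libapparmor.a ] || $(MAKE) -C $(APPARMOR_BUILD_DIR) install
	[ -f $(APPARMOR_SRC_DIR)/parser/apparmor_parser ] || ($(MAKE) -C $(APPARMOR_SRC_DIR)/parser \
		USE_SYSTEM=1 \
		CFLAGS='$(APPARMOR_CFLAGS) -I$(APPARMOR_BUILD_DIR)/build/include' \
		CXXFLAGS='$(APPARMOR_CFLAGS) -I$(APPARMOR_BUILD_DIR)/build/include' \
		LDFLAGS='$(APPARMOR_LDFLAGS) -L$(APPARMOR_BUILD_DIR)/build/lib')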

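# Install apparmor_parser into the target root filesystem. Root runs this
# binary to compile and load policy, so it is installed with an explicit 0755
# mode (not copied with whatever mode the build left) and stripped in place.
# Refuses to run with an empty DESTDIR: that would overwrite and strip the
# host's own /usr/bin/apparmor_parser.
.PHONY: apparmor-install
apparmor-install: apparmor
	@test -n '$(DESTDIR)' || { echo 'apparmor-install: DESTDIR is empty, refusing to install into the host /' >&2; exit 1; }
	@$(CMD_INSTALL) -m 755 -d $(DESTDIR)/etc/apparmor.d
	@$(CMD_INSTALL) -m 755 -d $(DESTDIR)/usr/bin
	$(CMD_INSTALL) -m 755 $(APPARMOR_SRC_DIR)/parser/apparmor_parser $(DESTDIR)/usr/bin/apparmor_parser
	$(CMD_STRIP) $(DESTDIR)/usr/bin/apparmor_parser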

3. after target boot
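# apparmor_parser reads /etc/apparmor/parser.conf on the target; create it empty
# so the parser stops warning about it. touch creates the file without needing
# a display (gedit does) and does not truncate it if options are added later;
# the directory may not exist yet on a freshly flashed target.
mkdir -p /etc/apparmor && touch /etc/apparmor/parser.conf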

4. 
gedit /etc/apparmor.d/myextend.po
# Confine the web-portal CGI. Loaded with "apparmor_parser -r" (see step 7);
# start in --complain mode and read the ALLOWED events before switching to enforce.
# NOTE(review): there is no "abi <abi/4.0>," rule. With a 3.x parser the abi rule
# decides which mediation classes (e.g. network) are compiled into the policy;
# confirm what default the 3.1.7 parser applies when it is absent, because a
# network-facing CGI with no network rules and no abi line may be unmediated on
# the socket side. The 3.x spelling is "include <...>"; "#include" is still
# accepted.
#include <tunables/global>
profile myextend /volume0/usr/builtin/webman/portal/apis/external/myextend.cgi {
    #include <abstractions/base>

    # The confined binary itself: r = read, m = map as executable,
    # ix = execute and inherit this profile (no transition to another profile).
    /volume0/usr/builtin/webman/portal/apis/external/myextend.cgi rmix,

    # Shared libraries: mr = map executable + read. abstractions/base is
    # commonly expected to cover /lib and /usr/lib already (verify on this
    # target); the /volume0 copies are the NAS-specific additions.
    /lib/*.so*             mr,
    /usr/lib/*.so*         mr,
    /volume0/lib/*.so*     mr,
    /volume0/usr/lib/*.so* mr,

    # NOTE(review): a fixed file name in world-writable /tmp, written by a CGI
    # under whatever uid the portal runs it as, is a classic symlink/pre-creation
    # target; prefer a private directory owned by the service (e.g. under
    # /var/log or /run). "w" only: the CGI cannot read its own log back.
    /tmp/myextend.log        w,
}

5.
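# Upload the base policy the profile depends on (tunables/, abstractions/ and
# abi/ from the 3.1.7 source tree) into /etc/apparmor.d on the target.
# Do not put the root password on the sshpass command line: argv is readable by
# every local user through ps and is written to shell history. Prefer an ssh
# key for root@172.16.3.95; if password auth is unavoidable, hand the password
# to sshpass through the environment (-e) and clear it afterwards.
# apparmor_parser trusts whatever it reads under /etc/apparmor.d, so after the
# copy make sure the tree is root-owned and not group/world-writable.
read -rs -p "root@172.16.3.95 password: " SSHPASS; echo
export SSHPASS
for d in tunables abstractions abi; do
    sshpass -e scp -r ~/source/apparmor-3.1.7/profiles/apparmor.d/"$d" root@172.16.3.95:/etc/apparmor.d
done
unset SSHPASS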

6. 
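# apparmor_parser talks to the kernel through /sys/kernel/security/apparmor, so
# securityfs must be mounted. Mount only if it is not already (a second mount on
# the same mountpoint fails), and add the mount to the target's fstab or init
# so it survives a reboot.
grep -qs '^securityfs /sys/kernel/security ' /proc/mounts || mount -t securityfs securityfs /sys/kernel/security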

7.
# syntax check only: -p preprocesses and prints the profile without loading it into the kernel; a parse error fails the command
apparmor_parser -p /etc/apparmor.d/myextend.po

# enforce mode: -r (replace) loads the profile, replacing any already-loaded profile of the same name; violations are logged as apparmor="DENIED" and blocked
apparmor_parser -r /etc/apparmor.d/myextend.po

# complain mode: the profile is loaded but violations are only logged (apparmor="ALLOWED"), not blocked — exercise the CGI's normal workload here, add the missing rules, then reload without --complain
apparmor_parser -r --complain /etc/apparmor.d/myextend.po

# after loading, confirm the mode from securityfs and watch for ALLOWED/DENIED events; if an audit daemon is running they land in /var/log/audit/audit.log instead of dmesg. The STATUS line below records the load itself, not a violation
root@AS6806T-CBA2:/volume1 # cat /sys/kernel/security/apparmor/profiles
myextend (complain)
root@CBA1:/volume1 # dmesg | grep apparmor | tail -30
[    2.073507] LSM: initializing lsm=capability,lockdown,yama,apparmor
[ 4547.330419] audit: type=1400 audit(1781067345.648:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="myextend" pid=7338 comm="apparmor_parser"

# unload the profile from the kernel (-R); the file on disk is left in place
apparmor_parser -R /etc/apparmor.d/myextend.po

# show the parser's default optimisation passes (policy DFA optimisation; affects blob size/load time, not what is enforced)
echo "" | apparmor_parser -O show 2>&1
Optimize=expr-normalize, expr-simplify, minimize, diff-encode


  1. Adding binder IPC filtering to the command set would be better
    https://fatalfeel.blogspot.com/2013/12/binder-on-ubuntu-process-to-process.html

  2. SVM can detect user abnormal activity
    https://fatalfeel.blogspot.com/2022/04/hog-pca-svm-slider-nms-in-c.html
