
I have an AppArmor profile which allows everything except for writing to /etc/hosts. I would like to also make it impossible to execute iptables. Other than that, I want bash to behave completely normally. The following is the policy I have, but it has no effect on iptables. I'd like to understand why and what I can do about it.

#include <tunables/global>

profile /usr/bin/bash {
  # Allow everything
  capability,
  network,
  mount,
  remount,
  umount,
  pivot_root,
  ptrace,
  signal,
  dbus,
  unix,
  file,
  change_profile,

  # But deny write access to /etc/hosts
  deny /etc/hosts w,
  deny /usr/bin/iptables x,
}

After verifying that the bash process is in enforce mode, I get the following result.

> which iptables
/usr/bin/iptables
> iptables
iptables v1.8.11 (legacy): no command specified

I would expect a permission denial.

  • In this setup, assuming the user has root (because /bin/iptables is already nonfunctional without root), what stops the user from copying the executable to some other location and executing it through a different path? What is it that you're even trying to protect against? Commented Aug 18 at 8:33
  • In the current policy, nothing stops that. I'd have to make it unreadable also. I'm just trying to make it much more difficult to disable iptables for self-control reasons. Denying read to iptables also has no effect on whether it's executable, it seems. Commented Aug 18 at 8:57

1 Answer

The problem is that iptables was a symlink. Apparently symlinks can be used to bypass AppArmor. That's pathetic. I updated the policy to block xtables-legacy-multi and it worked fine.

# ls -lh /usr/bin/iptables
lrwxrwxrwx 1 root root 20 22 mar 18.58 /usr/bin/iptables -> xtables-legacy-multi
# iptables
-bash: /usr/bin/iptables: Permission denied
  • It might be surprising if you don’t expect a given command to be a symlink, or if a command changes from being an actual file to being a symlink, but AppArmor resolves symlinks to avoid profiles being worked around using symlinks. A profile blocking xtables-legacy-multi will work on any file linking to that, whereas a profile blocking iptables could be worked around by invoking xtables-legacy-multi directly. Commented Aug 18 at 11:08
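An added example, not code from the question or the answer: a small POSIX shell helper that follows a command's symlink chain the way AppArmor does and emits the deny rule on the resolved file, so the profile ends up naming xtables-legacy-multi rather than the iptables link. It assumes a readlink(1) that accepts a single path argument; the paths it prints come from whatever it is run against.

```shell
#!/bin/sh
# Added example: generate an AppArmor deny rule for the file a command's
# symlink chain finally resolves to, because AppArmor matches the resolved
# path (as the thread above explains), not the name that was typed.
# Assumes POSIX sh plus readlink(1); paths are constructed by the caller.

# Print every link in the chain, then the final non-link path, one per line.
# Relative link targets are resolved against the link's own directory and the
# directory part is canonicalised with `pwd -P`; a loop aborts with status 1.
resolve_chain() {
  p=$1
  hops=0
  while [ -L "$p" ]; do
    printf '%s\n' "$p"
    t=$(readlink "$p")
    case $t in
      /*) ;;                          # absolute target: use as-is
      *)  t=$(dirname "$p")/$t ;;     # relative target: relative to the link
    esac
    p=$(cd "$(dirname "$t")" && pwd -P)/$(basename "$t")
    hops=$((hops + 1))
    if [ "$hops" -ge 40 ]; then
      echo "resolve_chain: symlink loop at $p" >&2
      return 1
    fi
  done
  printf '%s\n' "$p"
}

# Emit a profile fragment: the link names as a comment (for the reader) and a
# single deny rule on the resolved target (what the kernel actually checks).
apparmor_deny_exec() {
  chain=$(resolve_chain "$1") || return 1
  target=$(printf '%s\n' "$chain" | tail -n 1)
  aliases=$(printf '%s\n' "$chain" | sed '$d' | tr '\n' ' ')
  aliases=${aliases% }
  [ -n "$aliases" ] && printf '  # also reached via: %s\n' "$aliases"
  printf '  deny %s x,\n' "$target"
}
```

Running `apparmor_deny_exec /usr/bin/iptables` on a system laid out like the answer's `ls -lh` output prints a deny rule for /usr/bin/xtables-legacy-multi, which is the rule the answer says worked.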
