Profile creation advice

I want to try making a profile for controlport filter since the transition is complete. I gave up last time because of problems with changing packages when it wasn’t officially included.

If you have any tips on making the profiles feel free to share.

To start, the process of writing a profile is quite simple. For control-port-filter-python, run:

Press (F)inish at the prompt, (S)can does nothing. A profile template is created in /etc/apparmor.d. It’s nearly empty at this stage, and the tedious work begins.

Monitor the apparmor messages with

Restart the application, modify the profile, adding permissions for the denied files, reload the profile in the kernel,

Restart the application… and so on, until no denied messages are shown, and the application is running.

Sounds easy, but generally, you’ll find some obstacles. Just did cpfpd. The profile is quite short, the daemon is running in enforced mode, but there is one denied message left, unknown until now, that apparently cannot be fixed the usual way.

Looking into it, but if this introduction makes sense, please feel free to give it a try.

[code]# Last Modified:
#include <tunables/global>

/usr/sbin/cpfpd {
  #include <abstractions/base>
  #include <abstractions/python>

  /usr/bin/python2.7 ix,
  /usr/sbin/cpfpd r,
  /tmp/** rw,
  /var/tmp/** r,
  /home/user/** r,
  /var/log/control-port-filter-python.log rw,
  /var/run/control-port-filter-python/pid mrakCx,

}
[/code]

All went well until the PID permissions, I don’t know what will make it work. Even giving it memory execution rights doesn’t solve it. I thought the python abstractions should take care of it?

Nearly there :slight_smile:

In the profile, we use “/run” instead of “/var/run”, with rwlk permissions. ‘l’ for link, ‘k’ for lock; it’s standard in “run”, “log”, “tmp”.

If you fix the last line, you’ll get the remaining denied messages (they don’t pop all at once).

Changed the last line to:

and no error messages are generated anymore. Tested with starting, stopping and restarting cpfpd. Is there anything else to test?

No, but it’s surprising you have no more denied messages. There should be /etc/cpfpy.d, where the program reads its configuration file.

Have you checked with

It should show usr.sbin.cpfpd in the list of enforced processes.

[code]# Last Modified:
#include <tunables/global>

/usr/sbin/cpfpd {
  #include <abstractions/base>
  #include <abstractions/python>

  capability dac_override,
  capability setuid,
  capability setgid,
  capability kill,

  /usr/bin/python2.7 ix,
  /usr/sbin/cpfpd r,
  /tmp/** rw,
  /var/tmp/** r,
  /home/user/** r,
  /var/log/control-port-filter-python.log rw,
  /run/control-port-filter-python/** rwlk,

}
[/code]

You’re right, there were more things that needed to be added for it to work. I had to allow these four capabilities for the errors to go away. Capabilities are powerful and may water down the profile strength but I saw no other way.
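The iterative loop described earlier in the thread (collect the denied messages, add permissions, reload, restart) and the capability denials in the post above both come down to reading the kernel's audit lines. The script below is an added example for this thread; it is not part of control-port-filter-python, Whonix, or AppArmor's own tools (aa-logprof does the same job interactively). It parses DENIED lines from a constructed sample in the format the kernel emits, merges the denied masks per path, spells /var/run as /run as advised above, and returns candidate rule lines. The paths in the sample are the ones discussed in this thread; the event numbers and PIDs are made up, and the mask-letter mapping (create/delete to write) and the `ix` choice for exec denials are this script's assumptions.

```python
"""Turn AppArmor DENIED audit lines into candidate profile rules.

Added example for this thread, not code from control-port-filter-python,
Whonix, or AppArmor's tooling. The sample log below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample of kernel audit lines in the format AppArmor emits.
# Paths are the ones discussed in the thread; PIDs and serials are invented.
SAMPLE_LOG = """\
audit: type=1400 audit(1425000000.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/cpfpd" name="/etc/cpfpy.d/30_default.conf" pid=1234 comm="python2.7" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1425000000.102:202): apparmor="DENIED" operation="open" profile="/usr/sbin/cpfpd" name="/run/control-port-filter-python/pid" pid=1234 comm="python2.7" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
audit: type=1400 audit(1425000000.103:203): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/cpfpd" name="/run/control-port-filter-python/pid" pid=1234 comm="python2.7" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
audit: type=1400 audit(1425000000.104:204): apparmor="DENIED" operation="capable" profile="/usr/sbin/cpfpd" pid=1234 comm="python2.7" capability=7  capname="setuid"
audit: type=1400 audit(1425000000.105:205): apparmor="DENIED" operation="open" profile="/usr/sbin/cpfpd" name="/run/tor/control.authcookie" pid=1234 comm="python2.7" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1425000000.106:206): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cpfpd" name="/tmp/x" pid=1234 comm="python2.7" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Mask letters that have no rule spelling of their own (assumption: create
# and delete are covered by write permission, as aa-logprof also does).
MASK_ALIASES = {"c": "w", "d": "w"}
# Canonical order used when printing a rule's permissions.
PERM_ORDER = "mrwalkx"


def parse_audit_line(line):
    """Return the key=value fields of one audit line as a dict."""
    fields = {}
    for m in TOKEN_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def normalize_path(path):
    """Spell /var/run as /run, which is what the thread's final profile uses."""
    if path == "/var/run" or path.startswith("/var/run/"):
        return "/run" + path[len("/var/run"):]
    return path


def suggest_rules(log_text, profile="/usr/sbin/cpfpd"):
    """Collect DENIED events for `profile` and return candidate rule lines.

    File denials for the same path are merged into one rule; capability
    denials become `capability <name>,` lines. ALLOWED (complain-mode)
    events and events belonging to other profiles are ignored.
    """
    file_perms = defaultdict(set)
    caps = set()
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev.get("apparmor") != "DENIED" or ev.get("profile") != profile:
            continue
        if ev.get("operation") == "capable":
            caps.add(ev["capname"])
            continue
        name = ev.get("name")
        mask = ev.get("denied_mask") or ev.get("requested_mask")
        if not name or not mask:
            continue  # signal/ptrace/network denials are not handled here
        for letter in mask:
            file_perms[normalize_path(name)].add(MASK_ALIASES.get(letter, letter))

    rules = ["capability %s," % c for c in sorted(caps)]
    for path in sorted(file_perms):
        perms = file_perms[path]
        if "w" in perms:
            perms.discard("a")  # append is implied by write
        spelled = "".join(p for p in PERM_ORDER if p in perms)
        if "x" in perms:
            # A bare x is not a valid rule. ix (inherit) is the usual choice
            # for an interpreter; check whether Px/Cx fits better.
            spelled = spelled.replace("x", "ix")
        rules.append("%s %s," % (path, spelled))
    return rules


if __name__ == "__main__":
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for rule in suggest_rules(text):
        print("  " + rule)
```

Run it on real messages with `journalctl -k | python3 denied2rules.py` (or `dmesg` piped the same way), paste the lines you agree with into the profile, reload with `apparmor_parser -r /etc/apparmor.d/usr.sbin.cpfpd`, restart the daemon, and repeat: later denials only appear once the earlier ones are allowed, and `aa-status` confirms the profile is in enforce mode. Treat the `capability` lines as questions rather than answers; each one widens what the confined process can do, so it is worth knowing which operation of the daemon actually needs it before adding it.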

Just when I thought everything was working,

cpfpd complains about needing read access to /run/tor/control.authcookie. I give it “r” with no success.

I didn’t notice you had a profile uploaded to git already :slight_smile:

It’s included in 11.0.0.3.0 btw. (Whonix Forum)