Apparmor privoxy profile

This blog is an extension of a discussion we had at our LUG regarding security. We are reviewing both apparmor and selinux and started with apparmor.

One advantage of apparmor is that it is relatively easy to learn, but a potential downside is that as an end user you will need to learn to generate and maintain profiles. When learning to write profiles it is best to start with a small, simple application (rather than a large, complex application such as firefox).

In this blog I will review how to generate a profile using privoxy as an example.

If needed, start by installing privoxy and apparmor-utils.

1. Generate a profile for privoxy using aa-genprof:

aa-genprof privoxy
Writing updated profile for /usr/sbin/privoxy.
Setting /usr/sbin/privoxy to complain mode.
Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
Please start the application to be profiled in
another window and exercise its functionality now.
Once completed, select the “Scan” button below in
order to scan the system logs for AppArmor events.
For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.
Profiling: /usr/sbin/privoxy
[(S)can system log for AppArmor events] / (F)inish

2. Open a second terminal and “exercise” privoxy – start and stop it, configure your browser to use privoxy and open a few web pages.

sudo service privoxy start
sudo service privoxy stop
sudo service privoxy restart

3. Return to the first terminal and “Scan” the logs. You will be given a series of choices for apparmor to allow or deny privoxy access to various capabilities and system files. Select an option using the keyboard; I bolded the keys I typed to work through the questions.

[(S)can system log for AppArmor events] / (F)inish
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:
Profile: /usr/sbin/privoxy
Capability: setgid
Severity: 9
[(A)llow] / (D)eny / Audi(t) / Abo(r)t / (F)inish
Adding capability setgid to profile.
Profile: /usr/sbin/privoxy
Capability: setuid
Severity: 9
[(A)llow] / (D)eny / Audi(t) / Abo(r)t / (F)inish
Adding capability setuid to profile.
Profile: /usr/sbin/privoxy
Path: /etc/group
Mode: r
Severity: 4
1 – #include <abstractions/nameservice>
[2 – /etc/group]
[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Profile: /usr/sbin/privoxy
Path: /etc/group
Mode: r
Severity: 4
[1 – #include <abstractions/nameservice>]
2 – /etc/group
[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding #include <abstractions/nameservice> to profile.
Profile: /usr/sbin/privoxy
Path: /etc/privoxy/config
Mode: r
Severity: unknown
[1 – /etc/privoxy/config]
[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /etc/privoxy/config r to profile.
Profile: /usr/sbin/privoxy
[1 – /etc/privoxy/default.action]
[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Profile: /usr/sbin/privoxy
Path: /etc/privoxy/default.action
Mode: r
Severity: unknown
1 – /etc/privoxy/default.action
[2 – /etc/privoxy/*]
[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /etc/privoxy/* r to profile.
Deleted 1 previous matching profile entries.
Profile: /usr/sbin/privoxy
Path: /run/
Mode: w
Severity: unknown
[1 – /run/]
[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /run/ w to profile.
Profile: /usr/sbin/privoxy
Path: /var/log/privoxy/logfile
Mode: w
Severity: 8
[1 – /var/log/privoxy/logfile]
[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /var/log/privoxy/logfile w to profile.
= Changed Local Profiles =
The following local profiles were changed. Would you like to save them?
[1 – /usr/sbin/privoxy]
(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /usr/sbin/privoxy.
Profiling: /usr/sbin/privoxy
[(S)can system log for AppArmor events] / (F)inish

4. Using any editor, review the profile. The one I generated looks like this:

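# Last Modified: Tue Jul 26 21:39:52 2011
/usr/sbin/privoxy {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # privoxy starts as root and switches to its own user and group
  capability setgid,
  capability setuid,

  # read-only access to the configuration files
  /etc/privoxy/* r,
  /run/ w,
  /var/log/privoxy/logfile w,
}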

Note: You will have to allow rw access to the files in /etc/privoxy/* if you wish to configure privoxy via the web interface.

5. Re-load the profile and set apparmor to enforce the profile.

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.privoxy
sudo aa-enforce privoxy
sudo service privoxy restart

6. Privoxy should start and function normally. You can see that apparmor is confining privoxy by reviewing aa-status (privoxy will be listed in the enforcing section).

sudo aa-status

Apparmor logs to /var/log/kern.log and /var/log/syslog
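Once the profile is enforced, anything privoxy needs that the profile does not allow appears in those logs as DENIED events. The following shell function is an added example, not part of the original post: it summarises denials for one profile so each can be reviewed before a rule is added. The function names `sample_log` and `aa_denials` are hypothetical and the log lines are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. The log lines are constructed
# samples in the kernel audit format AppArmor writes to kern.log / syslog.
sample_log() {
cat <<'EOF'
Jul 26 21:45:01 host kernel: [ 101.1] type=1400 audit(1311731101.123:45): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/privoxy" name="/etc/privoxy/user.action" pid=2345 comm="privoxy" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 26 21:45:09 host kernel: [ 109.2] type=1400 audit(1311731109.200:46): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/privoxy" name="/etc/privoxy/user.action" pid=2345 comm="privoxy" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 26 21:45:10 host kernel: [ 110.3] type=1400 audit(1311731110.310:47): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/privoxy" pid=2345 comm="privoxy" capability=1 capname="dac_override"
Jul 26 21:46:00 host kernel: [ 160.4] type=1400 audit(1311731160.400:48): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/privoxy" name="/etc/privoxy/config" pid=2345 comm="privoxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 26 21:46:30 host kernel: [ 190.5] type=1400 audit(1311731190.500:49): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/etc/shadow" pid=999 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# aa_denials PROFILE: read log lines on stdin and print one line per distinct
# denial for PROFILE as "<count> <denied_mask> <path>" or
# "<count> capability <name>". ALLOWED (complain-mode) events are ignored.
aa_denials() {
    awk -v prof="$1" '
    # Return the value of key="value" on the current line, or "" if absent.
    function field(key,    re, s) {
        re = " " key "=\"[^\"]*\""
        if (!match($0, re)) return ""
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s)
        sub(/"$/, "", s)
        return s
    }
    /apparmor="DENIED"/ && field("profile") == prof {
        cap = field("capname")
        # Capability denials carry capname= and no name=/denied_mask= fields.
        k = (cap != "") ? ("capability " cap) : (field("denied_mask") " " field("name"))
        seen[k]++
    }
    END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k2
}

sample_log | aa_denials /usr/sbin/privoxy
```

On a live system, feed it the real log instead, for example `aa_denials /usr/sbin/privoxy < /var/log/kern.log`. A repeated write denial under /etc/privoxy is what the note in step 4 about the web interface would look like in practice.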


9 Responses to Apparmor privoxy profile

  1. simon_g says:

    why bother with Apparmor, when Tomoyo exists?

  2. bodhi.zazen says:

    @simon_g Why use Tomoyo when selinux exists ?

    Use the tool you like, Ubuntu uses Apparmor, Fedora uses selinux, or if you prefer roll your own.

    Personally I am not familiar with Tomoyo, what distro uses / supports it by default? What distro actively maintains integration similar to say selinux in Fedora?

    As this is the first in a series of discussions, and as selinux is next, if you can give me a distro perhaps we can do Tomoyo third.

    But my criteria is that I want to see a major distro support it out of the box (by major distro I mean Fedora, Debian, Ubuntu, Slackware, Arch, SUSE, etc and by out of the box I mean it is installed and configured and working at the time of installation without me needing to go and install it myself).

    Otherwise there are lots of these minor projects, grsecurity being another, that just have not become popular enough to be used by a major distro.

    Apparmor and selinux are the two tools I covered in my LUG as they are the only tools I know of that are used by a major distro out of the box.

  3. bodhi.zazen says:

    @simon_g: I looked at Tomoyo and frankly I am surprised you even mentioned it.

    It looks very similar to Apparmor, except since no major distro uses it, there are no profiles, so as an end user I need to install it, start learning to write policy, and hope I do not make a mistake ?

    So you can download an Ubuntu or Centos live CD, in “learning mode” and start writing your own policies – sounds horrible. Not to mention that the live CDs have an old version of Tomoyo – 1.8.2 while the Tomoyo project’s most recent release is 2.4.x? So the project can not even seem to maintain an up to date live CD?

    I can not recommend Tomoyo to anyone, not when there are more mature options available.

    Perhaps once the project matures and can include some working policies as well as some profiles and debugging tools.

    I would want to see a live Centos , Ubuntu, Fedora, or Debian CD with working profiles and working servers (ssh, http, mysql, php at a minimum) before I even considered looking any further at Tomoyo.

  4. Saint says:

    :D That was a really informative LUG! I am really interested in seeing SELinux next time. I am currently running aa. Thanks!

    I don’t want to crowd the LUG scene with a bunch of security if only I and three others have a mentioned interest in learning it. But I would be thrilled to see SELinux next time.

  5. Pingback: LEAK – d4op gets bored! @d4op « LegionNET

  6. Random Noise says:

    Thanks. Security can seem like a real bother, especially when there seems to be a “learning curve” threatening to toss your cookies into the ditch by the side of the road. Paid internships are a plus in this respect.

  7. Pingback: Christopher Land (deuxciel) | Pearltrees

  8. blastoffset says:

    I have been setting for 8 years or so. This article is very useful. But, little old. Please update this article.

  9. Pingback: Ubuntu:Contain Docker Engine with AppArmor – Ubuntu Linux Questions
