AppArmor and Capabilities

albiurs

Hi,

In "Lab 33.2. Explore the AppArmor Security"
https://trainingportal.linuxfoundation.org/learn/course/linux-system-administration-essentials-lfs207/linux-security-modules/lab-exercises?page=2

...the capabilities commands getcap and setcap are used, whereas these commands are nowhere described before in this chapter 33.

In which way are they part of the AppArmor framework? I'm asking because if I read through the man pages of these commands, AppArmor is not referenced anywhere. So, are they independent commands or interconnected in some way with AppArmor? And why are they used at this point in the Lab (1. - 3.) before the AppArmor Profiles are set up (4. - ...)?

Thanks,
Urs

albiurs

...As an addition to my question above, why do we need to set an AppArmor profile for the new /bin/ping-x application? Even after a reboot, it already works as expected, after setting the capabilities with
sudo setcap cap_net_raw+ep /bin/ping-x

Could you please explain that too?

Thanks,
Urs

albiurs

Could anyone please answer this one too?

Thanks,
Urs

luisviveropena

Hi Urs,

In which way are they part of the AppArmor framework? I'm asking because if I read through the man >pages of these commands, AppArmor is not referenced anywhere. So, are they independent commands >or interconnected in some way with AppArmor?

AppArmor is related to 'getcap' and 'setcap' tools, and they can work together. But you also can work with 'getcap' and 'setcap' without AppArmor. I mean, they are independent tools, but as 'setcap' can modify the capabilities of files and what they can do, it's completely related to AppArmor.

I hope that helps!

Regards,
Luis.

albiurs

Hi Luis,

Thank your for your reply.

What I still do not understand is the workflow in Lab 33.2.. After setting the capabilities in Step 1-3, the new ping-x program works as expected, even after a reboot:

Step 2:

alu@ubuntu-dt-vm:~$ ls -l /bin/ping
-rwxr-xr-x 1 root root 89768 Apr  8  2024 /bin/ping
alu@ubuntu-dt-vm:~$ 
alu@ubuntu-dt-vm:~$ sudo cp /bin/ping /bin/ping-x
alu@ubuntu-dt-vm:~$ 
alu@ubuntu-dt-vm:~$ ls -l /bin/ping-x
-rwxr-xr-x 1 root root 89768 Nov 12 08:44 /bin/ping-x
alu@ubuntu-dt-vm:~$ 
alu@ubuntu-dt-vm:~$ sudo getcap /bin/ping
/bin/ping cap_net_raw=ep
alu@ubuntu-dt-vm:~$ sudo getcap /bin/ping-x
alu@ubuntu-dt-vm:~$ 
alu@ubuntu-dt-vm:~$ ping-x -c3 -4 127.0.0.1
ping-x: socktype: SOCK_RAW
ping-x: socket: Operation not permitted
ping-x: => missing cap_net_raw+p capability or setuid?
alu@ubuntu-dt-vm:~$

Step 3:

alu@ubuntu-dt-vm:~$ sudo setcap cap_net_raw+ep /bin/ping-x
alu@ubuntu-dt-vm:~$ 
alu@ubuntu-dt-vm:~$ sudo getcap /bin/ping
/bin/ping cap_net_raw=ep
alu@ubuntu-dt-vm:~$ sudo getcap /bin/ping-x
/bin/ping-x cap_net_raw=ep
alu@ubuntu-dt-vm:~$ 
alu@ubuntu-dt-vm:~$ ping-x -c3 -4 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.081 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.055 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.055 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2061ms
rtt min/avg/max/mdev = 0.055/0.063/0.081/0.012 ms
alu@ubuntu-dt-vm:~$ 
alu@ubuntu-dt-vm:~$ sudo reboot

# [... after reboot...]

alu@ubuntu-dt-vm:~$ ping-x -c3 -4 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.070 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.066 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.051 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2053ms
rtt min/avg/max/mdev = 0.051/0.062/0.070/0.008 ms

Maybe I missed something, but this means that the following steps by generating the AppArmor profile with aa-genprof (Step 4+) become useless as it doesn't change anything in terms of the ping-x's behavior. The program ping-x works before and it also works after setting up the AppArmor profile.

Therefore, after restoring the latest VM snapshot, I tried it again without setting the capabilities, but this experiment failed. Only setting up an AppArmor profile without previously changing the capabilities seam not to work for some reason.

Hence, the only way I get the ping-x to work is setting the capabilities, with or without creating an AppArmor profile.

It would be great if you could further explain that behavior, so I can understand the relationship between setting the capabilities and AppArmor.

Thanks,
Urs

luisviveropena

Hi Urs,

It's seems to me it's working fine, as expected. What we do is the following:

1.- We try the ping tool, it works.
2.- We copy the ping tool to another file named ping-x.
3.- We try ping-x and this won't work. Why? Because it doesn't have the required capabilities. I tested this and it's working as expected:

ubuntu@master:~$ sudo cp /bin/ping /bin/ping-x

ubuntu@master:~$ ping-x google.com
ping-x: socktype: SOCK_RAW
ping-x: socket: Operation not permitted
ping-x: => missing cap_net_raw+p capability or setuid?

ubuntu@master:~$ getcap /bin/ping-x
ubuntu@master:~$
ubuntu@master:~$ getcap /bin/ping
/bin/ping cap_net_raw=ep

4.- We add the cap_net_raw+ep capability to /bin/ping-x and it works.

That's it!

5.- About the profiles:

Maybe I missed something, but this means that the following steps by generating the AppArmor profile >with aa-genprof (Step 4+) become useless as it doesn't change anything in terms of the ping-x's >behavior. The program ping-x works before and it also works after setting up the AppArmor profile.

It's because the profile for ping-x was copied from ping. But if it was copied from a different type of tool -let's say from cupsd- it would have failed. So, the idea behind this is to give you an idea about profiles.

Regards,
Luis.

albiurs

Perfect, thank you very much.

Regards,
Urs

luisviveropena

Hi Urs, it's a pleasure

Luis.