LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-24-2014, 02:05 PM   #1
kktsuri
LQ Newbie
 
Registered: Jan 2014
Distribution: Mint
Posts: 22

Rep: Reputation: Disabled
Using AppArmor to deny network access per app?


Hey all,

Here's me with another one of my questions related to Linux-from-Windows. Basically, as you may or may not know, in Windows "personal firewalls" are very common; they set rules per application to deny or allow it network access.

This is mostly for outbound connections. Meaning, they protect mostly from malware that "phones home" or "steals files" or whatever the name is for this kind of malware -- you know, when the app takes some of your personal information on your PC and sends it out there on the internet.

I've been searching for hours now and a lot of people say that Linux can't do this and that firewalls in Linux only help with inbound connections? That would be messed up but I read a bit on AppArmor and it *seems* to have this capability.

Note that this is very important for me as I use a lot of proprietary software under WINE, which tends to phone home and frankly I don't even trust open source software after the Heartbleed bug, so I want to be as secure as possible against applications.

So please, don't tell me how this is not needed, because it is and I have apps that constantly need to be denied access (again, per application, as I need others to connect).


Either way, for WINE at least, I can set up an AppArmor profile to deny network for all applications that run via WINE, correct?

It is simple what I request:

1) Deny network by default for every single application, or at least every single WINE-based application (wine-preloader and wineserver profiles I guess?).

2) Allow only very specific applications to have network access, outbound especially.

This simple task is something I can't manage to get working but I'm a noob with AppArmor anyway. It seems "deny network" overrides any "network" (which allows it), so it is kinda impossible for me to deny it all and then allow it only on some apps? Do I really have to make a profile for every single application and deny them all except a few ones? That would take ages! I hope there's a better way, I don't want hundreds of profiles!

If you know of a fast and easy way please share here, and remember I'm a noob with AppArmor, so try to go slowly or step by step on how I can do this the easiest way possible? Thank you.


PS: I know AppArmor can do far more than deny network access, but I don't need the "deny file" functionality at the moment, just this.


(In Windows I used personal firewalls where the GUI just popped a dialog asking me to allow certain applications and block all others, that was it, so I'm not used to here yet)


EDIT: Oh, and if there's a better tool for this simple job then it is no problem; even if the title has AppArmor in it, I don't mind using something else.

Last edited by kktsuri; 06-24-2014 at 02:08 PM.
 
Old 06-24-2014, 06:26 PM   #2
endhx
LQ Newbie
 
Registered: Apr 2013
Posts: 25

Rep: Reputation: Disabled
If you give it unrestricted file access it can probably just write to a file as a method for accessing the internet, since UNIX files etc.

But either way, just run the application as another user and use IPTables to deny internet access to that user - far better method for what you want.
 
Old 06-24-2014, 07:04 PM   #3
kktsuri
LQ Newbie
 
Registered: Jan 2014
Distribution: Mint
Posts: 22

Original Poster
Rep: Reputation: Disabled
Thank you for the response.

That is very interesting, I was actually not aware you can have multiple users logged in at the same time on the same PC, multitasking (yes, I'm kind of a newbie with this, as with Windows I only ever used my normal user account and admin when I needed system access).

I have no idea how to use IPtables, is there some easy tutorial to follow for this to deny internet access to a whole user?

For sure I won't let it have unrestricted file access, at least I thought if I'm not admin/root then it can't do that kind of things right? Or is there something else I need to do besides deny network access to that user?

(if it matters, I'm using Linux Mint 16 MATE edition)



So if I got it right: make 2 users (besides admin), one which has internet access for the few apps I need it for, and one which has it blocked. And I use the latter for 99% of the apps (since I need internet for only about 2), correct?

Now need a simple tutorial how to set IPtables for user to deny all network access.

And just to be sure again, I can run apps from user 1 (the one with internet) and user 2 at the same time right? (with no security issues)

Sorry for newbish questions but I'm learning these things.

Last edited by kktsuri; 06-24-2014 at 07:05 PM.
 
Old 06-26-2014, 07:22 AM   #4
kktsuri
LQ Newbie
 
Registered: Jan 2014
Distribution: Mint
Posts: 22

Original Poster
Rep: Reputation: Disabled
Hey all,

I've been doing some research on this. Unfortunately, finding tutorials for iptables seems pretty damn difficult, especially for this purpose. I managed to get one from an article that was written in kinda broken English, but it seems something like this works:

iptables -I OUTPUT -o ethX -m owner --uid-owner Username -j DROP

My question now is, will this work with WINE? I mean, as far as I read, this seems to drop packets with the "Username" uid. However, it seems that depending on how WINE works this may not block all the traffic. I'm not looking for a chroot jail or anything like that, it's way too complicated for me at this point, and I know that the apps I use with WINE are not even "Linux aware" so they won't try to "escape" the network block.

What I mean is, if wine programs actually use something like wineserver to communicate with, and then wineserver sends the network traffic, this will not stop it, since wineserver would not be run under that user. (any way to make that happen, btw?)

So, anyone with knowledge of how wine works can clarify? I know I can run a simple test, but I'm talking about the more obscure network access for apps that are silent about it and won't tell me anything. Do wine apps connect to the internet directly or through some different program/server/daemon?

Any way I can monitor this easily? Thanks!
 
Old 06-30-2014, 08:01 AM   #5
kktsuri
LQ Newbie
 
Registered: Jan 2014
Distribution: Mint
Posts: 22

Original Poster
Rep: Reputation: Disabled
UPDATE for those interested:

I *think* I have solved it, in a way.

It appears that "wineserver" is separate for each WINEPREFIX, so at worst and just to be safe, I think using a separate WINEPREFIX for the different user with internet access should be enough. I'm aware there might be ways to "break out" of this, but obviously you shouldn't run insane malware, just normal apps that don't even know they run on Linux to begin with (or shouldn't) and might do some background phoning home and such.

And you can always just use virustotal.com to do a fast scan on them.

Each WINEPREFIX creates a different "simulated Windows environment" though, which means a different registry and Windows settings and "virtual" Windows drives etc. If you want to use an app both for internet and for offline use (on both users, the one with internet and the one without) then just make a symbolic link in one of the WINEPREFIXes so you don't have to copy it for nothing. Then you can use it in both WINEPREFIXes without having to copy it or worry about it being out of sync or whatever.

I hope this helps others with similar issues.

If anyone has more knowledge on this, or if I'm wrong and need to do something else, I'd appreciate it. Thanks all.

Last edited by kktsuri; 06-30-2014 at 08:02 AM.
 
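The per-user approach that posts #2, #4 and #5 converge on, written out as one script. This is an added example, not code posted in the thread: it creates a dedicated unprivileged account, emits the iptables "owner" rules that block everything that account's processes send, and starts WINE programs under that account so they get their own WINEPREFIX. The user name "nonet" and the prefix path under that user's home are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): deny all outbound traffic for one
# dedicated user and run untrusted WINE programs as that user.
# Assumptions: user name "nonet" and WINEPREFIX /home/nonet/.wine are placeholders.
set -u

NONET_USER="${NONET_USER:-nonet}"

# Emit the firewall commands for one user. Deliberate differences from the
# one-liner in post #4:
#  - no "-o ethX": the rule covers every interface (wlan0, tun0, ...), so a
#    program cannot simply leave over a second interface;
#  - "! -o lo" keeps loopback usable for things like a local X server;
#  - REJECT instead of DROP, so a blocked program fails at once instead of
#    hanging until a timeout;
#  - the same rule for ip6tables, otherwise IPv6 stays wide open.
# The "owner" match only exists in the OUTPUT chain, i.e. it only ever sees
# packets generated locally by that uid; other users are unaffected.
nonet_rules() {
    user="$1"
    for tool in iptables ip6tables; do
        printf '%s -I OUTPUT ! -o lo -m owner --uid-owner %s -j REJECT\n' "$tool" "$user"
    done
}

# Create the account and install the rules. Needs root; without root it only
# prints what it would run (a dry run) so the commands can be reviewed first.
setup_nonet() {
    user="$1"
    if [ "$(id -u)" -ne 0 ]; then
        echo "# not root: dry run, nothing below was executed" >&2
        echo "useradd --create-home --shell /usr/sbin/nologin $user"
        nonet_rules "$user"
        return 0
    fi
    id "$user" >/dev/null 2>&1 || useradd --create-home --shell /usr/sbin/nologin "$user"
    nonet_rules "$user" | sh -e
}

# Start a program as the restricted user with that user's own WINE prefix.
# Because wineserver is per-prefix (post #5), the wineserver serving this
# program also runs as "nonet" and is caught by the same rule.
run_nonet() {
    user="$1"; shift
    sudo -u "$user" -H env WINEPREFIX="/home/$user/.wine" "$@"
}

# Usage (as root, once):   setup_nonet "$NONET_USER"
# Usage (each launch):     run_nonet "$NONET_USER" wine /path/to/app.exe
# Quick check that the block works; this should fail immediately with
# "Connection refused"/"Network is unreachable" instead of timing out:
#   run_nonet "$NONET_USER" curl -sS --max-time 5 https://example.com
```

The script does not touch AppArmor at all: the restriction lives in the kernel's packet filter, keyed on the uid of the sending process, which is why it also covers helper processes such as wineserver as long as they run as the same user. Rules inserted with `-I` are not persistent across reboots; on Mint, `iptables-save` output restored at boot (or the `iptables-persistent` package) keeps them.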