[HOWTO] Tomoyo - Apparmor - Application Based Firewall


Postby intika » Aug 12th, '14, 03:07

Hello all

It's been a while that I've been looking for a firewall based application for my Mageia server, and finally I found a way after a long lonnnnnggggg looonngggg time lol

What is it about :
- Use Tomoyo as an alternative to Apparmor for the purpose of a Firewall Based Application

Note :
- To edit all the files described below and to execute any of the described commands you need local root access rights.
The firewall setting works as a white list: when you're done with this tutorial, any Internet access to or from any application on your computer will be blocked by default.
You will need to enable it explicitly for selected applications by using "tomoyo-editpolicy" and changing their profile from 0 to 1, as simple as that.

Tested :
- Mageia v3

Check :
- "cat /boot/config | grep SECURITY"
- to check if tomoyo is activated, normally it is by default

Activate Tomoyo :
- "sudo gedit /boot/config"
- And add/edit those lines :
Code:
CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init"
CONFIG_DEFAULT_SECURITY_TOMOYO=y

Install Needed Package :
- "sudo mcc &" and go to "add remove package"
- install the package tomoyo-tools

Reboot :
- Reboot the system

Initialize Tomoyo default configs and profiles:
- "sudo /usr/lib/tomoyo/init_policy"

Edit the default profiles:
"sudo gedit /etc/tomoyo/policy/current/profile.conf" - Import or override your entries with the following code
Code:
PROFILE_VERSION=20110903
0-COMMENT=-----block network inet-----
0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
0-CONFIG={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_stream_bind={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_stream_listen={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_stream_connect={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_dgram_bind={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_dgram_send={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_seqpacket_bind={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_seqpacket_listen={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_seqpacket_connect={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network={ mode=enforcing grant_log=no reject_log=yes }
1-COMMENT=-----allow all-----
1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
1-CONFIG={ mode=disabled grant_log=no reject_log=no }
2-COMMENT=-----Permissive Mode-----
2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
3-COMMENT=-----Enforcing Mode-----
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }

Reboot :
- Reboot the system

Usage :
- You can edit any rule by executing:
- "sudo tomoyo-editpolicy"
- And then after editing
- "sudo tomoyo-savepolicy"

Usage Help :
- Before you can allow an application you have to run it at least once, so that Tomoyo notes the application's existence.
- After "sudo tomoyo-editpolicy", press s to change an application's profile (0 = block all Internet access, 1 = allow all Internet access); press f to search for an application, then n to jump to the next occurrence; press q to exit the policy editor.
- After any change you make to the policy, you need to save it to disk; to do so, just type in the terminal: "sudo tomoyo-savepolicy"

Yes it's that simple !!!!!!!!!
EEENNNNNNNJJJJOOOOOOOOOYYYYYYYYYYYY !!!!!
Last edited by intika on Aug 12th, '14, 03:16, edited 1 time in total.
intika
 
Posts: 61
Joined: Jul 4th, '13, 03:16
Location: Belgium
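The post's workflow leaves one open question for an admin: after a few rounds of tomoyo-editpolicy, which programs actually ended up on profile 1 (Internet allowed) and which are still on profile 0 (blocked)? The script below is an added example, not part of intika's post or of the tomoyo-tools package. It parses the TOMOYO 2.x domain policy layout, where each domain begins with a "<kernel> /path/to/program" header and is followed by a "use_profile N" line, and lists the domains per profile. The policy text embedded in SAMPLE_POLICY is constructed for the example; set POLICY_FILE to the saved domain policy (the post's setup keeps it under /etc/tomoyo/policy/current/) to audit a real system.

```shell
#!/bin/sh
# Added example (not from the post): list which TOMOYO domains (programs) use
# which profile, so you can see at a glance who is allowed on the Internet.
#
# Constructed sample in TOMOYO 2.x domain_policy format: a "<kernel> /program"
# header line, then "use_profile N" and "use_group N" for that domain.
SAMPLE_POLICY='<kernel>
use_profile 0
use_group 0

<kernel> /usr/bin/firefox
use_profile 1
use_group 0

<kernel> /usr/bin/wget
use_profile 0
use_group 0

<kernel> /usr/sbin/sshd
use_profile 3
use_group 0
'

# Emit the policy text: the real file when POLICY_FILE is set (assumed path on
# the post's setup: /etc/tomoyo/policy/current/domain_policy.conf), else the sample.
policy_source() {
    if [ -n "${POLICY_FILE:-}" ]; then
        cat "$POLICY_FILE"
    else
        printf '%s\n' "$SAMPLE_POLICY"
    fi
}

# Print one "<profile>TAB<domain>" line per domain. The domain is everything
# after "<kernel> " (execve chains keep their spaces); the root domain is "<kernel>".
domain_profiles() {
    policy_source | awk '
        /^<kernel>/ {
            d = $0
            sub(/^<kernel> ?/, "", d)
            if (d == "") d = "<kernel>"
            next
        }
        /^use_profile / { print $2 "\t" d }
    '
}

# domains_with_profile N: every domain assigned profile N, one per line.
domains_with_profile() {
    domain_profiles | awk -F '\t' -v want="$1" '$1 == want { print $2 }'
}

# profile_of DOMAIN: the profile number of one domain (empty if it is unknown,
# i.e. the program has never been run under TOMOYO, as the post explains).
profile_of() {
    domain_profiles | awk -F '\t' -v want="$1" '$2 == want { print $1 }'
}

# count_domains_with_profile N: how many domains use profile N.
count_domains_with_profile() {
    domains_with_profile "$1" | awk 'END { print NR }'
}

echo "Blocked from the Internet (profile 0):"
domains_with_profile 0
echo "Allowed on the Internet (profile 1):"
domains_with_profile 1
```

Run it as root with POLICY_FILE pointing at the saved policy (run "sudo tomoyo-savepolicy" first so the file reflects what the kernel currently enforces); anything listed under profile 1 is a program you have deliberately let out, and a daemon you do not recognise there is worth a second look.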

Re: [HOW TO] Tomoyo - Apparmor - Application Based Firewall

Postby intika » Aug 12th, '14, 03:11

Last edited by intika on Aug 18th, '18, 00:58, edited 3 times in total.

Re: [HOW TO] Tomoyo - Apparmor - Application Based Firewall

Postby intika » Aug 12th, '14, 03:14

Note :
Mageia Dev Team could update Drakewall (integrated firewall) to manage applications with rules; the integration of this is very easy and it would be awesome.

;)

Re: [HOWTO] Tomoyo - Apparmor - Application Based Firewall

Postby intika » Aug 12th, '14, 03:54

Update profile.conf :

Code:
PROFILE_VERSION=20110903
0-COMMENT=-----Block Network Inet-----
0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=1 }
0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
0-CONFIG::network::unix_stream_bind={ mode=disabled grant_log=no reject_log=yes }
0-CONFIG::network::unix_stream_listen={ mode=disabled grant_log=no reject_log=yes }
0-CONFIG::network::unix_stream_connect={ mode=disabled grant_log=no reject_log=yes }
0-CONFIG::network::unix_dgram_bind={ mode=disabled grant_log=no reject_log=yes }
0-CONFIG::network::unix_dgram_send={ mode=disabled grant_log=no reject_log=yes }
0-CONFIG::network::unix_seqpacket_bind={ mode=disabled grant_log=no reject_log=yes }
0-CONFIG::network::unix_seqpacket_listen={ mode=disabled grant_log=no reject_log=yes }
0-CONFIG::network::unix_seqpacket_connect={ mode=disabled grant_log=no reject_log=yes }
0-CONFIG::network={ mode=enforcing grant_log=no reject_log=yes }
1-COMMENT=-----Allow All-----
1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
1-CONFIG={ mode=disabled grant_log=no reject_log=no }
2-COMMENT=-----Permissive Mode-----
2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
3-COMMENT=-----Enforcing Mode-----
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
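What makes profile 0 in the profile.conf above act as a network whitelist is how TOMOYO resolves a profile entry: the most specific line wins, N-CONFIG::category::function first, then N-CONFIG::category, then the bare N-CONFIG default. Profile 0 sets the default to disabled, the whole network category to enforcing, and only the unix_* functions back to disabled, so every inet_* function inherits enforcing from the category and, with no ACLs, is denied. The script below is an added example (not from the post and not a tomoyo-tools feature) that applies that lookup to the updated profile.conf text so you can check what mode any profile gives any function before rebooting into it. The resolution order is the one documented for TOMOYO 2.x profiles; the function names used in the demo (network::inet_stream_connect, network::inet_dgram_send, file::execute, file::open) are standard TOMOYO 2.x function names.

```shell
#!/bin/sh
# Added example (not from the post): resolve the effective mode a TOMOYO
# profile applies to one access function, using the post's updated profile.conf.
# Lookup order (TOMOYO 2.x): N-CONFIG::category::function, then
# N-CONFIG::category, then the bare N-CONFIG line.
PROFILE_CONF='PROFILE_VERSION=20110903
0-COMMENT=-----Block Network Inet-----
0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=1 }
0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
0-CONFIG::network::unix_stream_bind={ mode=disabled grant_log=no reject_log=yes }
0-CONFIG::network::unix_stream_listen={ mode=disabled grant_log=no reject_log=yes }
0-CONFIG::network::unix_stream_connect={ mode=disabled grant_log=no reject_log=yes }
0-CONFIG::network::unix_dgram_bind={ mode=disabled grant_log=no reject_log=yes }
0-CONFIG::network::unix_dgram_send={ mode=disabled grant_log=no reject_log=yes }
0-CONFIG::network::unix_seqpacket_bind={ mode=disabled grant_log=no reject_log=yes }
0-CONFIG::network::unix_seqpacket_listen={ mode=disabled grant_log=no reject_log=yes }
0-CONFIG::network::unix_seqpacket_connect={ mode=disabled grant_log=no reject_log=yes }
0-CONFIG::network={ mode=enforcing grant_log=no reject_log=yes }
1-COMMENT=-----Allow All-----
1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
1-CONFIG={ mode=disabled grant_log=no reject_log=no }
2-COMMENT=-----Permissive Mode-----
2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
3-COMMENT=-----Enforcing Mode-----
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
'

# effective_mode PROFILE FUNCTION
#   e.g. effective_mode 0 network::inet_stream_connect  -> enforcing
# Prints "unknown" when the profile has no CONFIG line at all.
effective_mode() {
    printf '%s\n' "$PROFILE_CONF" | awk -v prof="$1" -v fn="$2" '
        # Collect the mode of every N-CONFIG line of the wanted profile,
        # keyed by the part after "N-CONFIG": "", "::network", "::network::unix_dgram_send", ...
        $0 ~ ("^" prof "-CONFIG") {
            split($0, kv, "=")
            key = kv[1]
            sub("^" prof "-CONFIG", "", key)
            if (match($0, /mode=[a-z]+/))
                mode[key] = substr($0, RSTART + 5, RLENGTH - 5)
        }
        END {
            cat = fn
            sub(/::.*/, "", cat)          # "network::inet_stream_connect" -> "network"
            k = "::" fn
            if (k in mode) { print mode[k]; exit }
            k = "::" cat
            if (k in mode) { print mode[k]; exit }
            if ("" in mode) { print mode[""]; exit }
            print "unknown"
        }
    '
}

# report PROFILE: show the resolved mode for a few representative functions.
report() {
    for f in network::inet_stream_connect network::inet_dgram_send \
             network::unix_stream_connect file::execute; do
        printf 'profile %s  %-32s -> %s\n' "$1" "$f" "$(effective_mode "$1" "$f")"
    done
}

report 0
report 1
```

Under profile 0 the inet functions resolve to enforcing while the unix functions and everything outside the network category stay disabled, which is exactly the "block the Internet, touch nothing else" behaviour the post describes; under profile 1 everything resolves to disabled, i.e. allow all. To test a different profile.conf, replace the PROFILE_CONF text with the contents of /etc/tomoyo/policy/current/profile.conf.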

Re: [HOW TO] Tomoyo - Apparmor - Application Based Firewall

Postby doktor5000 » Aug 12th, '14, 08:15

intika wrote:Note :
Mageia Dev Team could update Drakewall (integrated firewall) to manage applications with rules; the integration of this is very easy and it would be awesome.

Note: this is the wrong place to contact Mageia developers, nobody reads here (apart from me).
Either send a mail to mageia-dev mailing list and discuss that there or create a bug for the enhancement request:
https://wiki.mageia.org/en/How_to_report_a_bug_properly
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 17629
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: [HOWTO] Tomoyo - Apparmor - Application Based Firewall

Postby intika » Aug 13th, '14, 08:29

email sent to dev
thanks

Re: [HOWTO] Tomoyo - Apparmor - Application Based Firewall

Postby intika » Aug 14th, '14, 05:10

related info

to run an application without network access
use : "unshare -n application"
