
apparmor blocking .exe dont work

The idea is to allow executing all .exe files inside a specific folder and deny all others on the system. The problem is that when I enable apparmor with this config file it is not possible to open any .exe:
Also, if you have other suggestions or a better solution, shoot! :)


Code:
#include <tunables/global>

/usr/bin/wine-stable {
  #include <abstractions/base>
  #include <abstractions/user-tmp>

  /home/user/.wine/dosdevices/c:/users/user/My\ Documents/New\ Folder\ -\ For\ \(user\)/** r,
  /home/user/.wine/dosdevices/c:/users/user/My\ Documents/New\ Folder\ -\ For\ \(user\)/*.exe rix,

  audit deny /**.exe rwx,
}
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.wine

sudo systemctl stop apparmor.service
sudo systemctl start apparmor.service



Re: apparmor blocking .exe dont work

Reply #1
Shouldn't the global deny be first in the options?
The global deny first closes everything then the next rules open the running in the specified locations.
Quote
  audit deny /**.exe rwx,
  /home/user/.wine/dosdevices/c:/users/user/My\ Documents/New\ Folder\ -\ For\ \(user\)/** r,
  /home/user/.wine/dosdevices/c:/users/user/My\ Documents/New\ Folder\ -\ For\ \(user\)/*.exe rix,
Convert these following lines to the init that you are using.
Quote
sudo systemctl stop apparmor.service
sudo systemctl start apparmor.service

Re: apparmor blocking .exe dont work

Reply #2
I changed it, but again, same problem, I can't open any exe.

Code:
#include <tunables/global>

/usr/bin/wine-stable {
  #include <abstractions/base>
  #include <abstractions/user-tmp>

  audit deny /**.exe rwx,

  /home/user/.wine/dosdevices/c:/users/user/My\ Documents/New\ Folder\ -\ For\ \(user\)/** r,
  /home/user/.wine/dosdevices/c:/users/user/My\ Documents/New\ Folder\ -\ For\ \(user\)/*.exe rix,
}

Re: apparmor blocking .exe dont work

Reply #3
You will have to re-evaluate the methodology of the rule profile.
Opening up a path after a global deny path rule appears to be out of the question due to apparmor's code.
The deny rule is the master rule that cannot be overwritten.
Apparmor Documentation
Quote
IMPORTANT: deny rules are evaluated before allow rules and cannot be overridden by an allow rule.

Re: apparmor blocking .exe dont work

Reply #4
Quote
You will have to re-evaluate the methodology of the rule profile.
Opening up a path after a global deny path rule appears to be out of the question due to apparmor's code.
The deny rule is the master rule that cannot be overwritten.
Apparmor Documentation

The idea is to block any other exe on the system and permit only exe files in one folder. Why then won't this kind of apparmor config work?

Re: apparmor blocking .exe dont work

Reply #5
Quote
The idea is to block any other exe on the system and permit only exe files in one folder.

Strange idea.

Why do you install any "other exe files" at all if you don't need them?
"He who can do everything does nothing right"

Artix USE="runit openrc slim openbox lxde gtk2 qt4 qt5 qt6 conky
-gtk3 -gtk4 -adwaita{cursors,themes,icons} -gnome3 -kde -plasma -wayland "




Re: apparmor blocking .exe dont work

Reply #9
Apparmor deny at the root of the directory will disable all executable files from that root.

Code:
audit deny /**.exe rwx,
A blanket rule at the root will kill every *.exe on the whole system including the wine path since wine is located in the root structure.
Therefore the deny rules have to be fine tuned.
One level up for the non-home folder and two levels up for the home folder.
Something like so:
Code:
#include <tunables/global>

/usr/bin/wine-stable {
  #include <abstractions/base>
  #include <abstractions/user-tmp>

  deny /bin/**.exe rwx,
  deny /boot/**.exe rwx,
  deny /dev/**.exe rwx,
  deny /etc/**.exe rwx,
  deny /lib/**.exe rwx,
  deny /lib64/**.exe rwx,
  deny /mnt/**.exe rwx,
  deny /opt/**.exe rwx,
  deny /proc/**.exe rwx,
  deny /root/**.exe rwx,
  deny /run/**.exe rwx,
  deny /sbin/**.exe rwx,
  deny /src/**.exe rwx,
  deny /tmp/**.exe rwx,
  deny /usr/**.exe rwx,
  deny /var/**.exe rwx,
  deny /home/<other user(s)>/**.exe rwx,
  deny /home/<any other folder not on the wine path>/**.exe rwx,

  /home/user/.wine/dosdevices/c:/users/user/My\ Documents/New\ Folder\ -\ For\ \(user\)/** r,
  /home/user/.wine/dosdevices/c:/users/user/My\ Documents/New\ Folder\ -\ For\ \(user\)/*.exe rix,
}
Any other folders that need to be denied would have to be added including all the other non-wine containing home folders on the system.
This is a somewhat cumbersome method to deal with, but if you want to use apparmor I believe it is the only way to get a viable solution.
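To make the ordering rule quoted in Reply #3 and the enumerated layout of Reply #9 concrete, here is a small Python model of how AppArmor decides a file access. It is an added illustration, not code from this thread or from AppArmor itself: it assumes a simplified glob syntax (`**`, `*` and backslash escapes only; no `{a,b}` alternation or `[]` classes), uses the thread's folder path with a constructed `game.exe` and `setup.exe`, and applies the documented rule that a matching deny wins before any allow rule is considered.

```python
import re

# Constructed for this example: the thread's "New Folder - For (user)" directory,
# written once with AppArmor escaping and once as the real path the kernel sees.
ALLOWED_DIR = r"/home/user/.wine/dosdevices/c:/users/user/My\ Documents/New\ Folder\ -\ For\ \(user\)"
ALLOWED_EXE = "/home/user/.wine/dosdevices/c:/users/user/My Documents/New Folder - For (user)/game.exe"
DOWNLOADED_EXE = "/home/user/Downloads/setup.exe"

# Rule bodies only; the profile header and #include lines do not matter here.
OP_PROFILE = f"""
  audit deny /**.exe rwx,
  {ALLOWED_DIR}/** r,
  {ALLOWED_DIR}/*.exe rix,
"""
# Reply #9's shape: deny only on trees that do not contain the allowed folder.
ENUMERATED_PROFILE = f"""
  deny /usr/**.exe rwx,
  deny /tmp/**.exe rwx,
  deny /home/user/Downloads/**.exe rwx,
  {ALLOWED_DIR}/** r,
  {ALLOWED_DIR}/*.exe rix,
"""

def glob_to_regex(pattern):
    """'**' spans '/', '*' stays inside one path component, backslash escapes a char."""
    tokens = re.findall(r"\\.|\*\*|\*|.", pattern)
    parts = [".*" if t == "**" else "[^/]*" if t == "*" else re.escape(t[-1]) for t in tokens]
    return re.compile("^" + "".join(parts) + "$")

def parse_rules(text):
    """Split file rules into (deny, allow) lists of (regex, permission letters)."""
    deny, allow = [], []
    for line in filter(None, (ln.strip().rstrip(",") for ln in text.splitlines())):
        words = re.split(r"(?<!\\)\s+", line)  # keep escaped spaces inside the path
        perms, path = words[-1], words[-2]     # 'audit' only adds logging, ignore it
        (deny if "deny" in words else allow).append((glob_to_regex(path), perms))
    return deny, allow

def check(profile, path, access):
    """Mimic AppArmor ordering: a matching deny wins outright, then an allow must match."""
    deny, allow = parse_rules(profile)
    if any(rx.match(path) and access in perms for rx, perms in deny):
        return "DENIED"
    if any(rx.match(path) and access in perms for rx, perms in allow):
        return "ALLOWED"
    return "DENIED"  # nothing allowed it: AppArmor profiles are default-deny
```

`check(OP_PROFILE, ALLOWED_EXE, "x")` returns DENIED because `/**.exe` also covers the wine folder, while `check(ENUMERATED_PROFILE, ALLOWED_EXE, "x")` returns ALLOWED and the Downloads exe stays DENIED under both profiles.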


Re: apparmor blocking .exe dont work

Reply #10
I tried with this:
Code:
#include <tunables/global>

/usr/bin/wine {
  #include <abstractions/base>
  #include <abstractions/user-tmp>

  deny /bin/**.exe rwx,
  deny /boot/**.exe rwx,
  deny /dev/**.exe rwx,
  deny /etc/**.exe rwx,
  deny /lib/**.exe rwx,
  deny /lib64/**.exe rwx,
  deny /mnt/**.exe rwx,
  deny /opt/**.exe rwx,
  deny /proc/**.exe rwx,
  deny /root/**.exe rwx,
  deny /run/**.exe rwx,
  deny /sbin/**.exe rwx,
  deny /src/**.exe rwx,
  deny /tmp/**.exe rwx,
  deny /usr/**.exe rwx,
  deny /var/**.exe rwx,
  deny /home/myuser/Downloads/**.exe rwx,
  deny /home/myuser/Documents/**.exe rwx,
  deny /home/myuser/Pictures/**.exe rwx,
  deny /home/myuser/Desktop/**.exe rwx,

  /home/myuser/.wine/dosdevices/c:/myusers/myuser/My\ Documents/New\ Folder\ -\ For\ \(myuser\)/** r,
  /home/myuser/.wine/dosdevices/c:/myusers/myuser/My\ Documents/New\ Folder\ -\ For\ \(myuser\)/*.exe rix,
}
and I can open exe in the allowed folder, but I also can in the Downloads folder. I changed it to .wine instead of wine-stable, because when I right click on that exe I open it with the option "Open with Wine Windows Program Loader".

Re: apparmor blocking .exe dont work

Reply #11
Quote
deny /home/mymyuser/Downloads/**.exe rwx,

but i also can in Download folder
Assuming that this folder is different from the wine containing folder.
How about changing the other home folder to like so:
Code:
deny /home/mymyuser/**.exe rwx,

Fine tuning the rules does involve some trial and error, unfortunately.

Re: apparmor blocking .exe dont work

Reply #12
Quote
deny /home/mymyuser/**.exe rwx,
Yeah, but .wine is in /home/mymyuser, and the folder which I want to exclude is in .wine in the home folder.

Re: apparmor blocking .exe dont work

Reply #13
If the path that was denied is not working then are you sure that:
1) The folders are not soft linked from anywhere, gaining parent rules that affect them from their actual location.
2) The syntax does not have an error.

The deny should work for the /home/<the home folder with the wine path>/Downloads as far as I can see if the syntax on the path is correct.
The names that you have used somewhat confuse me so I put a variable that hopefully makes sense.