How does AppArmor deal with non-profiled Programs?

Solution 1:

According to the http://wiki.apparmor.net FAQ, any program that has no profile is basically unprotected / unconstrained and can do any mischief in Ubuntu, almost in the same way as if there had not been any AppArmor in the first place.

Solution 2:

First, the background of AppArmor:

AppArmor's security model is to bind access control attributes to programs rather than to users.

AppArmor profiles can be in one of two modes: enforcement and complain.

via the Ubuntu Security Team's wiki page

So, enforcement enforces whatever rules (for more details on that, take a look here) are defined, and complain just logs attempts to violate policy to the syslog (most of the time).

Some supported profiles are:

  • Cups (cupsd)
  • MySQL (mysqld)
  • Evince (PDF viewer on Ubuntu - enabled by default).
  • Firefox (Will be disabled by default and be opt-in for advanced users)
  • Apache (webserver, ditto)
  • and the list goes on, but not long enough. Full list is here.

Notable exceptions are:

  • Chrom(ium)e. While they do have an AppArmor profile on their wiki, it doesn't seem like anyone uses it.
  • I didn't see empathy, pidgin or transmission on this list, or anything similar to them.

Lastly, someone else has asked a similar question about a fallback profile for anything that isn't defined.

But the answer is, by default, if an application doesn't have a profile in AppArmor, it will have access to everything - it won't be sandboxed.

However, on 12.10 Chrome will run inside a seccomp-bpf sandbox, which had its modules backported by Canonical from version 3.5 of the Linux Kernel to the 3.2 series that 12.10 is using.
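
To see the point above on a real box (which processes have a profile in enforce or complain mode, and which run unconfined), here is an added example, not from the original answers, that reads the per-process label the kernel exposes under /proc/<pid>/attr and groups processes by confinement state; the sample labels at the bottom are constructed so the grouping can be checked without a live kernel.

```python
"""Group running processes by AppArmor confinement state (added example).
The kernel exposes each process's label in /proc/<pid>/attr/apparmor/current
(older: /proc/<pid>/attr/current) as "unconfined" or "<profile> (enforce|complain)"."""
import os
from pathlib import Path

LABEL_FILES = ("attr/apparmor/current", "attr/current")

def parse_label(raw):
    """'/usr/sbin/cupsd (enforce)' -> ('/usr/sbin/cupsd', 'enforce');
    'unconfined' (or an empty label) -> ('unconfined', None)."""
    text = raw.rstrip("\0").strip()
    if not text or text == "unconfined":
        return ("unconfined", None)
    if text.endswith(")") and " (" in text:
        profile, mode = text.rsplit(" (", 1)
        return (profile, mode[:-1])
    return (text, None)  # label without a mode suffix (e.g. another LSM's context)

def summarize(labels):
    """Group (pid, (profile, mode)) pairs by confinement state."""
    out = {"unconfined": [], "enforce": [], "complain": [], "other": []}
    for pid, (profile, mode) in labels:
        key = "unconfined" if profile == "unconfined" else mode
        out[key if key in out else "other"].append((pid, profile))
    return out

def read_label(pid, proc="/proc"):
    """Parsed label for one pid, or None if unreadable (no AppArmor, no permission)."""
    for rel in LABEL_FILES:
        try:
            return parse_label((Path(proc) / str(pid) / rel).read_text())
        except OSError:
            continue
    return None

def scan(proc="/proc"):
    """Walk /proc and group every readable process by confinement state."""
    labels = []
    for entry in os.listdir(proc):
        label = read_label(entry, proc) if entry.isdigit() else None
        if label is not None:
            labels.append((int(entry), label))
    return summarize(labels)

SAMPLE = summarize([  # constructed labels, checkable without a live kernel
    (101, parse_label("/usr/sbin/cupsd (enforce)\n")),
    (202, parse_label("/usr/sbin/mysqld (complain)\n")),
    (303, parse_label("unconfined\n"))])
```

On a live Ubuntu system `scan()["unconfined"]` lists every process that AppArmor is not restricting at all (kernel threads appear there too); anything under "complain" is only being logged, not blocked.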

Solution 3:

It's quite interesting that @humanityANDpeace answered no to the question while providing a solution in another thread.

Anyway, here is the answer for completeness' sake:

profile default /** {
  #insert default profile rules here
}

Source