How does AppArmor deal with non-profiled Programs?
Solution 1:
According to the http://wiki.apparmor.net FAQ, any program that has no profile is basically unprotected / unconstrained and can do any mischief in Ubuntu, almost in the same way as if there had not been any AppArmor in the first place.
Solution 2:
First, the background of AppArmor:
AppArmor's security model is to bind access control attributes to programs rather than to users.
AppArmor profiles can be in one of two modes: enforcement and complain.
via the Ubuntu Security Team's wiki page
So, enforcement enforces whatever rules (for more details on that, take a look here) are defined, and complain just logs attempts to violate policy to the syslog (most of the time).
Some supported profiles are:
- Cups (cupsd)
- MySQL (mysqld)
- Evince (PDF viewer on Ubuntu - enabled by default).
- Firefox (Will be disabled by default and be opt-in for advanced users)
- Apache (webserver, ditto)
- and the list goes on, but not long enough. Full list is here.
Notable exceptions are:
- Chrom(ium)e. While they do have an AppArmor profile on their wiki, it doesn't seem like anyone uses it.
- I didn't see empathy, pidgin or transmission on this list, or anything similar to them.
Lastly, someone else has asked a similar question about a fallback profile for anything that isn't defined.
But the answer is: by default, if an application doesn't have a profile in AppArmor, it will have access to everything - it won't be sandboxed.
However, on 12.10 Chrome will run inside a seccomp-bpf sandbox, whose modules Canonical backported from version 3.5 of the Linux kernel to the 3.2 series that 12.10 is using.
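The answer above says an unprofiled program runs with no confinement at all. The check a defender wants is therefore "which of the processes on this box are unconfined right now?". The script below is an added example (not from the original answers); it reads the per-process confinement string the kernel exposes in /proc/PID/attr/current (the same information the apparmor-utils tools aa-status and aa-unconfined summarise) and classifies each process as enforce, complain or unconfined. The sample strings in demo_sample are constructed to show the classifier working offline; on a machine without AppArmor the attribute is empty or holds another LSM's label and is reported as unknown.

```shell
#!/bin/sh
# Classify and list AppArmor confinement of running processes.
# Added example; assumes a Linux /proc. Reads /proc/PID/attr/current,
# whose content looks like:
#   unconfined
#   /usr/sbin/cupsd (enforce)
#   firefox (complain)
#   sandbox (unconfined)      <- profile loaded with flags=(unconfined)

# aa_mode ATTR_STRING -> prints enforce | complain | unconfined | unknown
aa_mode() {
  case "$1" in
    unconfined*)        echo unconfined ;;   # no profile attached at all
    *"(unconfined)")    echo unconfined ;;   # profile present but not confining
    *"(enforce)")       echo enforce ;;
    *"(complain)")      echo complain ;;
    *)                  echo unknown ;;      # empty, or a non-AppArmor LSM label
  esac
}

# scan_processes -> one line per process: PID <TAB> comm <TAB> mode
scan_processes() {
  for d in /proc/[0-9]*; do
    pid=${d#/proc/}
    attr=$(cat "$d/attr/current" 2>/dev/null) || continue   # process gone, or no /proc
    comm=$(cat "$d/comm" 2>/dev/null) || continue
    printf '%s\t%s\t%s\n' "$pid" "$comm" "$(aa_mode "$attr")"
  done
  return 0
}

# list_unconfined -> only the processes that AppArmor is not restricting
list_unconfined() {
  scan_processes | while IFS="$(printf '\t')" read -r pid comm mode; do
    if [ "$mode" = unconfined ]; then
      printf '%s\t%s\n' "$pid" "$comm"
    fi
  done
  return 0
}

# demo_sample -> classifies constructed attribute strings (no /proc needed)
demo_sample() {
  for s in 'unconfined' '/usr/sbin/cupsd (enforce)' 'firefox (complain)' 'sandbox (unconfined)'; do
    printf '%-28s -> %s\n' "$s" "$(aa_mode "$s")"
  done
}

demo_sample
echo "--- unconfined processes on this host (PID, comm) ---"
list_unconfined
```

Anything printed by list_unconfined is running exactly as the answer describes: no AppArmor rules apply to it. Programs in the "supported profiles" list above should show up as enforce, and a profile you are still developing shows up as complain.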
Solution 3:
It's quite interesting that @humanityANDpeace answered no to the question while providing a solution in another thread.
Anyway, here is the answer for completeness' sake:
# "/**" as the attachment matches every executable path, so this profile
# is picked up by any program that has no more specific profile of its own
profile default /** {
# insert default profile rules here
}
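The skeleton above leaves the rule body empty. As an added example (not the original poster's profile), here is one way to fill it in so that the fallback does not break anything while still producing useful logs: it is loaded in complain mode, grants broad read access, and marks writes to home and system configuration as audit events so they are logged even when allowed. The file path /etc/apparmor.d/default is an assumed name. Note that AppArmor attaches profiles at exec time, so processes already running when this profile is loaded stay unconfined until they are restarted, and a program that already has its own profile keeps it, because the more specific attachment wins over /**.

```apparmor
# Assumed file: /etc/apparmor.d/default (added example, not from the original answer)
# Fallback profile for programs that have no profile of their own.
# complain mode: violations are logged, nothing is blocked.
profile default /** flags=(complain) {
  #include <abstractions/base>

  # Ordinary programs need to read libraries, configs and data files.
  /** r,

  # Log (audit) writes to the places an unexpected write would matter most.
  audit /home/** w,
  audit /etc/** w,

  # Child programs inherit this same fallback profile on exec.
  /** ix,
}
```

Load it with apparmor_parser -r /etc/apparmor.d/default and watch the kernel log for ALLOWED (complain) entries; once the rule set covers what the unprofiled programs actually do, switching the flag to enforce turns the fallback into a real sandbox for everything the answers above list as unconfined.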