Apparmor Profile For DNSCrypt

DNSCrypt is a program that provides encryption for DNS requests. I have a guide for setting it up here and a guide for locking it down further here.

This is a short apparmor profile for the program. I’ve removed all abstractions, and it works for me.

# Last Modified: Sat Jul 6 02:21:04 2013
# This AppArmor profile is provided by insanitybit.com, and if there are
# updates that is where you will find them. Report issues or changes
# there please!

#include <tunables/global>

/usr/local/sbin/dnscrypt-proxy {

  # No abstractions: everything the proxy touches is listed explicitly.

  # DNS over UDP and TCP, IPv4 and IPv6
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,

  # setuid/setgid/sys_chroot let the proxy drop to its --user account and
  # chroot; net_bind_service lets it listen on a privileged port.
  # block_suspend is not recognised by older AppArmor parsers (Ubuntu
  # 12.04's, for one); drop that line if apparmor_parser rejects it.
  capability block_suspend,
  capability net_admin,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # The user lookup for the privilege drop goes through NSS, hence
  # nsswitch.conf, passwd and the libnss_* modules.
  /bin/false r,
  /dev/null rw,
  /dev/urandom r,
  /etc/ld.so.cache r,
  /etc/localtime r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /lib/*-linux-gnu*/libc-*.so mr,
  /lib/*-linux-gnu*/libm-*.so mr,
  /lib/*-linux-gnu*/libnsl-*.so mr,
  /lib/*-linux-gnu*/libnss_compat-*.so mr,
  /lib/*-linux-gnu*/libnss_files-*.so mr,
  /lib/*-linux-gnu*/libnss_nis-*.so mr,

  # libsodium, whether installed by the distro or from source
  /usr/lib/libsodium.so* mr,
  /usr/local/lib/libsodium.so* mr,

  /usr/lib/libdns.so* mr,

}

dnscrypt-proxy can run as a separate, unprivileged user: started with --user it chroots into that account's home directory and drops root, which is why the profile grants setuid, setgid and sys_chroot and lets the proxy read /etc/nsswitch.conf and /etc/passwd for the user lookup. The binary is also built with hardening flags: it is PIE, linked with full RELRO, and compiled with stack protection. That is a good baseline, but I like to be sure, so enforcing an AppArmor profile on top of it is always nice.

With this profile enforced, an attacker who compromises dnscrypt-proxy gets no write access to the filesystem (the only writable path is /dev/null) and can read little beyond the libraries and NSS files listed above. The most viable option left for escalating on the host is a local kernel exploit. What the profile does not take away is the network: the socket rules allow any IPv4 or IPv6 stream or datagram socket, so a compromised proxy can still reach out, and that is the access you should assume it keeps.
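An added example (my own, not code from the original post or from the DNSCrypt project): the way to roll a profile like this out is to load it in complain mode first, turn whatever it logs into candidate rules, and only then switch to enforce. The script below does the log-triage part on a few constructed denial lines so it runs offline; the profile path under /etc/apparmor.d and reading denials from journalctl -k are assumptions, not taken from the page.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the DNSCrypt project.
# Assumed: the profile lives at the path below and kernel-log denials
# are read with "journalctl -k".
set -u
export LC_ALL=C   # byte-order sort so the output is stable

PROFILE_NAME="/usr/local/sbin/dnscrypt-proxy"
PROFILE_FILE="${PROFILE_FILE:-/etc/apparmor.d/usr.local.sbin.dnscrypt-proxy}"

# field KEY LINE: print the value of KEY="value" (or KEY=value) from one
# audit line. Requiring whitespace before KEY keeps "name=" from matching
# inside "capname=".
field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# denial_to_rule LINE: map one apparmor="DENIED" line to a profile rule.
#   file access -> "/path mask,"  (c/d masks become w; a bare x becomes
#                  ix, which you should revisit: px or Px is often safer)
#   capability  -> "capability NAME,"
#   socket op   -> "network FAMILY TYPE,"
denial_to_rule() {
  local line=$1 op name mask
  op=$(field operation "$line")
  case "$op" in
    capable)
      printf 'capability %s,\n' "$(field capname "$line")" ;;
    create|bind|connect|sendmsg|recvmsg|getsockopt|setsockopt)
      printf 'network %s %s,\n' "$(field family "$line")" "$(field sock_type "$line")" ;;
    *)
      name=$(field name "$line")
      # normalise the mask: c/d -> w, drop repeats, qualify x as ix
      mask=$(field denied_mask "$line" | tr 'cd' 'ww' | fold -w1 | sort -u | tr -d '\n' | sed 's/x/ix/')
      if [ -n "$name" ] && [ -n "$mask" ]; then
        printf '%s %s,\n' "$name" "$mask"
      else
        printf '# unhandled: %s\n' "$line"
      fi ;;
  esac
}

# denials_to_rules: read kernel-log lines on stdin, keep the denials for
# this profile only, and print unique candidate rules.
denials_to_rules() {
  grep -F 'apparmor="DENIED"' | grep -F "profile=\"$PROFILE_NAME\"" |
    while IFS= read -r l; do denial_to_rule "$l"; done | sort -u
}

# Constructed sample denials (not real logs): a file read, a capability,
# a raw socket, a duplicate of the first, and one from another profile.
sample_denials() {
  cat <<'EOF'
[ 1234.5678] audit: type=1400 audit(1372977664.123:42): apparmor="DENIED" operation="open" profile="/usr/local/sbin/dnscrypt-proxy" name="/etc/hosts" pid=2345 comm="dnscrypt-proxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1234.5679] audit: type=1400 audit(1372977664.124:43): apparmor="DENIED" operation="capable" profile="/usr/local/sbin/dnscrypt-proxy" pid=2345 comm="dnscrypt-proxy" capability=21 capname="sys_admin"
[ 1234.5680] audit: type=1400 audit(1372977664.125:44): apparmor="DENIED" operation="create" profile="/usr/local/sbin/dnscrypt-proxy" pid=2345 comm="dnscrypt-proxy" family="inet" sock_type="raw" protocol=1
[ 1234.5681] audit: type=1400 audit(1372977664.126:45): apparmor="DENIED" operation="open" profile="/usr/local/sbin/dnscrypt-proxy" name="/etc/hosts" pid=2345 comm="dnscrypt-proxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1234.5682] audit: type=1400 audit(1372977664.127:46): apparmor="DENIED" operation="open" profile="/usr/bin/other" name="/etc/shadow" pid=9 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Root-only steps for a live system; nothing below runs by itself.
# 1. load the profile and put it in complain mode (log, don't block)
profile_complain() {
  apparmor_parser -r "$PROFILE_FILE" && aa-complain "$PROFILE_FILE"
}
# 2. after exercising the proxy and merging the rules you accept, enforce
#    and confirm the profile shows up as enforced
profile_enforce() {
  aa-enforce "$PROFILE_FILE" && aa-status | grep -F "$PROFILE_NAME"
}

case "${1:-}" in
  --triage) denials_to_rules ;;                    # journalctl -k | $0 --triage
  --demo)   sample_denials | denials_to_rules ;;   # offline run on the samples
esac
```

The triage output is deliberately a list of candidates, not an automatic merge: a denied raw socket or sys_admin capability is usually a sign of something you do not want the proxy doing, not a rule to add.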

Enjoy.

28 thoughts on “Apparmor Profile For DNSCrypt”

  1. Pingback: Hardening DNSCrypt - InsanityBit

      • Actually, the file names are “libsodium.a” and “libsodium.la” so I’ve written that out as “libsodium.*a”; there might be a better way to write it, like enumeration or something like “libsodium.l?a” if that’s supported.

        • Weird, I just installed 1.3.1 and I had to compile libsodium from source to get it working.

          Your rule is fine, there’s a way to do slightly more specific regex stuff in Apparmor, but it won’t make things more secure in this case.

          • 1.3.1 no longer includes a custom copy of libsodium. Only 1.3.0 seems to do that.
            Since libsodium is not packaged for Ubuntu yet, I’ve packaged 1.3.0 in the PPA for now. I don’t think there are any notable changes in 1.3.1 for Linux, so I didn’t bother to package the library to get it (yet).

    • I’ll have to update my version and figure out the issue. I’ll get back to you with a solution later today hopefully.

        • The error you get is basically what happens when you have inbound connections denied via UFW/GUFW/IPTables. Not sure what else it could be. But by default Ubuntu doesn’t use any iptables rules that I know of.

          • It works fine without the AppArmor profile, so I assume it’s AppArmor that breaks it. Perhaps it tries to do something not covered by any of the stock networking capabilities?

            • Strange, as I’m on 13.04 and the profile works fine for me. Are you getting any violations with aa-logprof?

              Also, are you running it as a separate user?

  2. Off the top of my head, your profile mentions libsodium in /usr/local/lib twice.

    Also, in 1.3.0 it’s “libsodium.a” and “libsodium.la”, not “libsodium.so”, so I can’t use your profile without modifying it. Specifying “libsodium.*” should fix it.

    It’s good to see you’ve added IPv6 capabilities, I was about to ask if you’ve tested IPv6. I wonder if it requires any additional CLI parameters to work and if I can just enable it by default in the package.

    Sorry I’m not replying to your relevant comment, WordPress won’t let me 🙁

    • I’ve just remembered that IPv4 DNS resolves IPv6 addresses just fine so there’s no point in enabling IPv6 in the package by default. Sorry for the stupid question XD

      I wonder if the AppArmor profile allows IPv6 though.

    • WordPress is weird. The commit I sent to dnscrypt is for the latest branch, which is 1.3.1, which uses .so so that’s what I’m using. Using a .* isn’t a big deal, but I’m not gonna change it for consistency’s sake – if they change back to using .a or .la I’ll change it.

      Haven’t tested out ipv6, personally. But ipv6 is fully supported on DNSCrypt.

      • Okay, as you wish.

        I’ve packaged libsodium and DNSCrypt 1.3.1 now, and that lets me compile them on Ubuntu Precise! However, AppArmor on Precise complains that there’s no such thing as “capability block_suspend”. Are you sure it’s needed for DNSCrypt to function?

        • You *should* be able to remove it without completely breaking it. But I don’t know why it’s saying that there’s no such capability. Precise may use an older version of apparmor.

  3. So I’ve generalized the profile a bit and included it in DNSCrypt mainline codebase as well as in my PPA, https://launchpad.net/~shnatsel/+archive/dnscrypt

    However, turns out that the profile breaks shutdown on Ubuntu 14.04 (and only on 14.04!) even though it doesn’t have the “block_suspend” capability. My attempts to debug this have failed, so I’d really appreciate if you could take a look.

    This is a serious bug because it breaks rebooting on remote servers, and the only solution so far is disabling the AppArmor profile, which is obviously a no-go.

    • I noticed that bug, I’ll see if I can reproduce it again on this system. As I recall it looked more like an apparmor bug than a DNSCrypt issue.
