Difference between revisions of "UbuntuSecurity"
(13 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
Akima's simple guide to LÖVE security sandboxing for Ubuntu users. | Akima's simple guide to LÖVE security sandboxing for Ubuntu users. | ||
− | == Overview | + | == Overview == |
AppArmor is a piece of security software that is already present on your Ubuntu computer and already configured by default to protect some software services running on your machine. | AppArmor is a piece of security software that is already present on your Ubuntu computer and already configured by default to protect some software services running on your machine. | ||
− | This page provides straight forward instructions that explain how to secure the LÖVE engine using an AppArmor profile. The effect of securing the LÖVE engine will be that .love games will have very restricted access to your computer so they can only | + | This page provides straight forward instructions that explain how to secure the LÖVE engine using an AppArmor profile. The effect of securing the LÖVE engine will be that .love games will have very restricted access to your computer so they can only execute, read or write the files that are likely to be necessary. The games will not be able to access your private files and will not be able to start any other executables on your system. |
− | One drawback of | + | One drawback of security sandboxing the LÖVE engine is that some .love games may try to do things which the AppArmor profile does not permit. This may partially or completely stop the .love game from working. Nothing bad can happen to your computer or your files as a result of a .love game being denied permission to do something though. |
'''Disclaimer:''' Until otherwise stated, this LÖVE security enhancement is not endorsed or supported by the LÖVE development team. | '''Disclaimer:''' Until otherwise stated, this LÖVE security enhancement is not endorsed or supported by the LÖVE development team. | ||
− | == Requirements | + | == Requirements == |
You must be using an officially packaged .deb install of LÖVE. They can be downloaded on the [http://love2d.org/ LÖVE home page]. | You must be using an officially packaged .deb install of LÖVE. They can be downloaded on the [http://love2d.org/ LÖVE home page]. | ||
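Review bot: the reworded Overview sentence says games "can only execute, read or write the files that are likely to be necessary", but none of the rules listed in the profile further down carries an x permission (/usr/bin/love itself is granted only r), and the following sentence says games cannot start any other executables. Drop "execute" from that sentence or state exactly what may be executed. While editing the paragraph, "straight forward" should be "straightforward".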
Line 26: | Line 26: | ||
The apparmor profile ''should'' work on other [http://www.canonical.com/ Canonical] supported versions of Ubuntu Desktop. | The apparmor profile ''should'' work on other [http://www.canonical.com/ Canonical] supported versions of Ubuntu Desktop. | ||
− | == The Instructions | + | == The Instructions == |
− | '''1) Save the apparmor profile.''' To do that: select and copy the apparmor profile text below, paste it into a text editor and save it to a file called | + | '''1) Save the apparmor profile.''' To do that: select and copy the apparmor profile text below, paste it into a text editor and save it to a file called ''usr.bin.love'' in the root of your home directory: eg: /home/your_user_name/usr.bin.love |
<source lang="text"> | <source lang="text"> | ||
− | + | # Last Modified: Mon Mar 28 21:50:00 2011 | |
− | # Last Modified: Mon | ||
#include <tunables/global> | #include <tunables/global> | ||
Line 39: | Line 38: | ||
#include <abstractions/base> | #include <abstractions/base> | ||
+ | # Read access to the LOVE executable | ||
+ | /usr/bin/love r, | ||
+ | # Read access to misc files required by LOVE | ||
/etc/openal/alsoft.conf r, | /etc/openal/alsoft.conf r, | ||
− | |||
owner /proc/*/cmdline r, | owner /proc/*/cmdline r, | ||
/var/lib/dbus/machine-id r, | /var/lib/dbus/machine-id r, | ||
owner /var/run/gdm/auth*/database r, | owner /var/run/gdm/auth*/database r, | ||
+ | |||
+ | # Read access to all files with a .love extension | ||
/**.love r, | /**.love r, | ||
− | @{HOME}/.love/ rw, | + | |
− | @{HOME}/.love/** rw, | + | # Read & write access to user love config & save directories |
+ | owner @{HOME}/.love/ rw, | ||
+ | owner @{HOME}/.love/** rw, | ||
+ | owner @{HOME}/.local/share/love/ rw, | ||
+ | owner @{HOME}/.local/share/love/** rw, | ||
} | } | ||
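Review bot: the new comment documents the rule "/**.love r," but this revision adds the owner qualifier to every home-directory rule and leaves this one, the broadest rule in the profile, without it, so a game can read any file on the system whose name ends in .love regardless of who owns it. Either write it as "owner /**.love r," (with a separate rule for a system-wide games directory if one is needed) or say in the comment why the match is deliberately unrestricted.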
Line 54: | Line 61: | ||
Applications -> Accessories -> Terminal | Applications -> Accessories -> Terminal | ||
− | '''3) Activate the profile.''' One line at a time enter each of these commands into the terminal: | + | '''3) Activate the profile.''' One line at a time enter each of these commands into the terminal: |
<source lang="bash"> | <source lang="bash"> | ||
sudo mv ~/usr.bin.love /etc/apparmor.d | sudo mv ~/usr.bin.love /etc/apparmor.d | ||
Line 60: | Line 67: | ||
sudo apparmor_parser --add /etc/apparmor.d/usr.bin.love | sudo apparmor_parser --add /etc/apparmor.d/usr.bin.love | ||
</source> | </source> | ||
+ | ''(note: each command uses sudo to elevate your user to an administrator. When you enter the first command, using sudo for the first time, you will be prompted for your password. This is normal.)'' | ||
− | == Removing the profile | + | '''4) (optional step).''' If you want to receive desktop notifications when AppArmor restricts a .love game from doing something that is not permitted then install the apparmor-notify package. To do this, simply enter this command into the terminal: |
+ | <source lang="bash"> | ||
+ | sudo apt-get install apparmor-notify | ||
+ | </source> | ||
+ | |||
+ | == Removing the profile == | ||
If you ever want to remove the AppArmor security profile you added and go back to how it was before, it is quite simple. Open a terminal again and one line at a time enter each of these commands into the terminal: | If you ever want to remove the AppArmor security profile you added and go back to how it was before, it is quite simple. Open a terminal again and one line at a time enter each of these commands into the terminal: | ||
Line 71: | Line 84: | ||
That's it! | That's it! | ||
− | == Advanced Geek AppArmor Stuff | + | == Advanced Geek AppArmor Stuff == |
This section is for people who want to know more about AppArmor and perhaps customize, extend or otherwise improve their AppArmor profile. | This section is for people who want to know more about AppArmor and perhaps customize, extend or otherwise improve their AppArmor profile. | ||
Line 77: | Line 90: | ||
An AppArmor profile simply contains a series of instructions telling AppArmor what a piece of software can and cannot do. If you want to understand the rules inside a profile better read the '''apparmor.d''' man page. | An AppArmor profile simply contains a series of instructions telling AppArmor what a piece of software can and cannot do. If you want to understand the rules inside a profile better read the '''apparmor.d''' man page. | ||
− | + | If you want to allow .love files to have TCP and UDP network access as well as the ability to resolve hostnames to ip addresses the make then following changes to the AppArmor profile given in ''The Instructions'': | |
− | <source lang=" | + | Add the following line underneith the other #includes: |
− | + | <source lang="text"> | |
+ | #include <abstractions/nameservice> | ||
+ | </source> | ||
+ | After the line: | ||
+ | <source lang="text"> | ||
+ | owner @{HOME}/.local/share/love/** rw, | ||
+ | </source> | ||
+ | ...add the following lines: | ||
+ | <source lang="text"> | ||
+ | # Network access | ||
+ | network udp, | ||
+ | network tcp, | ||
</source> | </source> | ||
A good place to learn more is the [https://wiki.ubuntu.com/AppArmor Ubuntu AppArmor wiki page]. | A good place to learn more is the [https://wiki.ubuntu.com/AppArmor Ubuntu AppArmor wiki page]. | ||
− | + | == Bugs == | |
− | == Bugs | ||
Found a bug? Have a problem? Got a suggested update for this page? | Found a bug? Have a problem? Got a suggested update for this page? | ||
Then [http://love2d.org/forums/ post in the forums] or [http://love2d.org/forums/memberlist.php?mode=viewprofile&u=2076 PM Akima!] | Then [http://love2d.org/forums/ post in the forums] or [http://love2d.org/forums/memberlist.php?mode=viewprofile&u=2076 PM Akima!] | ||
− | If you confirm the apparmor profile to work on an unlisted | + | If you confirm the apparmor profile to work on an unlisted version of the LÖVE engine or Ubuntu then update the "Requirements" section of this page accordingly. |
+ | |||
+ | == Known Working Games == | ||
+ | |||
+ | The following .love files have been tested and work fine in the AppArmor sandbox: | ||
+ | * [[Dave Gone Apeshit]] 1.2 | ||
+ | * [[AutoBenchmark]] 0.90 | ||
+ | * [[Desert Loot]] | ||
+ | |||
+ | == See also == | ||
+ | * [[SELÖVE]] |
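Review bot: the new network instructions tell the reader to edit the profile but never say to reload it, and step 3 loaded it with apparmor_parser --add, so the edited file has no effect until the profile is reloaded; add a line such as "sudo apparmor_parser --replace /etc/apparmor.d/usr.bin.love" after the last snippet. The same paragraph has two typos: "the make then following changes" should read "then make the following changes", and "underneith" should be "underneath".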
Latest revision as of 13:32, 12 April 2011
Akima's simple guide to LÖVE security sandboxing for Ubuntu users.
Overview
AppArmor is a piece of security software that is already present on your Ubuntu computer and already configured by default to protect some software services running on your machine.
This page provides straightforward instructions that explain how to secure the LÖVE engine using an AppArmor profile. The effect of securing the LÖVE engine will be that .love games will have very restricted access to your computer so they can only execute, read or write the files that are likely to be necessary. The games will not be able to access your private files and will not be able to start any other executables on your system.
One drawback of security sandboxing the LÖVE engine is that some .love games may try to do things which the AppArmor profile does not permit. This may partially or completely stop the .love game from working. Nothing bad can happen to your computer or your files as a result of a .love game being denied permission to do something though.
Disclaimer: Until otherwise stated, this LÖVE security enhancement is not endorsed or supported by the LÖVE development team.
Requirements
You must be using an officially packaged .deb install of LÖVE. Packages can be downloaded from the LÖVE home page (http://love2d.org/).
The following setups have been tested and are confirmed working:
LÖVE versions:
- 0.6.2
- 0.7.1
Ubuntu versions:
- Ubuntu Desktop 10.04 (64bit).
The AppArmor profile should work on other Canonical-supported versions of Ubuntu Desktop.
The Instructions
1) Save the AppArmor profile. To do that: select and copy the AppArmor profile text below, paste it into a text editor and save it to a file called usr.bin.love in the root of your home directory, e.g. /home/your_user_name/usr.bin.love

# Last Modified: Mon Mar 28 21:50:00 2011
#include <tunables/global>

/usr/bin/love {
  #include <abstractions/X>
  #include <abstractions/audio>
  #include <abstractions/base>

  # Read access to the LOVE executable
  /usr/bin/love r,

  # Read access to misc files required by LOVE
  /etc/openal/alsoft.conf r,
  owner /proc/*/cmdline r,
  /var/lib/dbus/machine-id r,
  owner /var/run/gdm/auth*/database r,

  # Read access to all files with a .love extension
  /**.love r,

  # Read & write access to user love config & save directories
  owner @{HOME}/.love/ rw,
  owner @{HOME}/.love/** rw,
  owner @{HOME}/.local/share/love/ rw,
  owner @{HOME}/.local/share/love/** rw,
}

2) Open a terminal. You should be able to find Gnome Terminal under: Applications -> Accessories -> Terminal
3) Activate the profile. Enter each of these commands into the terminal, one line at a time:
sudo mv ~/usr.bin.love /etc/apparmor.d
sudo chown root:root /etc/apparmor.d/usr.bin.love
sudo apparmor_parser --add /etc/apparmor.d/usr.bin.love
(Note: each command uses sudo to elevate your user to an administrator. When you enter the first command, using sudo for the first time, you will be prompted for your password. This is normal.)
4) (optional step). If you want to receive desktop notifications when AppArmor restricts a .love game from doing something that is not permitted then install the apparmor-notify package. To do this, simply enter this command into the terminal:
sudo apt-get install apparmor-notify
Removing the profile
If you ever want to remove the AppArmor security profile you added and go back to how it was before, it is quite simple. Open a terminal again and enter each of these commands, one line at a time:
sudo apparmor_parser --remove /etc/apparmor.d/usr.bin.love
sudo rm /etc/apparmor.d/usr.bin.love
That's it!
Advanced Geek AppArmor Stuff
This section is for people who want to know more about AppArmor and perhaps customize, extend or otherwise improve their AppArmor profile.
An AppArmor profile simply contains a series of instructions telling AppArmor what a piece of software can and cannot do. If you want to understand the rules inside a profile better, read the apparmor.d man page.
If you want to allow .love files to have TCP and UDP network access as well as the ability to resolve hostnames to IP addresses, then make the following changes to the AppArmor profile given in The Instructions.
Add the following line underneath the other #includes:
#include <abstractions/nameservice>
After the line:
owner @{HOME}/.local/share/love/** rw,
...add the following lines:
# Network access
network udp,
network tcp,
A good place to learn more is the Ubuntu AppArmor wiki page.
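Before widening the profile for a game that stops working, it helps to see exactly what AppArmor denied to /usr/bin/love. The script below is an added example, not part of the original guide: the log lines are constructed samples in the kernel audit key="value" layout, and the function names sample_log and love_denials are hypothetical.

```shell
#!/bin/sh
# Added example: summarise what AppArmor denied to the /usr/bin/love profile.

# Constructed sample lines in the kernel audit key="value" layout (not real logs).
sample_log() {
cat <<'EOF'
kernel: type=1400 audit(1301345701.101:41): apparmor="DENIED" operation="open" pid=2345 profile="/usr/bin/love" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 name="/home/alice/.ssh/id_rsa"
kernel: type=1400 audit(1301345701.202:42): apparmor="DENIED" operation="open" pid=2345 profile="/usr/bin/love" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 name="/home/alice/.ssh/id_rsa"
kernel: type=1400 audit(1301345702.303:43): apparmor="DENIED" operation="exec" pid=2345 profile="/usr/bin/love" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 name="/bin/sh"
kernel: type=1400 audit(1301345703.404:44): apparmor="DENIED" operation="create" pid=2345 profile="/usr/bin/love" family="inet" sock_type="stream" protocol=6
kernel: type=1400 audit(1301345704.505:45): apparmor="DENIED" operation="open" pid=900 profile="/usr/sbin/cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 name="/etc/shadow"
kernel: type=1400 audit(1301345705.606:46): apparmor="STATUS" operation="profile_load" name="/usr/bin/love" pid=3001
EOF
}

# Print "count operation denied_mask target" per distinct denial, most frequent first.
# $1 = profile name (defaults to the profile from this guide).
love_denials() {
    LC_ALL=C awk -v want="${1:-/usr/bin/love}" '
    # Return the value of key="value" on the current line, or "-" if absent.
    function field(key,    s) {
        if (!match($0, "(^| )" key "=\"[^\"]*\"")) return "-"
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    /apparmor="DENIED"/ && field("profile") == want {
        target = field("name")
        # Network denials carry no name; report socket family and type instead.
        if (target == "-" && field("family") != "-")
            target = "net:" field("family") "/" field("sock_type")
        seen[field("operation") " " field("denied_mask") " " target]++
    }
    END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

sample_log | love_denials
```

On a real system, feed the function from the kernel log instead of the sample, for example: sudo grep apparmor /var/log/kern.log | love_denials. A denied read outside the game's own directories or a denied exec is the sandbox doing its job, not a rule to add.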
Bugs
Found a bug? Have a problem? Got a suggested update for this page? Then post in the forums or PM Akima!
If you confirm that the AppArmor profile works on an unlisted version of the LÖVE engine or Ubuntu, then update the "Requirements" section of this page accordingly.
Known Working Games
The following .love files have been tested and work fine in the AppArmor sandbox:
- Dave Gone Apeshit 1.2
- AutoBenchmark 0.90
- Desert Loot