Sunday, June 21, 2009

Playing with laptop-mode

The other day I decided to squeeze the most out of my laptop's battery. After a few minutes of tweaking I discovered (to my surprise) that laptop-mode is disabled by default in Ubuntu 9.04. The comment in /etc/default/acpi-support provides an explanation:

# Switch to laptop-mode on battery power - off by default as it causes odd
# hangs on some machines. (Note: This is reported to cause breakage in
# Debian - see deb bug #425800. Leaving enabled for Ubuntu for now
# since presumably it's still valid here.)

But apparently it's disabled in Ubuntu... W00t? This means that when you're running on battery power, the system doesn't perform any optimizations to reduce power consumption except for the CPU frequency scaling done by the ondemand governor (please correct me if I'm wrong...).

So the first step is enabling laptop-mode (set ENABLE_LAPTOP_MODE=true in the acpi-support config file) and restarting /etc/init.d/laptop-mode. A quick look at the /etc/laptop/conf.d directory reveals a plethora of options for tweaking laptop-mode. Many of them depend on and require specific hardware and are disabled by default; some are generic. The ones I found interesting for my laptop are:
  • cpufreq.conf - configures frequency scaling rules, e.g. makes it possible to force the slowest CPU frequency when running on battery power, no matter what the system load is.
  • start-stop-programs.conf - allows for setting programs or services which should be started or stopped when on battery power.
  • ethernet.conf - configures power saving settings for Ethernet cards, e.g. limits connection speed from 1Gbit to 100Mbit.
  • wireless-iwl-power.conf - configures powersave mode of Intel 3945/4965 wireless adapters.
  • intel-hda-powersave.conf - configures power saving settings of Intel HDA audio chipsets.
Enabling the above settings didn't impact the stability of my system. I haven't tested battery lifetime with these changes yet; conclusions will follow in a later post. To be continued.

Saturday, June 13, 2009

Securing applications with AppArmor

The main problem with the standard Unix security model (DAC - Discretionary Access Control) is that applications inherit the full privileges of the user who runs them. Whenever you launch e.g. a web browser, it has access to every file and resource you normally have access to. Under normal conditions that's not a big deal, but think of what happens if the browser has a bug that can be exploited by an attacker... This danger can be minimized by employing MAC - Mandatory Access Control.

Having some prior experience with the SELinux MAC implementation (the master's thesis I wrote one year ago), I've decided to try out Novell's AppArmor. While SELinux is very powerful and may seem to be the ultimate MAC solution for Linux, it's far too complex for the average user. Sure, the default 'targeted' policy implemented e.g. in Fedora Linux works fine out of the box, but debugging problems may still be too intimidating for most users. AppArmor is a MAC implementation for the masses: it's much easier to comprehend, use and administer.

I'm not going to describe AppArmor's history, command line tools etc. as they are explained in detail in the official documentation as well as in the man pages. Instead, here is a short walk-through of creating a policy for Adobe Acrobat Reader 9. Acrobat Reader has a long track record of security issues - most of them related to application crashes when opening malformed (crafted) PDF files. The goal is to limit the resources/files that acroread can access: read-only access to the filesystem, write access to specific paths only and 'execute' permission for specific commands only.

  1. Run AppArmor's 'learning' mode (profile generation) and point it to /usr/bin/acroread.
    $ sudo aa-genprof
  2. Run Acrobat Reader and exercise it a bit, that is, perform all the usual operations, e.g. open a file, print it etc.
  3. When you're done, press "S" key in the aa-genprof window. You'll now have to answer a series of questions about granting or denying access to specific resources based on the actions you've just performed in Acrobat Reader. Use your best judgment to allow/deny access to given resources; keep in mind that some rules may need to be adjusted and made more generic by specifying glob patterns, e.g. allow acroread to read/write files in /tmp/** rather than a specific file in /tmp/ detected by aa-genprof.
  4. Once you're done with aa-genprof a new AppArmor profile will appear in /etc/apparmor.d/opt.Adobe.Reader9.bin.acroread. Open it in an editor and perform further adjustments.
  5. When done, reload AppArmor with sudo /etc/init.d/apparmor reload. Run Acrobat Reader and verify that it works. Check /var/log/messages (or /var/log/audit/audit.log if you have auditd running) for any APPARMOR_DENIED messages which may be related to acroread actions. Repeat steps 4-5 if needed.
You'll need around 10 minutes to complete steps 1-3. You may stop there if you're happy with the rules created automatically by aa-genprof, but it's a good idea to tweak them manually. This will take you around 30 minutes, depending on your skills, needs and application complexity.
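As an added example (not from the post), here is a small Python helper for step 5: it groups the APPARMOR_DENIED records that belong to the acroread profile by path and denied mask, and turns them into candidate profile lines to review in step 4. The log lines are constructed for this example in the key="value" style of AppArmor audit records; the paths and pids are made up.

```python
import re
from collections import defaultdict

# Constructed sample audit records (field names as in AppArmor audit logs,
# values invented for this example). One APPARMOR_ALLOWED line is included
# to show that only denials are collected.
SAMPLE_LOG = """\
type=APPARMOR_DENIED msg=audit(1245000001.001:101): operation="open" profile="/opt/Adobe/Reader9/Reader/intellinux/bin/acroread" name="/usr/share/perl/5.10/strict.pm" pid=4321 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=APPARMOR_DENIED msg=audit(1245000001.002:102): operation="open" profile="/opt/Adobe/Reader9/Reader/intellinux/bin/acroread" name="/home/alice/.ssh/id_rsa" pid=4321 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=APPARMOR_DENIED msg=audit(1245000001.003:103): operation="open" profile="/opt/Adobe/Reader9/Reader/intellinux/bin/acroread" name="/home/alice/.adobe/Acrobat/9.0/Preferences/reader_prefs" pid=4321 requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=APPARMOR_DENIED msg=audit(1245000001.004:104): operation="exec" profile="/opt/Adobe/Reader9/Reader/intellinux/bin/acroread" name="/usr/bin/lpr" pid=4322 requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=APPARMOR_ALLOWED msg=audit(1245000001.005:105): operation="open" profile="/opt/Adobe/Reader9/Reader/intellinux/bin/acroread" name="/usr/share/doc/x.pdf" pid=4321 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

ACROREAD_PROFILE = "/opt/Adobe/Reader9/Reader/intellinux/bin/acroread"

# key="quoted value" or key=bareword
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_record(line):
    """Split one audit line into a dict; quoted values lose their quotes."""
    fields = {}
    for m in FIELD.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields

def summarize_denials(log_text, profile):
    """Count APPARMOR_DENIED records for `profile`, keyed by (path, denied_mask)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "APPARMOR_DENIED" or rec.get("profile") != profile:
            continue
        counts[(rec["name"], rec["denied_mask"])] += 1
    return dict(counts)

def suggest_rules(summary):
    """Candidate profile lines for manual review in step 4. Each one is a
    decision: add it (perhaps with a glob), or keep the access denied."""
    return sorted(f"{path} {mask}," for (path, mask) in summary)
```

Run it over the real audit log of a profiling session and review the output: in the sample, the .ssh read is exactly the kind of denial you want to keep, while the Acrobat preferences write and the lpr exec are candidates for new rules.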

When creating my own profile for Acrobat Reader I've decided to simplify rules that govern /opt/Adobe/Reader9 subdirectories like this:

/opt/Adobe/Reader9/** r,
/opt/Adobe/Reader9/Reader/intellinux/bin/acroread rix,
/opt/Adobe/Reader9/Reader/intellinux/lib/* mr,
/opt/Adobe/Reader9/Reader/intellinux/plug_ins/* rixm,
/opt/Adobe/Reader9/Reader/intellinux/SPPlugins/* rixm,

I've also decided to restrict read access to specific files and directories only; I came to the conclusion that PDF files usually reside in /home directories, /media/ directories (mounted devices like a cdrom or flash drives) and /usr/share/doc subdirectories. So I ended up with the following rules:

deny /home/*/.ssh/** r,
deny /home/*/.gnupg/** r,
owner /home/** r,
/media/ r,
/media/** r,
/ r,
/usr/ r,
/usr/share/ r,
/usr/share/doc/ r,
/usr/share/doc/** r,

The first two "deny" rules protect some vital user files. The remaining rules grant read-only access to the paths mentioned above. Please note that read access to /, /usr, /usr/share and /usr/share/doc (no globs here!) is needed to allow the standard "Open file" dialog to read the contents of these directories (just the list of files) and browse to /usr/share/doc/. Try to navigate to e.g. /usr/share/perl to see that it's not allowed. Cool!
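To see how these globs and qualifiers combine, here is an added Python matcher (not from the post, and a simplification of the real AppArmor matcher, which also handles `?`, alternations and many more permission bits) that applies the rule set above to sample paths. It models only the three semantics the paragraph depends on: `*` stops at a slash, `**` crosses slashes, and a `deny` rule overrides any allow; the `owner` qualifier is approximated with a boolean.

```python
import re

# The read-access rules quoted in the post, used here as a constructed rule set.
PROFILE_RULES = """
deny /home/*/.ssh/** r,
deny /home/*/.gnupg/** r,
owner /home/** r,
/media/ r,
/media/** r,
/ r,
/usr/ r,
/usr/share/ r,
/usr/share/doc/ r,
/usr/share/doc/** r,
"""

def glob_to_regex(glob):
    """AppArmor globbing: '**' matches across '/', a single '*' stops at '/'."""
    table = {"**": ".*", "*": "[^/]*"}
    parts = (table.get(p, re.escape(p)) for p in re.split(r"(\*\*|\*)", glob))
    return re.compile("^" + "".join(parts) + "$")

def parse_rules(text):
    """Each line: optional 'deny', optional 'owner', a path glob, permissions."""
    rules = []
    for line in text.splitlines():
        tokens = line.strip().rstrip(",").split()
        if not tokens:
            continue
        deny, owner = tokens[0] == "deny", "owner" in tokens[:2]
        path, perms = tokens[deny + owner:]  # drop the qualifier words
        rules.append((deny, owner, glob_to_regex(path), perms))
    return rules

def is_allowed(rules, path, perm, is_owner=True):
    """A matching 'deny' rule always wins; an 'owner' rule counts only when
    the process's user owns the file; otherwise any matching allow grants."""
    allowed = False
    for deny, owner, pattern, perms in rules:
        if perm not in perms or not pattern.match(path):
            continue
        if deny:
            return False
        if owner and not is_owner:
            continue
        allowed = True
    return allowed

RULES = parse_rules(PROFILE_RULES)
```

With these rules, is_allowed(RULES, "/usr/share/perl/", "r") is False because no rule covers that directory, while "/home/alice/.ssh/id_rsa" is refused even though the owner rule for /home/** would otherwise match.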

There are of course more rules - in fact the profile file contains around 60 rules in total. Among them are rules that:
  • grant read/write access to configuration files in /home/*/.adobe/Acrobat/**
  • grant read access to standard GNOME/GTK configuration files in home subdirectories.
  • grant read/execute access to some standard commands like cat, pwd, mkdir and printing-related commands (lpq, lpr).
  • grant read access to icons, fonts and pixmaps.
  • grant execute access to /usr/lib directory.
That's it. Happy hacking.

Tuesday, June 2, 2009

Favourite movie scenes #1

There are movies you'll never forget. Most often this is because of their stories, but sometimes there are scenes and takes which make some movies brilliant in your eyes. Here are some of my favorite movie scenes (part #1), in no particular order...
Planet Terror. Opening titles - Cherry's Go-Go dance. One of the best and hottest movie openings... Cherry is performing a seductive Go-Go dance, supported by great music by Robert Rodriguez himself. The scene is very dynamic, thanks to frequent changes of camera distance and angle.

Lost Highway. Pete and Renee making love in the desert at night. Surreal setting with warm, bright car lights illuminating them.
When Renee whispers 'You'll never have me', you can almost feel a chill down your back...

Natural Born Killers. Opening titles - A cafe in the desert, in the middle of nowhere. Mickey is eating a pie while Mallory is turning a jukebox on and starting her defiant dance. Two men enter the cafe, one is mashing her... A scorpion gets smashed on the road, a deer is dying in the desert. The air is incredibly hot. You know something is going to happen soon. Soon they will unleash hell... Great music by Leonard Cohen, by the way.

Spy Game. Scene on the roof of a building. Muir and Bishop argue about a man used as a bait on their mission in East Germany. Muir explains what espionage is all about. You think Bishop is right, but there's no denying Muir is a professional and knows the score... The scene is nicely set on the roof of a building and the camera is circling around from time to time giving the wrangle a boost.

To be continued...