Well, after playing around with Gutsy for a little while, I started looking into AppArmor, a software restriction tool. It's quite similar to SELinux, though easier to use (and faster according to their site). AppArmor lets you specify which files/folders an application can access while running, so if it is comprimised, it can only access files that it should (i.e. Apache looking at /etc/passwd). There are a few pre-made profiles for that can be installed by typing:
sudo apt-get install apparmor-profiles
From there, you can view the status of AppArmor using the command:
Which should return somethin like this:
apparmor module is loaded.
15 profiles are loaded.
9 profiles are in enforce mode.
6 profiles are in complain mode.
5 processes have profiles defined.
3 processes are in enforce mode :
2 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The difference between enforce and complain is what AppArmor will do when a profile violation occurs. In complain mode, it will log the offense, but let it occur, in enforce mode, it will deny access to that file (and log it). To switch modes for a profile, use the
aa-enforce <binname> and
aa-complain <binname> commands as root.
You should probably keep things set to complain mode until you use logprof to update the profiles. Speaking of which, logprof parses the logs for AppArmor violations and asks you what to do about them, allow them or deny. It will also let you widen access using globs, to make it more generic (rather than /proc/17238/foo /proc/*/foo). Once you are done, you are given the option to save your changes. Once you've used to program's full functionality (i.e. Firefox downloads and flash/applets), and finished the profile, you can switch it in into enforce mode. Congratulations! You've added another link onto your computer fence.
What about adding more programs to be watched? Glad you asked for that there is genprof, simply run as root with the path to the executable you'd like to add, it will see what libraries it requires, and make a simple profile and put it in complain mode. Now rn the program, and use it how you normally would, making sure to test all the features that might access files. Now, go back to genprof, and hit 's', it will show you all the files it tried to access, just like logprof. After adjusting the profile, you are good to go. If you think you did a good job, you can set it into enforce mode, or keep it in complain mode for a while longer to make sure you got all the needed files.
Congratulations! You're now an AppArmor pro! If you'd like more information, check out AppArmor Geeks or the Ubuntu Docs. As an interesting sidenote, I found that Firefox looks at /etc/passwd, though if I block it, it still works fine. While I'm sure there is a reason, as Firefox is open source, still makes you think.
Peace and chow,