Using AppArmor with UnrealIRCd

UnrealIRCd 4.0.16 and later ship with an AppArmor profile that you can install.

Why use it?
AppArmor allows you to fine-tune which files a process can access. If you enable this for UnrealIRCd and some security vulnerability is discovered later, AppArmor would limit an attacker's abilities. For example, the attacker would be unable to execute any programs, unable to read other files in the home directory, etc.

AppArmor is installed by default on Ubuntu. It is also available as an option on a number of other distributions.

How to install
First, become root (sudo -i).

Copy and edit the policy
In the UnrealIRCd tarball there is a file extras/security/apparmor/unrealircd. Copy this to the /etc/apparmor.d/ directory:
cp extras/security/apparmor/unrealircd /etc/apparmor.d/

Now, modify the file /etc/apparmor.d/unrealircd with an editor. You should only need to modify this line (the profile marks it with the comment "1) Change the pathname of your UnrealIRCd executable here:"):
/home/ircd/unrealircd/bin/unrealircd {
Change this to the account you are using and where you have UnrealIRCd installed. Of course, if you are using the account ircd and your binary is in /home/ircd/unrealircd/bin/unrealircd then you can leave it as-is. IMPORTANT: Be sure to provide the path to the bin/unrealircd binary (eg: /home/xyz/unrealircd/bin/unrealircd) and NOT to the unrealircd script (eg: /home/xyz/unrealircd/unrealircd).

Activate the policy
To activate the AppArmor policy, run:
apparmor_parser /etc/apparmor.d/unrealircd
Or:
/etc/init.d/apparmor restart

Restart UnrealIRCd
Now try to (re)start your UnrealIRCd. Naturally, do this from the user account, NOT as root:
./unrealircd start

Disabling the policy
If you think you broke something, you can temporarily deactivate the policy by running:
apparmor_parser --remove /etc/apparmor.d/unrealircd
Or, to permanently disable the policy: move or delete /etc/apparmor.d/unrealircd and run /etc/init.d/apparmor restart

Harmless log messages
You may see some messages like this in the syslog:
Nov 25 09:40:16 machine kernel: [3080084.104059] audit: type=1400 audit(1511599216.755:11475): apparmor="DENIED" operation="chmod" profile="/home/ircd/unrealircd/bin/unrealircd" name="/home/ircd/unrealircd/conf/unrealircd.conf" pid=12661 comm="unrealircd" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
These are harmless (note the operation="chmod") and you'll see them upon boot and on each /REHASH.

TODO: get rid of these? ;)
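As an added example (not part of the UnrealIRCd documentation or its AppArmor profile), a small Python triage script that parses AppArmor audit lines from syslog, sets the harmless chmod denials described above aside, and surfaces any other denial logged for the UnrealIRCd profile, such as a blocked exec, which is exactly what the profile is there to stop. The log lines are constructed samples; the profile path is the default from this page.

```python
import re

# Constructed sample syslog lines. The first is the harmless chmod denial
# documented above; the second is a constructed exec denial that the profile
# should surface; the third is a non-DENIED status line that must be ignored.
SAMPLE_LOG = """\
Nov 25 09:40:16 machine kernel: [3080084.104059] audit: type=1400 audit(1511599216.755:11475): apparmor="DENIED" operation="chmod" profile="/home/ircd/unrealircd/bin/unrealircd" name="/home/ircd/unrealircd/conf/unrealircd.conf" pid=12661 comm="unrealircd" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 25 09:41:02 machine kernel: [3080130.221000] audit: type=1400 audit(1511599262.100:11476): apparmor="DENIED" operation="exec" profile="/home/ircd/unrealircd/bin/unrealircd" name="/bin/sh" pid=12661 comm="unrealircd" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Nov 25 09:41:05 machine kernel: [3080133.000000] audit: type=1400 audit(1511599265.000:11477): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/home/ircd/unrealircd/bin/unrealircd" pid=12700 comm="apparmor_parser"
"""

# key="quoted value" pairs and bare key=value pairs (pid=, fsuid=, type=)
KV_QUOTED_RE = re.compile(r'(\w+)="([^"]*)"')
KV_BARE_RE = re.compile(r'(\w+)=([^\s"]+)')


def parse_apparmor_line(line):
    """Return the key=value fields of an AppArmor audit line as a dict, or None."""
    if 'apparmor=' not in line:
        return None
    fields = dict(KV_QUOTED_RE.findall(line))
    for key, value in KV_BARE_RE.findall(line):
        fields.setdefault(key, value)
    return fields


def triage(log_text, profile_path="/home/ircd/unrealircd/bin/unrealircd"):
    """Split DENIED events for the given profile into the harmless chmod noise
    and everything else the profile blocked (worth a look in either case:
    a misconfigured path, or a process doing something it never should)."""
    harmless, suspicious = [], []
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or ev.get("apparmor") != "DENIED" or ev.get("profile") != profile_path:
            continue
        (harmless if ev.get("operation") == "chmod" else suspicious).append(ev)
    return harmless, suspicious


if __name__ == "__main__":
    noise, alerts = triage(SAMPLE_LOG)
    print(f"{len(noise)} harmless chmod denial(s), {len(alerts)} to investigate")
    for ev in alerts:
        print(f"  pid={ev['pid']} operation={ev['operation']} name={ev['name']} denied_mask={ev['denied_mask']}")
```

In practice feed it the output of journalctl -k or /var/log/syslog, and adjust profile_path if you changed the executable path in the profile.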