Should we further enforce “user account separation” with this?
Currently, apparmor-profile-everything doesn’t allow root to snoop in users’ home directories, but that does nothing to stop root from switching to those users and then accessing their files.
To do this, we’d need to remove the CAP_SETUID and CAP_SETGID capabilities (and create a sudo profile so sudo still works). We’d need to prevent root from trying to crack or change the user’s password, so we’d need to block access to files like /etc/shadow.
But then, root can still compromise user applications, so we need to remove CAP_SYS_PTRACE to prevent root from modifying other processes, or we can just further restrict apparmor’s ptrace rules; but then root can still see other processes, they just can’t ptrace them.
These are the obvious issues, but there are more obscure ones like TIOCSTI (kernel patch CONFIG_TIOCSTI_DISABLE to further restrict root CAP_SYS_ADMIN) or writing to /dev/tty*.
We can solve the /dev/tty* problem by only allowing root to write to ttys they’re the owner of.
There are probably some more ways root can compromise user applications/switch user accounts.
Also, these ways to compromise applications can be used to compromise apt, which is dangerous as apt has more permissions than the rest of the system.
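A check to go with the capability changes discussed above, added here as an example and not code from apparmor-profile-everything or from this post: it decodes the CapBnd line of /proc/PID/status and reports whether setuid, setgid and sys_ptrace are actually absent from a root process's bounding set, while only reporting sys_admin since the post narrows it (TIOCSTI) rather than removing it. The capability bit numbers are the constants from <linux/capability.h>; the two sample masks are constructed, not captured from a real system, and the script name cap-audit.sh is assumed.

```shell
#!/bin/sh
# Added example, not code from apparmor-profile-everything: decode a process's
# capability bounding set (the CapBnd line of /proc/PID/status) and report
# whether the capabilities proposed for removal from root are really gone.
# Bit numbers are the constants from <linux/capability.h>.
CAP_SETGID=6
CAP_SETUID=7
CAP_SYS_PTRACE=19
CAP_SYS_ADMIN=21

# cap_present HEXMASK BIT: succeeds when capability BIT is set in HEXMASK
cap_present() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# audit_mask HEXMASK: prints "<name> present|dropped" for each capability of
# interest; succeeds only when setgid, setuid and sys_ptrace are all dropped.
# sys_admin is reported but not required to be absent, since the post only
# narrows it (TIOCSTI) rather than removing it.
audit_mask() {
    audit_status=0
    for entry in setgid:$CAP_SETGID setuid:$CAP_SETUID \
                 sys_ptrace:$CAP_SYS_PTRACE sys_admin:$CAP_SYS_ADMIN; do
        name=${entry%%:*}
        bit=${entry##*:}
        if cap_present "$1" "$bit"; then
            echo "$name present"
            case $name in
                setgid|setuid|sys_ptrace) audit_status=1 ;;
            esac
        else
            echo "$name dropped"
        fi
    done
    return $audit_status
}

# audit_pid PID: audits a live process by reading its CapBnd line from /proc
audit_pid() {
    [ -r "/proc/$1/status" ] || return 2
    audit_mask "$(awk '/^CapBnd:/ { print $2 }' "/proc/$1/status")"
}

# Constructed sample masks (not taken from a real system):
#   FULL_ROOT holds every capability 0..40, i.e. an unconfined root shell
#   CONFINED is the same set with setgid (bit 6), setuid (bit 7) and
#   sys_ptrace (bit 19) cleared, which is what the profile should produce
FULL_ROOT=000001ffffffffff
CONFINED=000001fffff7ff3f

# Usage: sh cap-audit.sh [PID]; with no PID the constructed CONFINED mask is shown
if [ -n "${1-}" ]; then
    audit_pid "$1"
else
    audit_mask "$CONFINED"
fi
```

Run it against a shell confined by the profile (sh cap-audit.sh $$ from inside that shell) and it should print "dropped" for setgid, setuid and sys_ptrace and exit 0; a non-zero exit means the profile did not remove what the post intends. Because CapBnd is inherited across execve and can only shrink, a clean result for the shell carries over to everything it launches.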