AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy

No, I meant in apparmor-profile-everything/etc/initramfs-tools/scripts/init-bottom/apparmor-profile-everything at master · Kicksecure/apparmor-profile-everything · GitHub

securityfs is mounted with nosuid, nodev and noexec by default but apparmor-profile-everything would prevent that as we are mounting it ourselves in the initramfs.


Should we further enforce “user account separation” with this?

Currently, apparmor-profile-everything doesn’t allow root to snoop in users’ home directories but that does nothing to stop root from switching to those users then accessing their files.

To do this, we’d need to remove the CAP_SETUID and CAP_SETGID capabilities (and create a sudo profile so sudo still works). We’d need to prevent root from trying to crack or change the user’s password so we’d need to block access to files like /etc/shadow.

But then, root can still compromise user applications, so we need to remove CAP_SYS_PTRACE to prevent root from modifying other processes. Or we can just further restrict apparmor’s ptrace rules, but then root can still see other processes; they just can’t ptrace them.

These are the obvious issues but there are more obscure ones like TIOCSTI (kernel patch CONFIG_TIOCSTI_DISABLE to further restrict root CAP_SYS_ADMIN) or writing to /dev/tty*.

We can solve the /dev/tty* problem by only allowing root to write to ttys they own.

There are probably some more ways root can compromise user applications/switch user accounts.

Also, these ways to compromise applications can also be used to compromise apt which is dangerous as apt has more permissions than the rest of the system.

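As an added illustration for this thread (not code from apparmor-profile-everything or from the post above), the restrictions proposed there can be written as AppArmor rules like the following. The profile name root-separated and the transition target sudo are assumed names; the sudo profile shows only the identity-changing permissions the post talks about, with its PAM and target-command rules left out.

```apparmor
# Added illustration, not a profile shipped by apparmor-profile-everything.
# "root-separated" and the transition target "sudo" are assumed names.
# The rules map onto the post: no identity switching, no access to the
# password database, no ptrace of other processes, tty writes only where
# root is the owner.

#include <tunables/global>

profile root-separated flags=(attach_disconnected) {
  #include <abstractions/base>

  # No switching to another account from root. A deny rule wins over any
  # allow rule that might grant these capabilities elsewhere in the profile.
  deny capability setuid,
  deny capability setgid,

  # sudo stays the one sanctioned way to change identity: it transitions
  # into its own profile (below), which holds the capabilities denied here.
  /usr/bin/sudo Px -> sudo,

  # Root must not read, replace or crack users' password hashes.
  audit deny /etc/shadow rwkl,
  audit deny /etc/gshadow rwkl,

  # Root must not attach to or inject into other processes. ptrace is only
  # permitted between tasks confined by this same profile; anything else
  # is not granted and therefore refused in enforce mode.
  deny capability sys_ptrace,
  ptrace (read, readby, trace, tracedby) peer=root-separated,

  # No snooping in users' home directories.
  deny /home/*/ rw,
  deny /home/*/** rw,

  # Terminals: write only to ttys root itself owns, so root cannot push
  # data into another user's session. /dev/tty* access that does not match
  # the owner condition is simply not granted.
  owner /dev/tty[0-9]* rw,
  owner /dev/pts/[0-9]* rw,

  # TIOCSTI is an ioctl, which AppArmor file rules cannot filter; the post
  # points at the kernel side (CONFIG_TIOCSTI_DISABLE / CAP_SYS_ADMIN) for it.
}

# Only sudo gets to change uid/gid. PAM, the executing of the target
# command and the rest of sudo's needs are not part of this illustration.
profile sudo /usr/bin/sudo {
  #include <abstractions/base>

  capability setuid,
  capability setgid,

  /etc/sudoers r,
  /etc/sudoers.d/ r,
  /etc/sudoers.d/* r,
}
```

Because deny rules take precedence over allow rules in AppArmor, the capability denials above hold even if a broad allow rule (such as the blanket grants an init profile needs) appears elsewhere in the same profile; the sudo transition is what keeps privilege escalation usable for the administrator.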

madaidan via Whonix Forum:

Deny writing to ld.so.preload by madaidan · Pull Request #11 · Kicksecure/apparmor-profile-everything · GitHub

Merged. And added on top:


My first guess was “no, don’t bother, root should beat user”. But then we’re not only talking about user “user” but also user “apt”.

This is a strong argument. If root can set a break point and inject arbitrary code into processes such as APT, it is game over.


apparmor-profile-everything is another reason to set this. During boot, a lot of apparmor messages are displayed on the console, which slows down boot a large amount. We can probably set it in the initramfs so stuff before systemd-sysctl gets hidden too.


Just did this. It’s crazy how fast boot speed improves. We should definitely add this. Maybe we should add an initramfs hook to security-misc to set this in early boot.


We can add the grub menus once we figure that out. I need this in order to make further modifications to init-systemd (as the main profile gets deleted and moved to an abstraction).


Restricting mounting is far harder than it seems. Sandboxes need to use mount to create the filesystem within the sandbox. Many system services are sandboxed by default. This causes a lot of systemd services to fail and I don’t know how to fix this without disabling the sandbox.


Let’s try to fix the root cause.
https://github.com/Whonix/grub-output-verbose could be the cause. Try removing it.

sudo apt purge grub-output-verbose

make sure /etc/default/grub.d/30_output_verbose.cfg is gone.

sudo update-grub

That should remove verbose boot kernel options? Speeds up boot?


Allow systemd to use mount unrestricted but prohibit everyone else except exceptions such as for remount-secure?


Doesn’t work. The console is still spammed with apparmor messages after removing that package.

The systemd profile is the everyone else profile. I do want to move away from that though and split up init-systemd to an init-only profile and everything else into a more restrictive profile. Maybe via something like

/usr/bin/** px -> confined_app,

Also:


madaidan via Whonix Forum:

Boot modes by madaidan · Pull Request #12 · Kicksecure/apparmor-profile-everything · GitHub

Merged.

We can add the grub menus once we figure that out.

grub boot menu entries are probably already sorted out. See:

But untested. What is not done yet is “warn against superroot”. Did not get to that yet. But that can be done any time later. See it this way. First, there wasn’t any root/superroot separation / boot modes. Now there is. To educate against superroot is just a further detail enhancement.


I tried removing access to logs but it didn’t work. Removing read access to /var/log/** caused XFCE to fail to start which I cannot debug due to no logs.

I couldn’t restrict just dmesg either. It doesn’t seem to read stuff from a file but uses some kernel magic to get the logs.

I did manage to restrict journalctl though which might be useful although its usefulness would be very limited due to the tons of other info in /var/log/.


Should /etc/apparmor/ (not the same as apparmor.d) and /var/cache/apparmor/ be protected by dangerous-files?

Dunno if they pose much of a risk. Or, we can just add:

deny /**/apparmor/ rw,
deny /**/apparmor/** rw,

We might also want to change our apt/dpkg protections to:

deny /**/apt/ rw,
deny /**/apt/** rw,
deny /**/dpkg/ rw,
deny /**/dpkg/** rw,

Instead of selecting just a few folders.


Superroot is allowed to change them.


The following is non-ideal.

# Mount securityfs so apparmor_parser can reach /sys/kernel/security/apparmor.
mount -t securityfs -o nosuid,nodev,noexec securityfs /sys/kernel/security

# Preload a placeholder profile for systemd-sysctl.
echo "profile systemd-sysctl /lib/systemd/systemd-sysctl {}" | /sbin/apparmor_parser -a

# Pick the init-systemd profile according to the boot mode on the kernel command line.
if grep -q "noape" /proc/cmdline; then
  echo "apparmor-profile-everything has been disabled via the boot parameter."
  exit
elif grep -q "superroot" /proc/cmdline; then
  echo "profile init-systemd-superroot /lib/systemd/systemd flags=(complain) {}" | /sbin/apparmor_parser -a
elif grep -q "aadebug" /proc/cmdline; then
  echo "profile init-systemd-debug /lib/systemd/systemd flags=(complain) {}" | /sbin/apparmor_parser -a
else
  echo "profile init-systemd /lib/systemd/systemd flags=(complain) {}" | /sbin/apparmor_parser -a
fi

This is because it does things (mount securityfs, systemd-sysctl) even if noape kernel parameter is set.

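The ordering problem described in the post above (securityfs is mounted and systemd-sysctl is preloaded before noape is consulted) goes away if the command line is parsed first and the side effects happen only afterwards. The following is an added example written for this thread, not the project's init-bottom script. The mode names (noape, superroot, aadebug), the profile names and the paths are copied from the posted script; the function names and the APE_MAIN guard are assumptions. It also matches whole parameters rather than substrings, so a parameter such as foo=noapex does not switch the mode the way a plain grep "noape" would.

```shell
#!/bin/sh
# Added example (not the apparmor-profile-everything initramfs script).
# Decide the boot mode first, touch securityfs and apparmor_parser last.

# Print the boot mode for a kernel command line given as one string.
# Precedence mirrors the posted script: noape > superroot > aadebug > default.
# Parameters are compared as whole words; "foo=noapex" is not "noape".
ape_boot_mode() {
    cmdline=$1
    mode=default
    # Word splitting on $cmdline is intended: one parameter per word.
    for param in $cmdline; do
        case $param in
            noape)
                echo noape
                return 0
                ;;
            superroot)
                mode=superroot
                ;;
            aadebug)
                if [ "$mode" = default ]; then
                    mode=aadebug
                fi
                ;;
        esac
    done
    echo "$mode"
}

# Map a mode to the systemd profile to preload; empty means load nothing.
ape_profile_for_mode() {
    case $1 in
        noape)     echo "" ;;
        superroot) echo init-systemd-superroot ;;
        aadebug)   echo init-systemd-debug ;;
        *)         echo init-systemd ;;
    esac
}

# The actual early-boot work. Needs root and a real initramfs environment,
# so it only runs when APE_MAIN=1 is set (assumed guard, not a project flag).
ape_main() {
    mode=$(ape_boot_mode "$(cat /proc/cmdline)")
    if [ "$mode" = noape ]; then
        echo "apparmor-profile-everything has been disabled via the boot parameter."
        return 0
    fi

    # Only now do the things the profiles need: securityfs for apparmor_parser,
    # then the placeholder systemd-sysctl profile, then the chosen init profile.
    mount -t securityfs -o nosuid,nodev,noexec securityfs /sys/kernel/security
    echo "profile systemd-sysctl /lib/systemd/systemd-sysctl {}" | /sbin/apparmor_parser -a

    profile=$(ape_profile_for_mode "$mode")
    echo "profile $profile /lib/systemd/systemd flags=(complain) {}" | /sbin/apparmor_parser -a
}

if [ "${APE_MAIN:-0}" = 1 ]; then
    ape_main
fi
```

Run with APE_MAIN=1 from the initramfs hook; without it the file only defines the functions, which makes the mode selection easy to exercise on a workstation with constructed command lines before it is trusted in early boot.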