AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy

madaidan via Whonix Forum:

Create systemd-shutdown profile and remove CAP_SYS_BOOT by madaidan · Pull Request #34 · Kicksecure/apparmor-profile-everything · GitHub

Merged.

Now at 23 capabilities.

Will Remove CAP_NET_ADMIN capability by madaidan · Pull Request #25 · Kicksecure/apparmor-profile-everything · GitHub get merged?

I didn’t manage yet to add Qubes compatibility. And then got distracted
by other things. Thanks for reminding me! :slight_smile:

apparmor-profile-everything does not work on Qubes at all anyhow. But
this would be another change which would make it hard to fix since it
would break networking. Should I merge changes which break Qubes for
certain?

1 Like

/var/lib/dkms and /var/lib/hardened-kernel - compilation happens there. Kernel / module related addresses / symbols / binaries might leak there? Could you add read access restrictions, please?

1 Like

Qubes will be broken either way so I think yes.

1 Like

madaidan via Whonix Forum:

Don't allow any changes to dkms or hardened-kernel by madaidan · Pull Request #35 · Kicksecure/apparmor-profile-everything · GitHub

Merged.

1 Like

madaidan via Whonix Forum:

Put remove-system.map permissions in its own profile by madaidan · Pull Request #36 · Kicksecure/apparmor-profile-everything · GitHub

Merged.

madaidan via Whonix Forum:

Qubes will be broken either way so I think yes.

Will merge.

Pretty sure . /etc/default/networking is not required. Untested.
/lib/systemd/system/networking.service already does
EnvironmentFile=-/etc/default/networking. Will remove.

Will rename etc/apparmor.d/sbin.networking to
etc/apparmor.d/sbin.networking-aae for consistency.

1 Like

madaidan via Whonix Forum:

Deny write access to hard drives by madaidan · Pull Request #37 · Kicksecure/apparmor-profile-everything · GitHub

Merged.

1 Like

https://forums.grsecurity.net/viewtopic.php?t=2574

There have been numerous ASLR holes due to /proc/[pid]/{,stat,maps,auxv} which we allow access to in apparmor-profile-everything. We should restrict these but test if it breaks anything.

1 Like

Denying access to /proc/[pid]/stat breaks a ton of stuff. We can probably fix that issue in another way (see how e.g. GRKERNSEC_PROC_MEMMAP fixes it).

I’m seeing some errors for /proc/[pid]/{,maps,auxv} but it doesn’t seem like anything major.

1 Like
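One way to judge that breakage per profile, as an added example that is not part of the thread or the apparmor-profile-everything repository: the script below summarises AppArmor DENIED audit events on /proc/[pid]/{stat,maps,auxv} by profile, run over constructed sample audit lines (the lines, pids and profile names are made up for illustration).

```shell
#!/bin/sh
# Added example, not code from the thread or the apparmor-profile-everything repo.
# After tightening /proc/[pid]/{stat,maps,auxv} rules, summarise which AppArmor
# profiles trip DENIED events on those files so breakage can be judged per profile.

# Constructed sample lines in AppArmor's audit format (values are illustrative).
SAMPLE_LOG='type=AVC msg=audit(1600000000.101:10): apparmor="DENIED" operation="open" profile="/usr/bin/apt" name="/proc/4242/maps" pid=4242 comm="apt" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1600000000.102:11): apparmor="DENIED" operation="open" profile="/usr/bin/ps" name="/proc/1/stat" pid=4300 comm="ps" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1600000000.103:12): apparmor="DENIED" operation="open" profile="/usr/bin/ps" name="/proc/2/stat" pid=4300 comm="ps" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1600000000.104:13): apparmor="ALLOWED" operation="open" profile="/usr/bin/top" name="/proc/3/stat" pid=4301 comm="top" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1600000000.105:14): apparmor="DENIED" operation="open" profile="/usr/bin/top" name="/etc/shadow" pid=4301 comm="top" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1600000000.106:15): apparmor="DENIED" operation="open" profile="/usr/lib/systemd/systemd" name="/proc/7/auxv" pid=1 comm="systemd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# proc_denials: read audit lines on stdin and print "profile file count" for every
# DENIED access to /proc/<pid>/{stat,maps,auxv}, noisiest profile first.
proc_denials() {
    awk '
        /apparmor="DENIED"/ {
            prof = ""; file = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^profile="/) { prof = $i; sub(/^profile="/, "", prof); sub(/"$/, "", prof) }
                if ($i ~ /^name="/)    { file = $i; sub(/^name="/, "", file); sub(/"$/, "", file) }
            }
            # keep only the ASLR-relevant /proc/[pid] files, collapsing the pid to [pid]
            if (file ~ /^\/proc\/[0-9]+\/(stat|maps|auxv)$/) {
                sub(/^\/proc\/[0-9]+\//, "/proc/[pid]/", file)
                count[prof " " file]++
            }
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1
}

# Wrapper over the constructed sample so the script runs stand-alone;
# on a real system feed journalctl or /var/log/audit/audit.log into proc_denials.
sample_proc_denials() {
    printf '%s\n' "$SAMPLE_LOG" | proc_denials
}

sample_proc_denials
```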

Rename networking to networking-aae by madaidan · Pull Request #38 · Kicksecure/apparmor-profile-everything · GitHub merged.

1 Like

https://openwall.info/wiki/p_lkrg/Protected_Features#Protected-Process-example

This could be used to further protect privileged processes like apt.

madaidan via Whonix Forum:

Historical formerly experimental Linux Kernel Runtime Guard (LKRG) features [Openwall Community Wiki]

This could be used to further protect privileged processes like apt.

It’s part of LKRG experimental branch. Not part of LKRG main branch.
LKRG experimental branch as far as I know was deprecated and LKRG upstream
wiki is outdated. If you like a more certain answer, please check in
LKRG source code or ask upstream LKRG.

1 Like

4 posts were split to a new topic: risks of writing to /dev/random, crediting entropy, RNDADDENTROPY related to untrusted root

1 Like