AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy

/var/lib/dpkg/info/** rwpix,

Write access to dpkg, maintainer, postinst scripts?

Some folders are not addressed yet, such as /etc/dpkg/dpkg.cfg.d and others listed in this post: AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy - #17 by Patrick?

1 Like

I added the licensing.

Write access is given anyway with the /var/{,lib,log}/** rw, rule.

Feel free to add them to the dangerous-files abstraction.

Btw, some rules in that abstraction break some apt upgrades e.g. deny /**/initramfs-tools/** w, breaks adding new files to that directory during upgrades so it’s commented out in the apt profile.

1 Like

Can I rename etc/initramfs-tools/hooks/apparmor to apparmor-profile-everything? Reason: the name “apparmor” might be used by some other package (apparmor?) in the future and thereby break things. apparmor-profile-everything is more unique and very, very unlikely to be used by anyone else in the future.

1 Like

Sure, that’s a good idea.

I doubt many packages would be using initramfs hooks for apparmor though.

You should also rename etc/initramfs-tools/scripts/init-bottom/apparmor

1 Like

Merged. Done. Notable changes:

1 Like

This is now all in the developers repository. Qubes test results:

whonixcheck VM detection broken.

ERROR: Virtualizer /usr/lib/security-misc/permission-lockdown failed: caught signal 11 xen /usr/lib/security-misc/permission-lockdown failed: caught signal 11 unsupported by Whonix developers! Whonixcheck aborted! (qubes_detected: true)

host audit[4565]: AVC apparmor="DENIED" operation="file_mmap" profile="/usr/lib/security-misc/permission-lockdown" name="/usr/bin/bash" pid=4565 comm="permission-lock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

1 Like

/{,usr/,usr/local/}{,s}bin/** rmpix, should fix that.

I’m not sure if we need to give everyone the m permission so maybe try

owner /{,usr/,usr/local/}{,s}bin/** rmpix,

which restricts the m permission to the owner of the file.

1 Like
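The path globs in the rules discussed above (/var/lib/dpkg/info/** rwpix, the proposed /{,usr/,usr/local/}{,s}bin/** rmpix, with and without owner, and the deny /**/initramfs-tools/** w, that broke upgrades) are easy to misjudge by eye. The following is an added example, not code from this thread or from the apparmor-profile-everything project: it expands the brace alternations, turns each glob into a regex, and reports whether a rule matches a concrete path and grants a requested permission set. The glob translation (a `*` or `**` that fills a whole path component must match at least one character, `*` never crosses `/`) is my reading of apparmor_parser's behaviour and is an assumption; the owner check reuses the fsuid/ouid fields that an AVC denial reports.

```python
"""Check which paths and permissions an AppArmor file rule covers (added example)."""
import re

# [deny] [owner] <glob> <perms>,   -- the file-rule shape used throughout the thread
RULE_RE = re.compile(
    r"^\s*(?P<deny>deny\s+)?(?P<owner>owner\s+)?(?P<path>\S+)\s+(?P<perms>[A-Za-z]+)\s*,\s*$"
)


def expand_braces(pattern):
    """Expand '{a,b,c}' alternations (innermost first) into concrete patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[: m.start()], pattern[m.end():]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(expand_braces(head + alt + tail))
    return expanded


def glob_to_regex(glob):
    """Translate one brace-free AppArmor path glob into an anchored regex.

    '*' matches any run of characters except '/', '**' also crosses '/'.
    Assumption (my reading of apparmor_parser): a '*' or '**' that fills a
    whole path component, or the tail of the path, must match at least one
    character, so '/var/**' does not match '/var/' itself.
    """
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            width = 2 if glob[i : i + 2] == "**" else 1
            whole_component = (i == 0 or glob[i - 1] == "/") and (
                i + width == len(glob) or glob[i + width] == "/"
            )
            if width == 2:
                out.append("[^/].*" if whole_component else ".*")
            else:
                out.append("[^/]+" if whole_component else "[^/]*")
            i += width
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[":  # character class, copied through unchanged
            j = glob.index("]", i)
            out.append(glob[i : j + 1])
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "^" + "".join(out) + "$"


def parse_rule(rule):
    """Parse a file rule into its parts plus one compiled matcher per expansion."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"not a file rule: {rule!r}")
    return {
        "deny": bool(m["deny"]),
        "owner": bool(m["owner"]),
        "path": m["path"],
        # exec modes (ix, px, pix, ...) are kept as plain letters: this answers
        # "does the rule mention this permission", not which profile an exec enters
        "perms": set(m["perms"]),
        "matchers": [re.compile(glob_to_regex(g)) for g in expand_braces(m["path"])],
    }


def rule_matches(rule, path):
    """True if the rule's glob matches path (regardless of permissions or deny)."""
    return any(r.match(path) for r in rule["matchers"])


def rule_covers(rule, path, requested_mask, fsuid=0, ouid=0):
    """True if this allow rule grants every bit of requested_mask on path.

    'owner' rules only apply when the task's fsuid equals the file's owner
    uid, the same two values an AVC denial prints as fsuid= and ouid=.
    """
    if rule["deny"] or (rule["owner"] and fsuid != ouid):
        return False
    return rule_matches(rule, path) and set(requested_mask) <= rule["perms"]


if __name__ == "__main__":
    checks = [  # (rule, path, requested mask, fsuid, ouid) -- constructed inputs
        ("/var/lib/dpkg/info/** rwpix,", "/var/lib/dpkg/info/foo.postinst", "wx", 0, 0),
        ("/{,usr/,usr/local/}{,s}bin/** rmpix,", "/usr/bin/bash", "rm", 0, 0),
        ("owner /{,usr/,usr/local/}{,s}bin/** rmpix,", "/usr/bin/bash", "m", 1000, 0),
    ]
    for rule, path, mask, fsuid, ouid in checks:
        ok = rule_covers(parse_rule(rule), path, mask, fsuid, ouid)
        print(f"{rule:45} {path:34} {mask:3} -> {'covers' if ok else 'does NOT cover'}")
    deny = parse_rule("deny /**/initramfs-tools/** w,")
    print("deny rule matches new hook file:", rule_matches(deny, "/etc/initramfs-tools/hooks/new"))
```

The last line is the upgrade breakage from earlier in the thread: the deny glob matches any new file under an initramfs-tools directory, and in AppArmor a deny rule wins over any allow rule for the same path, so no added allow rule can work around it.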

The apparmor issue is happening without apparmor-profile-everything. I haven’t tested that yet at all. Only the new security-misc apparmor profiles.

1 Like
1 Like

Still not using apparmor-profile-everything. bootclockrandomization apparmor issues.

Oct 31 16:45:00 host start[547]: /usr/share/bootclockrandomization/shared: line 87: /usr/bin/date: Permission denied
Oct 31 16:45:00 host start[547]: /usr/share/bootclockrandomization/shared: line 23: /usr/bin/touch: Permission denied
Oct 31 16:45:00 host start[547]: /usr/share/bootclockrandomization/shared: line 23: /usr/bin/touch: Permission denied
1 Like

Fixed.

1 Like

How do we get rid of the init-systemd//null-/ profiles?

If you look at aa-status, you see there’s a bunch of them. These are problematic as the ptrace and signal restrictions only apply to the init-systemd profile and not the init-systemd//null-/ profiles so I get a bunch of errors.

I did add ptrace and signal rules for some of those profiles but I keep getting more errors so I want to find the cause of these profiles and fix it.

haveged.service, onion-grater.service, proc-hidepid.service and kloak.service are failing for some reason. I can’t figure out why. onion-grater, haveged and kloak even have their own apparmor profiles that should suit them.

1 Like

These hats are the result of a profile in complain mode. They will accumulate, but you can clear them with a restart. Once the profile is in enforce mode, they will stop being created.

I think the issue might be in apparmor-profile-everything/etc/initramfs-tools/scripts/init-bottom/apparmor-profile-everything at master · Kicksecure/apparmor-profile-everything · GitHub

echo "profile init-systemd /lib/systemd/systemd flags=(complain) {}" | /sbin/apparmor_parser -a

It uses the “complain” flag. Everything I’ve tried to get rid of this has resulted in a kernel panic or not everything being confined.

1 Like

Continuing to eat my dog food since I’m the only tester. I get this harmless error whenever typing any command in the terminal. It doesn’t seem relevant to anything I do, but it is annoying and probably alarming to noobs:

sudo su
mkdir: cannot create directory '/var/cache/security-misc': Permission denied
/usr/lib/security-misc/permission-lockdown: chmod o-rwx "/home/user"
touch: cannot touch '/var/cache/security-misc/state-files/user': No such file or directory
3 Likes

This commit might fix it. Untested.

2 Likes

Nov 10 08:25:16 work sudo[4183]: user : TTY=pts/1 ; PWD=/home/user/sourcesother/lkrg-0.7 ; USER=root ; COMMAND=/bin/cat
Nov 10 08:25:16 work sudo[4183]: pam_unix(sudo:session): session opened for user root by user(uid=0)
Nov 10 08:25:16 work sudo[4184]: pam_exec(sudo:session): Calling /usr/lib/security-misc/permission-lockdown …
Nov 10 08:25:16 work audit[4184]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4184 comm="permission-lock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work audit[4185]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4185 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work audit[4186]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4186 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work kernel: kauditd_printk_skb: 16 callbacks suppressed
Nov 10 08:25:16 work kernel: audit: type=1400 audit(1573392316.336:146): apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4184 comm="permission-lock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work kernel: audit: type=1400 audit(1573392316.336:147): apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4185 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work kernel: audit: type=1400 audit(1573392316.336:148): apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4186 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work audit[4187]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4187 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work audit[4188]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4188 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work audit[4189]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4189 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work kernel: audit: type=1400 audit(1573392316.340:149): apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4187 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work kernel: audit: type=1400 audit(1573392316.340:150): apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4188 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work kernel: audit: type=1400 audit(1573392316.340:151): apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4189 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work audit[4190]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4190 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work audit[4191]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4191 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work audit[4192]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4192 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work audit[4193]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4193 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work kernel: audit: type=1400 audit(1573392316.344:152): apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4190 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work kernel: audit: type=1400 audit(1573392316.344:153): apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4191 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work kernel: audit: type=1400 audit(1573392316.344:154): apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4192 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work kernel: audit: type=1400 audit(1573392316.344:155): apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4193 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work audit[4194]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4194 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work audit[4195]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4195 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work audit[4196]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4196 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

1 Like
2 Likes
2 Likes

The base abstraction isn’t needed if it’s just a few files causing errors. Just add those files to it.

I never added it as it might cause conflicts with the /usr/lib/security-misc/permission-lockdown rule in usr.lib.security-misc.permission-lockdown and the /usr/lib/security-misc/permission-lockdown rule in the base abstraction.

1 Like
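The journal excerpt above shows every denial twice (once as the auditd AVC line, once as the kernel audit: type=1400 line for the same pid) and many times over for the same path, which is what makes "just add those files" hard to do by eye. The following is an added example, not code from this thread or from the security-misc project: it parses both line forms, drops the duplicate kernel copy, ignores complain-mode ALLOWED lines, groups what remains by profile and path, and prints a candidate rule per path for the profile author to review. The sample log is constructed in the same format as the lines above; the owner suggestion (only when every hit had fsuid == ouid) and the rule letters it emits are my choices, and the exec mode it picks (ix) is a placeholder the author must decide deliberately.

```python
"""Triage AppArmor denials from journal/audit output (added example)."""
import re

# One regex covers both the 'audit[pid]: AVC apparmor=...' form and the
# 'kernel: audit: type=1400 audit(...): apparmor=...' form, since the fields
# after apparmor= are identical in both.
AVC_RE = re.compile(
    r'apparmor="(?P<status>[A-Z]+)"\s+operation="(?P<op>[^"]+)"\s+'
    r'profile="(?P<profile>[^"]+)"\s+name="(?P<name>[^"]+)"\s+pid=(?P<pid>\d+)\s+'
    r'comm="(?P<comm>[^"]+)"\s+requested_mask="(?P<requested>[^"]+)"\s+'
    r'denied_mask="(?P<denied>[^"]+)"\s+fsuid=(?P<fsuid>\d+)\s+ouid=(?P<ouid>\d+)'
)

# denied_mask bits -> file rule permission letter (a, c and d are flavours of write)
MASK_TO_PERM = {"r": "r", "w": "w", "a": "w", "c": "w", "d": "w",
                "m": "m", "k": "k", "l": "l", "x": "x"}

# Constructed sample in the format of the thread's journal output.
SAMPLE_LOG = """\
Nov 10 08:25:16 work audit[4184]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4184 comm="permission-lock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work audit[4185]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4185 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work kernel: audit: type=1400 audit(1573392316.336:146): apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4184 comm="permission-lock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work kernel: audit: type=1400 audit(1573392316.336:147): apparmor="DENIED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/ld.so.preload" pid=4185 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work audit[4565]: AVC apparmor="DENIED" operation="file_mmap" profile="/usr/lib/security-misc/permission-lockdown" name="/usr/bin/bash" pid=4565 comm="permission-lock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 08:25:16 work audit[4566]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/security-misc/permission-lockdown" name="/etc/passwd" pid=4566 comm="basename" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""


def parse_denials(lines):
    """Return one record per distinct DENIED event, in first-seen order.

    The kernel ring-buffer copy of an event shares pid, operation, path and
    denied mask with the auditd copy, so that tuple is used as the dedup key.
    """
    seen, records = set(), []
    for line in lines:
        m = AVC_RE.search(line)
        if not m or m["status"] != "DENIED":  # complain-mode lines say ALLOWED
            continue
        rec = m.groupdict()
        rec["fsuid"], rec["ouid"] = int(rec["fsuid"]), int(rec["ouid"])
        key = (rec["pid"], rec["op"], rec["name"], rec["denied"])
        if key in seen:
            continue
        seen.add(key)
        records.append(rec)
    return records


def summarize(records):
    """Group denials by (profile, path): union of denied bits, hit count, the
    commands involved, and whether every hit had fsuid == ouid (in which case
    an 'owner' qualified rule would have been enough)."""
    groups = {}
    for rec in records:
        g = groups.setdefault((rec["profile"], rec["name"]),
                              {"mask": set(), "hits": 0, "comms": set(), "owner_ok": True})
        g["mask"].update(rec["denied"])
        g["hits"] += 1
        g["comms"].add(rec["comm"])
        g["owner_ok"] = g["owner_ok"] and rec["fsuid"] == rec["ouid"]
    return groups


def suggest_rule(name, mask, owner=False):
    """Candidate file rule for a denied path. A bare 'x' is not valid in a rule,
    so 'x' is emitted as 'ix' (inherit) purely as a placeholder to be reviewed."""
    perms = {MASK_TO_PERM[b] for b in mask if b in MASK_TO_PERM}
    letters = "".join(p for p in "rwmkl" if p in perms) + ("ix" if "x" in perms else "")
    return f"{'owner ' if owner else ''}{name} {letters},"


if __name__ == "__main__":
    for (profile, name), g in summarize(parse_denials(SAMPLE_LOG.splitlines())).items():
        print(f"{profile}: {name} denied {''.join(sorted(g['mask']))} "
              f"x{g['hits']} by {', '.join(sorted(g['comms']))}")
        print("   candidate:", suggest_rule(name, g["mask"], g["owner_ok"]))
```

Run over the sample it collapses six lines to two paths, /etc/ld.so.preload (read, two distinct processes) and /usr/bin/bash (mmap-for-read), which is the shape of list the reply above has in mind: a handful of concrete file rules for the profile rather than pulling in the whole base abstraction.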