AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy

The issue was closed and he said:

I’d recommend just linking those programs against it. I don’t want to add this.

Linking programs against it is something that is done at compile time AFAIK which isn’t a viable solution for most apps so we can’t have both environment scrubbing and hardened_malloc. Unless we add it to /etc/ld.so.preload and use hardened_malloc globally (with exceptions added for broken programs).

1 Like

Add a way to whitelist variables from environment scrubbing (#66) · Issues · AppArmor / apparmor · GitLab

getting worse news. (Bold added by me.)

John Johansen commented:

So, not that @setharnold is wrong: current environment scrubbing is handled by the loader as Seth described, and it is entirely insufficient.

However there are indeed plans for apparmor to pick up environment variable scrubbing. It can be done in the kernel, and we actually have a basic prototype for it but it isn’t a prioritized work item and there is still a lot of work to do before it can land.

1 Like

Could you fix these please?

user@host:~$ sudo journalctl -b | grep -i denied
Nov 25 14:04:40 host audit[1533]: AVC apparmor="DENIED" operation="link" info="link not subset of target" error=-13 profile="/usr/bin/apt-get" name="/usr/lib/security-misc/pam_tally2-info.dpkg-tmp" pid=1533 comm="dpkg" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/security-misc/pam_tally2-info"
Nov 25 14:04:40 host kernel: audit: type=1400 audit(1574690680.014:19): apparmor="DENIED" operation="link" info="link not subset of target" error=-13 profile="/usr/bin/apt-get" name="/usr/lib/security-misc/pam_tally2-info.dpkg-tmp" pid=1533 comm="dpkg" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/security-misc/pam_tally2-info"
Nov 25 14:04:44 host audit[1830]: AVC apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=1830 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 25 14:04:44 host kernel: audit: type=1400 audit(1574690684.266:20): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=1830 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 25 14:04:44 host kernel: audit: type=1400 audit(1574690684.266:21): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=1830 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 25 14:04:44 host kernel: audit: type=1400 audit(1574690684.266:22): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=1830 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 25 14:04:44 host kernel: audit: type=1400 audit(1574690684.266:23): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=1830 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 25 14:04:44 host audit[1830]: AVC apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=1830 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 25 14:04:44 host audit[1830]: AVC apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=1830 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 25 14:04:44 host audit[1830]: AVC apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=1830 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 25 14:04:47 host audit[2295]: AVC apparmor="DENIED" operation="capable" profile="/usr/bin/apt-get" pid=2295 comm="(sd-askpwagent)" capability=24 capname="sys_resource"
Nov 25 14:04:47 host kernel: audit: type=1400 audit(1574690687.514:24): apparmor="DENIED" operation="capable" profile="/usr/bin/apt-get" pid=2295 comm="(sd-askpwagent)" capability=24 capname="sys_resource"


user@host:~$ sudo journalctl -b | grep -i denied
Nov 25 14:06:43 host audit[1549]: AVC apparmor="DENIED" operation="link" info="link not subset of target" error=-13 profile="/usr/bin/apt-get" name="/usr/lib/security-misc/pam_tally2-info.dpkg-tmp" pid=1549 comm="dpkg" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/security-misc/pam_tally2-info"
Nov 25 14:06:45 host audit[1837]: AVC apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=1837 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 25 14:06:45 host audit[1837]: AVC apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=1837 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 25 14:06:45 host audit[1837]: AVC apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=1837 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 25 14:06:45 host audit[1837]: AVC apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=1837 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 25 14:06:48 host audit[2300]: AVC apparmor="DENIED" operation="capable" profile="/usr/bin/apt-get" pid=2300 comm="(sd-askpwagent)" capability=24 capname="sys_resource"

1 Like

Seems very unlikely.

Users could boot into admin mode (without apparmor-profile-everything) and configure /etc/ld.so.preload?

We could allow root to run a yet to be invented script which copies a file /etc/ld.so.preload_template to /etc/ld.so.preload.

/etc/ld.so.preload_template would have the following contents:

/usr/lib/libhardened_malloc.so/libhardened_malloc.so

That way while apparmor-profile-everything is enabled, root could enable hardened malloc but not configure an arbitrary (malicious) /etc/ld.so.preload?

1 Like
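One shape the "yet to be invented script" above could take, as an added example and not a Whonix/Kicksecure script: a Python installer that copies a fixed template into /etc/ld.so.preload only after checking that the template and every library it names are regular files, owned by the expected uid, not writable by group or others and, optionally, on an allow-list, and then writes the destination atomically. The template path, destination, allow-list and owner uid are parameters (assumptions of this example, not of the thread), and demo() runs the whole flow against constructed files in a scratch directory, including a tampered template that must be refused without touching the installed file.

```python
"""Install /etc/ld.so.preload from a fixed template, as proposed above.

Added example; it is not a Whonix/Kicksecure script.  The proposal is that a
root confined by apparmor-profile-everything may run one vetted script that
copies /etc/ld.so.preload_template into place but may not write
/etc/ld.so.preload itself.  Such a script should still refuse a template that
has been tampered with, so this one checks the template and each library it
names before writing the result atomically.  Paths are parameters so the
logic can be exercised in a scratch directory; demo() does that.
"""
import os
import stat
import tempfile


def _reject_if_writable_by_others(path, st):
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise ValueError(f"{path}: writable by group or others")


def validate_template(template_path, allowed=None, owner_uid=0):
    """Return the library paths the template names, or raise ValueError.

    The template must be a regular file (not a symlink) owned by owner_uid and
    not writable by others; each non-empty line must be one absolute path to an
    existing regular file and, when `allowed` is given, a member of that set, so
    an edited template cannot preload arbitrary code into every process.
    """
    st = os.lstat(template_path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{template_path}: not a regular file")
    if st.st_uid != owner_uid:
        raise ValueError(f"{template_path}: owned by uid {st.st_uid}, expected {owner_uid}")
    _reject_if_writable_by_others(template_path, st)

    libs = []
    with open(template_path, encoding="ascii") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line:
                continue
            if not line.startswith("/") or any(c.isspace() for c in line):
                raise ValueError(f"{template_path}:{lineno}: expected one absolute path, got {line!r}")
            if allowed is not None and line not in allowed:
                raise ValueError(f"{template_path}:{lineno}: {line} is not an allowed preload library")
            lib_st = os.stat(line)  # follows symlinks, as the loader will
            if not stat.S_ISREG(lib_st.st_mode):
                raise ValueError(f"{line}: not a regular file")
            _reject_if_writable_by_others(line, lib_st)
            libs.append(line)
    return libs


def install_preload(template_path, dest_path, allowed=None, owner_uid=0):
    """Validate the template and atomically replace dest_path with its contents."""
    libs = validate_template(template_path, allowed, owner_uid)
    dest_dir = os.path.dirname(dest_path) or "."
    fd, tmp = tempfile.mkstemp(prefix=".ld.so.preload.", dir=dest_dir)
    try:
        with os.fdopen(fd, "w", encoding="ascii") as fh:
            fh.write("".join(lib + "\n" for lib in libs))
        os.chmod(tmp, 0o644)          # ld.so must be able to read it from any uid
        os.replace(tmp, dest_path)    # atomic: no process ever sees a half-written file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return libs


def demo():
    """Run the installer against constructed files in a scratch directory (no root needed)."""
    root = tempfile.mkdtemp(prefix="preload-demo-")
    me = os.getuid()
    lib = os.path.join(root, "libhardened_malloc.so")  # stands in for the real library
    with open(lib, "w") as fh:
        fh.write("stand-in for an ELF shared object\n")
    os.chmod(lib, 0o644)
    template = os.path.join(root, "ld.so.preload_template")
    with open(template, "w") as fh:
        fh.write(lib + "\n")
    os.chmod(template, 0o644)
    dest = os.path.join(root, "ld.so.preload")

    result = {"installed": install_preload(template, dest, allowed={lib}, owner_uid=me)}
    with open(dest) as fh:
        result["dest_contents"] = fh.read()

    # A template naming a library outside the allow-list must be refused
    # and must leave the installed file untouched.
    bad = os.path.join(root, "tampered_template")
    with open(bad, "w") as fh:
        fh.write("/tmp/evil.so\n")
    os.chmod(bad, 0o644)
    try:
        install_preload(bad, dest, allowed={lib}, owner_uid=me)
        result["tampered_refused"] = False
    except ValueError:
        result["tampered_refused"] = True
    with open(dest) as fh:
        result["dest_unchanged"] = fh.read() == lib + "\n"
    return result


if __name__ == "__main__":
    print(demo())
```

On a real system the script would be called with the template under /etc, /etc/ld.so.preload as destination and owner_uid=0; the AppArmor profile then only has to grant that one script write access to /etc/ld.so.preload rather than granting it to root at large.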

Yes, but we should rely on booting without apparmor as little as possible.

That sounds like a good idea.

2 Likes

Thanks, merged. :slight_smile:

2 Likes

sudo journalctl -b | grep -i denied
Dec 06 15:35:06 host audit[1538]: AVC apparmor="DENIED" operation="link" info="link not subset of target" error=-13 profile="/usr/bin/apt-get" name="/usr/lib/security-misc/pam_tally2-info.dpkg-tmp" pid=1538 comm="dpkg" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/security-misc/pam_tally2-info"
Dec 06 15:35:06 host kernel: audit: type=1400 audit(1575646506.818:19): apparmor="DENIED" operation="link" info="link not subset of target" error=-13 profile="/usr/bin/apt-get" name="/usr/lib/security-misc/pam_tally2-info.dpkg-tmp" pid=1538 comm="dpkg" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/security-misc/pam_tally2-info"

Could you fix this one please?

1 Like

I’m not sure what the issue is. Apt already has access to all of /usr/lib.

It just can’t lock (the k permission) files it isn’t an owner of. Maybe try adding the k permission to line 51.

1 Like

We should look into pam_apparmor. From what I can see, it allows us to give specific users their own apparmor profile. So, as soon as the user "user" logs in, we can make them switch to their own, more restrictive profile.

1 Like

I could work on pam integration. Package? apparmor-profile-everything?

1 Like

Done in git master. That didn’t fix it. This issue is only happening when upgrading package security-misc. Cannot reproduce with sudo apt install --reinstall security-misc. Can only reproduce through sudo apt dist-upgrade when there is an upgrade for security-misc.

To reproduce could you please download a version of security-misc?
(This is required because apt cannot write to user home.)

cd /tmp
apt download security-misc

Maybe move to home folder.

Then produce a newer version. Or I produce a newer version. Then downgrade / upgrade among them? Not yet tested. Can apt install from file? I usually used dpkg. But perhaps for debugging we’ll just make the APT profile match DPKG?

Are you sure that line

/{,usr/,usr/local/}lib{,32,64}/** rwmixlk,

matches

/usr/lib/security-misc/pam_tally2-info.dpkg-tmp

?

apparmor="DENIED" operation="link" info="link not subset of target" error=-13 profile="/usr/bin/apt-get" name="/usr/lib/security-misc/pam_tally2-info.dpkg-tmp" pid=1523 comm="dpkg" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/security-misc/pam_tally2-info"

Trying to wrap my head around it. I always got confused by AppArmor. Maybe now it’s time to ask.

profile=“/usr/bin/apt-get”

Alright so it can only be fixed in that profile. That’s the profile causing the error.

operation=“link”

Why operation link?

info=“link not subset of target”

Does looking at the apparmor source around that link help?

comm=“dpkg”

It’s APT which called DPKG. While it’s the APT profile, it’s DPKG attempting to run this operation. Doesn’t get us any closer.

denied_mask=“x”

Execute? apparmor profile apt-get missing flag x for line /{,usr/,usr/local/}lib{,32,64}/** rwmixlk,? But that line already includes x. Maybe it’s some other line that is triggering this?

name=“/usr/lib/security-misc/pam_tally2-info.dpkg-tmp”

target=“/usr/lib/security-misc/pam_tally2-info”

I am confused by name vs target. What does name mean, and what does target mean?


Why is it only happening for /usr/lib/security-misc/pam_tally2-info but not for /usr/lib/security-misc/pam-abort-on-locked-password? Neither file changed on disk. Only other parts of security-misc changed. Yet, only pam_tally2-info is throwing the error. Which indicates that the issue is not in apt-get apparmor profile but elsewhere?

1 Like

To find out what’s special about pam_tally2-info I grepped whole Whonix source code for pam_tally2-info.

Found this:

apparmor-profile-anondist/etc/apparmor.d/abstractions/base.anondist: /usr/lib/security-misc/pam_tally2-info rpx

https://github.com/Whonix/apparmor-profile-anondist/blob/master/etc/apparmor.d/abstractions/base.anondist#L237

And /etc/apparmor.d/apt-get uses #include <abstractions/base>. Could that be the cause?

1 Like

Yes. It should be part of apparmor-profile-everything.

Probably for symlinks.

Probably means the name of the file you’re symlinking and the target is where you want to symlink it to.

1 Like
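The records argued about in the last few posts, as an added example that is not Whonix/Kicksecure code: a Python triage script that parses the pasted journalctl lines, collapses the audit-daemon/kernel duplicates, and models the rule behind info="link not subset of target". In that record the operation is a hard link made by dpkg, which links the installed file (audited as target=) to its .dpkg-tmp backup name (audited as name=) before replacing it. AppArmor permits a hard link only if the permissions the profile grants on the new name are a subset of those it grants on the target, and the exec mode (ix versus px) is part of that comparison; a mode mismatch is what denied_mask="x" reports. The glob rule quoted above grants ix on everything under /usr/lib while the abstractions/base.anondist line grants px on pam_tally2-info. The two permission strings in the last calls are my model of those merged rules, not text copied from the profiles.

```python
"""Triage the AppArmor DENIED records pasted in this thread.

Added example; it is not code from the Whonix/Kicksecure repositories.  It
parses `sudo journalctl -b | grep -i denied` output, de-duplicates the records
and, for operation="link", models the kernel check whose failure is logged as
info="link not subset of target".
"""
import re
from collections import Counter

# Journal lines taken from the output pasted above (curly quotes replaced by ").
SAMPLE_LOG = """\
Nov 25 14:04:40 host audit[1533]: AVC apparmor="DENIED" operation="link" info="link not subset of target" error=-13 profile="/usr/bin/apt-get" name="/usr/lib/security-misc/pam_tally2-info.dpkg-tmp" pid=1533 comm="dpkg" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/security-misc/pam_tally2-info"
Nov 25 14:04:40 host kernel: audit: type=1400 audit(1574690680.014:19): apparmor="DENIED" operation="link" info="link not subset of target" error=-13 profile="/usr/bin/apt-get" name="/usr/lib/security-misc/pam_tally2-info.dpkg-tmp" pid=1533 comm="dpkg" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/security-misc/pam_tally2-info"
Nov 25 14:04:44 host audit[1830]: AVC apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=1830 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 25 14:04:44 host audit[1830]: AVC apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=1830 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 25 14:04:47 host audit[2295]: AVC apparmor="DENIED" operation="capable" profile="/usr/bin/apt-get" pid=2295 comm="(sd-askpwagent)" capability=24 capname="sys_resource"
"""

# key="quoted value" or key=bare_value, as written by the audit subsystem.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key/value fields of one DENIED record, or None for any other line."""
    start = line.find('apparmor="DENIED"')
    if start < 0:
        return None
    return {key: quoted or bare for key, quoted, bare in _FIELD_RE.findall(line[start:])}


def summarize(text):
    """Count distinct denials by (profile, operation, object, target, denied_mask).

    The journal carries every event twice (audit daemon and kernel), so counting
    on these fields collapses the repeats and shows what actually needs a rule.
    """
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            counts[(rec.get("profile"), rec.get("operation"),
                    rec.get("name") or rec.get("capname"),
                    rec.get("target"), rec.get("denied_mask"))] += 1
    return counts


def link_denials(text):
    """Distinct operation="link" denials as (profile, comm, target, name).

    For a hard link the kernel audits the existing file as target= and the new
    link path as name=; here dpkg links pam_tally2-info to pam_tally2-info.dpkg-tmp.
    """
    seen = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("operation") == "link":
            seen[(rec["profile"], rec["comm"], rec["target"], rec["name"])] = True
    return list(seen)


def parse_perms(spec):
    """Split a rule permission string such as 'rwmixlk' into (perm letters, exec mode).

    Exec modifiers (i, p, c, u and their capitals) are kept separately because the
    kernel treats 'ix' and 'px' as different exec permissions.
    """
    perms, mode = set(), ""
    for ch in spec:
        if ch in "ipcuPCU":
            mode += ch
        elif ch in "rwamxlk":
            perms.add(ch)
        else:
            raise ValueError(f"unknown permission letter {ch!r} in {spec!r}")
    return perms, mode


def link_is_subset(link_spec, target_spec):
    """Model AppArmor's implicit hard-link rule and return (allowed, reason).

    The permissions the profile grants on the new link name must be a subset of
    those it grants on the target ('l' itself is exempt), and if exec is among
    them the exec mode must match; a mismatch is denied with denied_mask="x".
    """
    lperms, lmode = parse_perms(link_spec)
    tperms, tmode = parse_perms(target_spec)
    missing = sorted((lperms - {"l"}) - tperms)
    if missing:
        return False, "link has " + ",".join(missing) + " not granted on target"
    if "x" in lperms and lmode != tmode:
        return False, f"exec mode {lmode!r} on link differs from {tmode!r} on target"
    return True, ""


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(n, key)
    for entry in link_denials(SAMPLE_LOG):
        print("hard link", entry)
    # Modelled from the thread: the glob rule grants rwmixlk on the .dpkg-tmp name,
    # while abstractions/base.anondist adds px on the target, so the exec modes differ.
    print(link_is_subset("rwmixlk", "rwmpxlk"))
    print(link_is_subset("rwmixlk", "rwmixlk"))
```

Feed it the real journal with `sudo journalctl -b | grep -i denied | python3 triage.py` after adding a `sys.stdin.read()` call; the grouped counts tell you which profile needs a rule, and for link denials the (target, name) pair tells you which two paths must end up with matching permissions.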

https://github.com/Whonix/security-misc/blob/master/usr/lib/security-misc/remove-system.map and https://github.com/Whonix/helper-scripts/blob/master/usr/lib/helper-scripts/first-boot-skel need their own apparmor profiles too.

remove-system.map needs access to /boot and first-boot-skel needs access to home directories.

1 Like

Instead of creating profiles for every shell script that needs extra permissions, we might be able to create a whonix-shell-script profile and make all our scripts run under that.

It would be far easier to manage.

1 Like

That was the issue.

I fixed that and a few other things: Fixes by madaidan · Pull Request #9 · Kicksecure/apparmor-profile-everything · GitHub

1 Like

I did that. Dunno the best way to make all the scripts run under it so I just created a generic abstraction and a profile with each script that includes the abstraction.

whonix-shell-script profile: Debian paste error

whonix-shell-script abstraction: Debian paste error

1 Like

haveged.service, onion-grater.service, sdwdate.service and kloak.service are all failing when apparmor-profile-everything is being used.

This isn’t an issue with the apparmor profile. Some of those services even have their own profile. This is caused by the systemd sandboxing in those services. If you disable the sandboxing and reboot, they work fine.

The only explanation I can find for this is grsecurity forums • View topic - denied access to hidden file /dev/urandom by /usr/bin/tor

It would be because that option causes Tor to be run with a private mount namespace created on demand, so any inode associated with /dev/urandom inside that namespace isn’t knowable from the point where RBAC is loaded. That option shouldn’t be enabled with RBAC.

I don’t know how to fix this except disabling the sandboxing which would worsen security.

We could ask the upstream apparmor and systemd devs.

1 Like

Yes, please ask.

1 Like