apparmor-profile-everything is an experimental AppArmor policy which confines all user space processes on the system. It is still currently in development and requires testing.
Install it by executing:
sudo apt-get install apparmor-profile-everything
Then reboot.
apparmor-profile-everything supports different boot modes: aadebug and superroot. aadebug allows certain permissions necessary for advanced debugging and superroot relaxes the policy substantially, even making bypasses possible. It is highly recommended to stick to the default boot mode.
It also contains a wrapper to restrict apt as apt requires permissions that may be abused to circumvent the policy. When updating or installing applications, you must use the rapt command.
Please report any issues you face while using this so they can be resolved.
Both kloak and vboxadd-service units fail after installing apparmor-profile-everything.
Is it enough to post only journalctl log?
I am sorry for the noob question but I know nothing.
We could slightly relax the restrictions to allow reading /sys/devices/pci**/block/{s,v}da/dev; however, this could potentially allow an attacker to bypass some restrictions and read sensitive files, e.g. System.map, which can aid further exploitation. Is there another way to implement this check?
Seems to be the same issue as we had with sdwdate, haveged and onion-grater. Might need to subtract some systemd hardening.
Would it help if instead that was /path/to/some/wrapper and sudo --non-interactive /path/to/some/wrapper? Happy to implement that too. Even such a wrapper being allowed to run wouldn’t be good enough?
(That wrapper would then run /bin/lsblk --noheadings --all --raw --output RO.)
We could just create a profile directly for /bin/lsblk since it doesn’t appear to include any functionality that is especially dangerous (if it does, we can create a rapt-like wrapper). This would also allow using lsblk for other purposes.
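A per-binary profile along those lines, as an added example that is not part of this thread or of the apparmor-profile-everything package. The path set is an assumption for a typical Debian system (sysfs block topology, the udev database and the mount table); load it with aa-complain first and check the audit log before enforcing.

```apparmor
# Added example, not the project's own profile: confine /bin/lsblk so the
# sysfs block-device entries become readable only to this binary instead of
# relaxing the system-wide rule. Path list is an assumption; verify in
# complain mode on the target system.
#include <tunables/global>

/bin/lsblk {
  #include <abstractions/base>

  # the binary itself
  /bin/lsblk mr,

  # block-device topology lsblk enumerates; AppArmor resolves the
  # /sys/dev/block and /sys/class/block symlinks to their /sys/devices targets
  /sys/dev/block/ r,
  /sys/dev/block/** r,
  /sys/class/block/ r,
  /sys/class/block/** r,
  /sys/block/ r,
  /sys/block/** r,
  /sys/devices/**/block/ r,
  /sys/devices/**/block/** r,

  # udev database (device properties) and the mount/swap tables
  /run/udev/data/* r,
  @{PROC}/self/mountinfo r,
  @{PROC}/swaps r,
  /dev/ r,

  # everything else stays unreadable; /boot (System.map) is denied explicitly
  # so a misconfigured include cannot quietly reopen it
  deny /boot/** r,
  deny /etc/shadow r,
}
```

With the wrapper or unit calling /bin/lsblk under this profile, the broader policy no longer needs a read rule for /sys/devices/pci**/block/{s,v}da/dev at all.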
I attempted to run this policy in Kicksecure and once I start lightdm to login to Kicksecure, I display a black screen. I can go into a virtual console with CTRL+ALT+F1 and I attempted to uninstall apparmor-profile-everything and reboot, another black screen.
I then uninstalled apparmor and I’m able to login to LightDM then XFCE no problem.
What log should I look for that is hindering me from successfully running apparmor-profile-everything?