Untrusted Root - improve Security by Restricting Root

For ordinary use cases, probably not.

A step into the direction of untrusted root:

It restricts root pretty well already. Only 26 capabilities out of 38 are permitted and I’ve plans to restrict this even further.

stackexchange bounty posted here:

forest is the author or linux - Methods root can use to elevate itself to kernel mode - Information Security Stack Exchange. Contacted forest.

Quote [Whonix-devel] untrusted root

On 2019-10-29 03:36 PM, Patrick Schleizer wrote:

Hi forest,

we are working on software packages towards untrusted root. Please
kindly consider joining our efforts.

linux - Methods root can use to elevate itself to kernel mode - Information Security Stack Exchange>
Untrusted Root - improve Security by Restricting Root>
GitHub - Kicksecure/security-misc: Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc

AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy>
Kind regards,
Patrick

forest forestmerge@airmail.cc relied:

I’m not able to assist full-time but I may be available for consultancy over email. There are a few things that I should mention about untrusted root that are necessary prerequisites for doing so securely, though:

1. A solid formal threat model is a must. It’s the only way to ensure all developers are on the same page. It’s even better if it includes data flow diagrams for at-risk processes. Threat modeling becomes more complex if privesc is in-scope, but for a serious project, it’s worth the investment in the long run.

2. AppArmor is probably not going to cut it. Although there are hacky ways to get it to work with PID 1, you’d be much better off with SELinux or, even better, Grsecurity’s RBAC (requires subscription, but provides overwhelmingly better security than possible with vanilla Linux).

3. There’s no safe way to run Xorg with multiple mutually-distrusting users at the same time (e.g. a regular user and a root shell). The same is true with other utilities like tmux, but Xorg is the most common culprit of bypasses for a desktop system.

Forwarded here with permission.

It’s great forest agreed to help us.

AppArmor is probably not going to cut it. Although there are hacky ways to get it to work with PID 1, you’d be much better off with SELinux or, even better, Grsecurity’s RBAC (requires subscription, but provides overwhelmingly better security than possible with vanilla Linux).

SELinux would be preferred but I have no experience in writing SELinux policies so I can’t work with it.

Grsec RBAC isn’t really a viable option. We’d need to pay grsec a large amount of money to be able to distribute it in Whonix, if they’d even let us at all.

forest not gonna read forums. Only means of communication is e-mail or mailinglist (public, better).

Untrusted root is being worked on.

• AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy
• Kernel Hardening - security-misc

Thanks to GitHub - Kicksecure/apparmor-profile-everything: AppArmor for everything. APT, systemd, init, all systemd units, all applications. Mandatory Access Control. Security Hardening. untrusted root comes closer. And thanks to untrusted root, we could generated signing keys on the user’s machine which untrusted root has no access to. These could then be used for various good things:

• Verified Boot - Kicksecure (sign kernel images, perhaps initrd), and
• enforce kernel module software signature verification [module signing] / disallow kernel module loading by default

Once my newest pull requests are merged, this will go down to 22 out of 38.