[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Untrusted Root - improve Security by Restricting Root

For ordinary use cases, probably not.

1 Like

A step into the direction of untrusted root:

1 Like

It restricts root pretty well already. Only 26 capabilities out of 38 are permitted and I’ve plans to restrict this even further.

2 Likes

stackexchange bounty posted here:

2 Likes

forest is the author or https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode. Contacted forest.

Quote https://www.whonix.org/pipermail/whonix-devel/2019-October/001471.html

On 2019-10-29 03:36 PM, Patrick Schleizer wrote:

Hi forest,

we are working on software packages towards untrusted root. Please
kindly consider joining our efforts.

https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode>
Untrusted Root - improve Security by Restricting Root>
https://github.com/Whonix/security-misc

AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy>
Kind regards,
Patrick

forest forestmerge@airmail.cc relied:

I’m not able to assist full-time but I may be available for consultancy over email. There are a few things that I should mention about untrusted root that are necessary prerequisites for doing so securely, though:

  1. A solid formal threat model is a must. It’s the only way to ensure all developers are on the same page. It’s even better if it includes data flow diagrams for at-risk processes. Threat modeling becomes more complex if privesc is in-scope, but for a serious project, it’s worth the investment in the long run.

  2. AppArmor is probably not going to cut it. Although there are hacky ways to get it to work with PID 1, you’d be much better off with SELinux or, even better, Grsecurity’s RBAC (requires subscription, but provides overwhelmingly better security than possible with vanilla Linux).

  3. There’s no safe way to run Xorg with multiple mutually-distrusting users at the same time (e.g. a regular user and a root shell). The same is true with other utilities like tmux, but Xorg is the most common culprit of bypasses for a desktop system.

Forwarded here with permission.

2 Likes

It’s great forest agreed to help us.

AppArmor is probably not going to cut it. Although there are hacky ways to get it to work with PID 1, you’d be much better off with SELinux or, even better, Grsecurity’s RBAC (requires subscription, but provides overwhelmingly better security than possible with vanilla Linux).

SELinux would be preferred but I have no experience in writing SELinux policies so I can’t work with it.

Grsec RBAC isn’t really a viable option. We’d need to pay grsec a large amount of money to be able to distribute it in Whonix, if they’d even let us at all.

2 Likes

forest not gonna read forums. Only means of communication is e-mail or mailinglist (public, better).

2 Likes

Untrusted root is being worked on.

1 Like

Thanks to https://github.com/Whonix/apparmor-profile-everything untrusted root comes closer. And thanks to untrusted root, we could generated signing keys on the user’s machine which untrusted root has no access to. These could then be used for various good things:

2 Likes

Once my newest pull requests are merged, this will go down to 22 out of 38.

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]