Using apparmor-profile-everything on Debian Buster

I have been keeping up with @madaidan’s and @Patrick’s ongoing development of apparmor-profile-everything. So far, their efforts have led to a system of total confinement aptly named apparmor-profile-everything.

This is not simply a single profile but a series of profiles, system files, and related scripting. Together these elements work as one to confine the user’s system starting from init onward. The confinements include: the systemd init process and any children it spawns, the apt-get processes through a wrapper named rapt, and a lockdown of files and directories that could pose significant security risks if they were to be exploited.

The initramfs is made aware through a hook so that the init-systemd AppArmor profile is executed right before systemd starts parsing. This is proven through simple examination of the boot log information (journalctl).

This was tested on a Debian Buster host with kernel 4.19.0-6-amd64 fully updated. Since Debian ships AppArmor as default, and it is already active, no kernel boot parameter is necessary. There is a very convenient way to add this profile to your system by simply obtaining it from the official Whonix repository.

sudo apt-get install apparmor-profile-everything

That will install the package onto your machine.

The rapt application was very interesting because it completely confined apt-get while at the same time allowing for normal use. It acts as a wrapper for apt, similar in function to how uwt acts as a wrapper for torsocks in Whonix. rapt protects your system and a review of the code shows that it specifically works with and for apparmor-profile-everything to make sure an attacker or malicious script cannot simply remove packages to bypass protections.

The initramfs-tools hook is simple enough to understand. Its purpose is to make sure that the initramfs knows to initiate the init-systemd AppArmor profile before systemd. The log confirms this:

Dec 19 00:16:08 host kernel: audit: type=1400 audit(1576714567.608:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="init-systemd" pid=211 comm="apparmor_parser"

then immediately after:

Dec 19 00:16:08 host systemd[1]: systemd 241 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP

the /usr/bin/rapt profile parses as well:

Dec 19 00:16:08 host kernel: audit: type=1400 audit(1576714568.800:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/rapt" pid=308 comm="apparmor_parser"

Now, it is important to note that this particular system is a torified and hardened workstation. No clearnet allowed. My permissions are not identical to those of Whonix, but they are similar. I can only report on my own system, so your mileage may vary. That would not be a problem though, because (if you know what you are doing) AppArmor is very flexible and still very secure. If my testing continues as smoothly as it has so far, my plan is to implement apparmor-profile-everything on all my systems.

There are no errors with System Tor (4.1.6) or the Tor Browser (9.02).
I have not tested UDP, but TCP is fine. OpenVPN works, both as openvpn@server and as a client connecting to that server. No interruptions or permissions issues found. Performance is as expected. OpenVPN works both with TCP and UDP, and ports are flexible. Used in TCP mode, no errors are experienced.
Monero cli wallet works. Electrum works.
Normal day-to-day tasks also work with no issue. Specifically: browsing, coding and compiling (with minor tweaks).
There was an error regarding GPG that wanted access to /proc/sys/crypto/fips_enabled. It was not an impediment, however. I did not adjust any permissions, and the error proved harmless. (This error was generated by the /usr/bin/rapt profile and recorded by audit in dmesg.)
Other than that, there have been no issues!

AppArmor is a versatile and powerful system that can provide formidable protections and be a substantial, if not insurmountable, obstacle to any misbehaving program or malware. Profiles are straightforward and rely on absolute paths. Some commands to get you started with AppArmor, all of which need sudo privileges:

sudo aa-status

shows you the list of profiles on the system: how many are loaded, how many are in enforce mode, how many are in complain mode, the active processes with their associated profiles, and processes that are unconfined but have a profile defined.

sudo aa-enforce

makes a new profile go into "enforce" mode right away.
This command needs the apparmor-utils package.

sudo systemctl status apparmor

shows whether AppArmor is active, when it was started and its process ID number.

sudo systemctl restart apparmor

restarts AppArmor and its profiles.

Edit by Patrick:
Formatting changes.

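The journal lines quoted above (the profile_load events for init-systemd and /usr/bin/rapt, and the GPG denial the post describes) are easy to check mechanically rather than by eye. The following POSIX shell script is an added example; it is not part of the original post nor of the apparmor-profile-everything project. It reads a constructed sample of kernel audit lines (the two STATUS lines follow the post, the DENIED line is a made-up placeholder in the standard AppArmor audit format, modelled on the fips_enabled error the post mentions), lists which profiles apparmor_parser loaded, verifies that a required set of profiles is among them, and summarizes every DENIED event as profile, command, path and denied mask. The function names and the sample log are my own assumptions.

```shell
#!/bin/sh
# Constructed sample of AppArmor kernel audit lines. The two STATUS lines are
# in the format the post quotes; the DENIED line is a constructed placeholder
# (not captured from the author's system) in the usual AppArmor audit layout.
SAMPLE_LOG='Dec 19 00:16:08 host kernel: audit: type=1400 audit(1576714567.608:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="init-systemd" pid=211 comm="apparmor_parser"
Dec 19 00:16:08 host kernel: audit: type=1400 audit(1576714568.800:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/rapt" pid=308 comm="apparmor_parser"
Dec 19 00:17:02 host kernel: audit: type=1400 audit(1576714622.100:9): apparmor="DENIED" operation="open" profile="/usr/bin/rapt" name="/proc/sys/crypto/fips_enabled" pid=1402 comm="gpg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Print the name of every profile loaded by apparmor_parser, one per line.
loaded_profiles() {
  printf '%s\n' "$1" | sed -n 's/.*operation="profile_load".* name="\([^"]*\)".*/\1/p'
}

# Return 0 if every profile named in the remaining arguments appears among the
# profile_load events of the log given as the first argument, 1 otherwise.
check_required_loaded() {
  log="$1"; shift
  loaded=$(loaded_profiles "$log")
  for want in "$@"; do
    printf '%s\n' "$loaded" | grep -qxF "$want" || return 1
  done
  return 0
}

# Summarize DENIED events as tab-separated "profile comm path denied_mask".
# Fields are matched by key rather than by position, since the audit
# subsystem does not guarantee field order across kernel versions.
denied_events() {
  printf '%s\n' "$1" | awk '
    /apparmor="DENIED"/ {
      prof = ""; name = ""; comm = ""; mask = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^profile=/) prof = $i
        else if ($i ~ /^name=/) name = $i
        else if ($i ~ /^comm=/) comm = $i
        else if ($i ~ /^denied_mask=/) mask = $i
      }
      # strip the key= prefix and the surrounding double quotes
      gsub(/^[a-z_]*="|"$/, "", prof); gsub(/^[a-z_]*="|"$/, "", name)
      gsub(/^[a-z_]*="|"$/, "", comm); gsub(/^[a-z_]*="|"$/, "", mask)
      printf "%s\t%s\t%s\t%s\n", prof, comm, name, mask
    }'
}

# Stand-alone run over the constructed sample.
echo "Loaded profiles:"
loaded_profiles "$SAMPLE_LOG"
if check_required_loaded "$SAMPLE_LOG" init-systemd /usr/bin/rapt; then
  echo "Required profiles present"
else
  echo "A required profile is missing" >&2
fi
echo "Denied events (profile, comm, path, mask):"
denied_events "$SAMPLE_LOG"
```

On a live Debian system the same functions can be fed the real audit stream, for example `denied_events "$(journalctl -k)"`, which gives a quick way to tell a harmless denial such as the fips_enabled read apart from one that blocks something you need before deciding whether a profile should be adjusted.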

Made some formatting edits. And moved to news section.

Note: apparmor-profile-everything is still under development. While it might already break some malware, we don’t have it block dangerous file edits by default yet. Stay tuned. We’ll post an update when ready.


A great advertisement for a cool feature.
