apparmor.d
review apparmor profiles by Kicksecure / Whonix
As mentioned in https://github.com/roddhjav/apparmor.d/issues/250
Not sure how useful it is to create such a list. Links might change over the years (do to file name changes, removed profiles, added profiles).
Might be more useful within derivative-maker source code folder to run something like this:
```shell
find . -type f -not -iwholename '*.git*' | grep apparmor.d
```
Here is the list:
https://github.com/Whonix/whonix-firewall/tree/master/etc/apparmor.d/whonix-firewall
https://github.com/Whonix/whonix-firewall/tree/master/etc/apparmor.d/abstractions/whonix-firewall
https://github.com/Whonix/anon-gw-anonymizer-config/tree/master/etc/apparmor.d/local/system_tor.anondist
https://github.com/Whonix/anon-gw-anonymizer-config/tree/master/etc/apparmor.d/local/usr.bin.obfsproxy.anondist
https://github.com/Whonix/onion-grater/tree/master/etc/apparmor.d/usr.lib.onion-grater
https://github.com/Whonix/kloak/tree/master/etc/apparmor.d/usr.sbin.kloak
https://github.com/Kicksecure/sdwdate/tree/master/etc/apparmor.d/usr.bin.sdwdate
https://github.com/Kicksecure/sdwdate/tree/master/etc/apparmor.d/usr.bin.url_to_unixtime
https://github.com/Kicksecure/sdwdate/tree/master/etc/apparmor.d/abstractions/url_to_unixtime
https://github.com/Kicksecure/bootclockrandomization/tree/master/etc/apparmor.d/bootclockrandomization
https://github.com/Kicksecure/helper-scripts/tree/master/etc/apparmor.d/usr.bin.tor-circuit-established-check
https://github.com/Kicksecure/helper-scripts/tree/master/etc/apparmor.d/abstractions/tor-circuit-established-check
https://github.com/Kicksecure/apparmor-profile-dist/tree/master/etc/apparmor.d/tunables/home.d/anondist
https://github.com/Kicksecure/apparmor-profile-dist/tree/master/etc/apparmor.d/tunables/home.d/live-mode
https://github.com/Kicksecure/apparmor-profile-dist/tree/master/etc/apparmor.d/tunables/home.d/qubes-whonix-anondist
https://github.com/Kicksecure/apparmor-profile-dist/blob/master/etc/apparmor.d/abstractions/base.d/kicksecure
https://github.com/Kicksecure/security-misc/tree/master/etc/apparmor.d/tunables/home.d/security-misc
https://github.com/Kicksecure/systemcheck/tree/master/etc/apparmor.d/usr.libexec.systemcheck.canary
https://github.com/Kicksecure/systemcheck/tree/master/etc/apparmor.d/usr.bin.systemcheck
https://github.com/Kicksecure/timesanitycheck/tree/master/etc/apparmor.d/usr.bin.timesanitycheck
https://github.com/Kicksecure/timesanitycheck/tree/master/etc/apparmor.d/abstractions/timesanitycheck
https://github.com/Kicksecure/sandbox-app-launcher/tree/master/etc/apparmor.d/sandbox-app-launcher
https://github.com/Kicksecure/sandbox-app-launcher/tree/master/etc/apparmor.d/abstractions/sandbox-app-launcher
https://github.com/Kicksecure/apparmor-profile-thunderbird/tree/master/etc/apparmor.d/local/usr.bin.thunderbird
https://github.com/Kicksecure/apparmor-profile-torbrowser/tree/master/etc/apparmor.d/home.tor-browser.firefox
https://github.com/Kicksecure/apparmor-profile-hexchat/tree/master/etc/apparmor.d/usr.bin.hexchat
Most of these profiles were developed outside the full apparmor profile threat model, i.e. with the classic per-application viewpoint.
https://github.com/Whonix/whonix-firewall/tree/master/etc/apparmor.d/whonix-firewall https://github.com/Whonix/whonix-firewall/tree/master/etc/apparmor.d/abstractions/whonix-firewall
This actually was only added towards full apparmor profile. Otherwise very low attack surface and not something that normally would be apparmor confined.
https://github.com/Whonix/anon-gw-anonymizer-config/tree/master/etc/apparmor.d/local/system_tor.anondist
https://github.com/Whonix/anon-gw-anonymizer-config/tree/master/etc/apparmor.d/local/usr.bin.obfsproxy.anondist
Not sure what should happen with these. Ideally upstreamed but not easy for me.
https://github.com/Whonix/onion-grater/tree/master/etc/apparmor.d/usr.lib.onion-grater
This actually has relevant attack surface and is important.
https://github.com/Whonix/kloak/tree/master/etc/apparmor.d/usr.sbin.kloak
Not sure how kloak could be attacked (locally running only reacting on keyboard press) so not one of the most important profiles.
https://github.com/Kicksecure/sdwdate/tree/master/etc/apparmor.d/usr.bin.sdwdate https://github.com/Kicksecure/sdwdate/tree/master/etc/apparmor.d/usr.bin.url_to_unixtime https://github.com/Kicksecure/sdwdate/tree/master/etc/apparmor.d/abstractions/url_to_unixtime
Relevant attack surface.
https://github.com/Kicksecure/bootclockrandomization/tree/master/etc/apparmor.d/bootclockrandomization https://github.com/Kicksecure/helper-scripts/tree/master/etc/apparmor.d/usr.bin.tor-circuit-established-check https://github.com/Kicksecure/helper-scripts/tree/master/etc/apparmor.d/abstractions/tor-circuit-established-check
Only for full apparmor profile threat model.
https://github.com/Kicksecure/apparmor-profile-dist/tree/master/etc/apparmor.d/tunables/home.d/anondist
Maybe should be moved to the uwt package?
https://github.com/Kicksecure/apparmor-profile-dist/tree/master/etc/apparmor.d/tunables/home.d/live-mode
Maybe should be moved to the grub-live package?
https://github.com/Kicksecure/apparmor-profile-dist/tree/master/etc/apparmor.d/tunables/home.d/qubes-whonix-anondist
Maybe should be moved to the qubes-whonix package?
https://github.com/Kicksecure/apparmor-profile-dist/blob/master/etc/apparmor.d/abstractions/base.d/kicksecure
These probably all should be moved to their respective packages now that AppArmor base.d is supported?
If all done, then apparmor-profile-dist would be no longer needed.
https://github.com/Kicksecure/security-misc/tree/master/etc/apparmor.d/tunables/home.d/security-misc
Probably ok as is.
https://github.com/Kicksecure/systemcheck/tree/master/etc/apparmor.d/usr.libexec.systemcheck.canary
Low but relevant attack surface.
https://github.com/Kicksecure/systemcheck/tree/master/etc/apparmor.d/usr.bin.systemcheck
Probably low attack surface. It uses `include <abstractions/totem>`, which is inappropriate as this gives too many permissions. Probably added by mistake by using `sudo aa-logprof`.
https://github.com/Kicksecure/timesanitycheck/tree/master/etc/apparmor.d/usr.bin.timesanitycheck https://github.com/Kicksecure/timesanitycheck/tree/master/etc/apparmor.d/abstractions/timesanitycheck
Only for full apparmor profile threat model.
https://github.com/Kicksecure/sandbox-app-launcher/tree/master/etc/apparmor.d/sandbox-app-launcher https://github.com/Kicksecure/sandbox-app-launcher/tree/master/etc/apparmor.d/abstractions/sandbox-app-launcher
Not sure. Development stalled.
https://github.com/Kicksecure/apparmor-profile-thunderbird/tree/master/etc/apparmor.d/local/usr.bin.thunderbird
Mostly Qubes specific additions. Not sure how to best handle this.
https://github.com/Kicksecure/apparmor-profile-torbrowser/tree/master/etc/apparmor.d/home.tor-browser.firefox
Most important profile for Whonix. Supports the browser component only. Not the full TBB package (Tor component of the bundle). Profile might be more hardened than other Tor Browser AppArmor profiles.
Dunno if it is suitable to be upstreamed somewhere.
https://github.com/Kicksecure/apparmor-profile-hexchat/tree/master/etc/apparmor.d/usr.bin.hexchat
Also important for users for hexchat. This would be great if it could be upstreamed to apparmor.d, Debian or hexchat upstream.
A lot of profiles were initially contributed. Once/if contributors are MIA, it's hard for me to maintain / harden these profiles. I therefore focused on profiles with the most attack surface under the classic per-application threat model.
Thanks for the summary of profiles to review/update. I will test them, but after the full system policy is set up, and once I get some time for it (so probably not before 2024).
I had a quick look at the profiles and some notes came to mind:
- Most of the content from https://github.com/Kicksecure/apparmor-profile-dist/blob/master/etc/apparmor.d/abstractions/base.d/kicksecure should probably not be in a base profile, but moved into the few profiles that need it.
- Most of the profiles seem to have the old structure (no profile name, no abi definition, former filename scheme (`usr.bin.timesanitycheck` instead of `timesanitycheck`)...). Do you mind if I update this?
- Once apparmor.d is used, I could use additional variables & abstractions in these profiles. This would mean that apparmor.d would become a dep of these packages (as they already have `apparmor-profiles` as a dep). Is it fine with you?
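As an added example (not code from the apparmor.d project or from anyone in this thread), a POSIX sh check that flags the two problems raised above: an over-broad `include <abstractions/totem>` like the one in the systemcheck profile, and profiles still in the old layout (no abi rule, path-only header instead of a named profile). The sample profiles it scans are constructed inline; the gnome/kde abstractions in the pattern are assumed additional examples of broad desktop abstractions.

```shell
#!/bin/sh
# Added example (not apparmor.d code): flag profiles that keep the legacy
# layout (no abi rule, path-only header) or include a broad abstraction.
set -eu
# Prints one finding per line for profile file $1; returns 1 if any found.
check_profile() {
    f="$1"; rc=0
    grep -Eq '^[[:space:]]*abi[[:space:]]+<abi/[0-9.]+>,' "$f" \
        || { echo "$f: missing abi rule"; rc=1; }
    grep -Eq '^[[:space:]]*profile[[:space:]]+[A-Za-z0-9_.-]+[[:space:]]' "$f" \
        || { echo "$f: no profile name (path-only header)"; rc=1; }
    # 'totem' is the abstraction called out in the thread; gnome/kde are
    # assumed further examples of similarly broad desktop abstractions.
    if grep -Eq '^[[:space:]]*#?include[[:space:]]+<abstractions/(totem|gnome|kde)>' "$f"; then
        echo "$f: includes an over-broad abstraction"; rc=1
    fi
    return $rc
}
# Number of findings for profile $1 (0 when the profile is clean).
count_findings() { check_profile "$1" | wc -l | tr -d ' '; }
# Writes two constructed sample profiles into directory $1: a legacy-style
# one modelled on the systemcheck issue, and a modernised rewrite of it.
write_samples() {
    cat >"$1/usr.bin.systemcheck" <<'EOF'
#include <tunables/global>
/usr/bin/systemcheck {
  #include <abstractions/base>
  #include <abstractions/totem>
  /usr/bin/systemcheck r,
}
EOF
    cat >"$1/systemcheck" <<'EOF'
abi <abi/3.0>,
include <tunables/global>
profile systemcheck /usr/bin/systemcheck {
  include <abstractions/base>
  /usr/bin/systemcheck r,
}
EOF
}
# Stand-alone demo: 3 findings for the legacy file, none for the rewrite.
dir=$(mktemp -d)
write_samples "$dir"
for p in "$dir/usr.bin.systemcheck" "$dir/systemcheck"; do
    check_profile "$p" || true
done
rm -rf "$dir"
```

Point `check_profile` at real files under /etc/apparmor.d to triage a package's profiles before rewriting them.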
> I had a quick look at the profiles and some notes came to mind:
> - Most of the content from https://github.com/Kicksecure/apparmor-profile-dist/blob/master/etc/apparmor.d/abstractions/base.d/kicksecure should probably not be in a base profile, but moved into the few profiles that need it.
Yes.
> - Most of the profiles seem to have the old structure (no profile name, no abi definition, former filename scheme (`usr.bin.timesanitycheck` instead of `timesanitycheck`)...). Do you mind if I update this?
Sure thing. Happy if these are brought up to modern standards.
> - Once apparmor.d is used, I could use additional variables & abstractions in these profiles. This would mean that apparmor.d would become a dep of these packages (as they already have `apparmor-profiles` as a dep). Is it fine with you?
If apparmor.d is stable enough, sure. Not a problem.
An alternative would be (not required for Kicksecure necessarily), for wider compatibility, to have separate packages for abstractions and profiles. Dunno if there are other cases where this would help.
> An alternative would be (not required for Kicksecure necessarily), for wider compatibility, to have separate packages for abstractions and profiles. Dunno if there are other cases where this would help.
These additional variables & abstractions are actually being upstreamed, so at some point they will be available for everyone.
@adrelanos the .deb package produced with the 'whonix' make target also has to be tested. Especially on Qubes Whonix probably. If something breaks, we should open pulls here to add the necessary profiles to unbreak Whonix/Qubes.
I did some testing for Kicksecure alone, and it works. For Qubes unfortunately I am in no position to do testing.
But yes. Also there should be a roadmap to provide the whonix target as a package under the Kicksecure repositories. Not requiring testers to manually build the package is a net positive that would make it easier to test.
Big task. Separate ticket would be better.
I think this might require more than just a ticket. And I am not sure this would be the place to open that ticket. Pujol won't do the packaging for kicksecure. Kicksecure will on its own package the whonix deb target and distribute it on its repo. I don't know where would be the appropriate place for issues relating to kicksecure packaging.
That would be the Kicksecure forums.
You might want to have a look at the whonix group, there is a brand new torbrowser profile. For now it has some new or newly rewritten profiles that aim to be moved into the Kicksecure repo.
Side note, I have tested apparmor.d on Whonix. It works fine, but there are a few concerns:
- The base addition breaks the compilation of the profiles: there are conflicts between the rules in this project and the `rix` rule in the abstraction. They will have to be (carefully) removed.
- Compiling the profiles on the Whonix VM is very slow (yes, I added a lot of vCPU).
Hey this is very very good. I see massive improvements over the tor browser profile in whonix. I know I'm not the target of this post but I would still like to ask: why do you think the compilation is particularly slow on whonix? Do you think it is related to whonix itself or rather virtual box? I think it is likely the second one, because a kicksecure debian has no problems on kvm.
> The base addition breaks the compilation of the profiles: there are conflicts between the rules in this project and the `rix` rule in the abstraction. They will have to be (carefully) removed.
This can also be solved if Whonix just makes its own abstraction and imports it after migrating the problematic lines to it instead of extending the base. But I think your approach is essential for better integration between the two projects. Especially when considering the possibility of Whonix directly providing this project in its repos.
> For now it has some new or newly rewritten profiles that aim to be moved into the Kicksecure repo.
I don't know if @adrelanos is open to this yet but I have to say I'm really excited and this would also help apparmor.d be tested on a broader level.
Yes, the current base abstraction issue will get fixed with a better integration. Furthermore, I think none of the rules in this file should be in the base abstraction at all.
> Do you think it is related to whonix itself or rather virtual box? I think it is likely the second one, because a kicksecure debian has no problems on kvm.
I use KVM, so it is definitely not VirtualBox. I commented out most grub hardening settings from security-misc and edited some settings in the KVM VM (under `<clock>` and `<features>`). It helped, but it stays slower than a VM on Debian. It might be a security feature, so it is not a big deal, as long as there is a dev mode that speeds it up.
> I don't know if @adrelanos is open to this yet but I have to say I'm really excited and this would also help apparmor.d be tested on a broader level.
Yes.
The first step I want to go for is supporting `sudo apt install apparmor.d` from within Kicksecure, Whonix. For that, I need to learn how to build apparmor.d and integrate it into derivative-maker, which I didn't find time for yet.
> Side note, I have tested apparmor.d on Whonix. It works fine, but there are a few concerns:
> - The base addition breaks the compilation of the profiles: there are conflicts between the rules in this project and the `rix` rule in the abstraction. They will have to be (carefully) removed.
Yes. That's for sure. `/etc/apparmor.d/abstractions/base.d/kicksecure` is totally awful and needs to be gone. Help welcome.
@roddhjav's own profiles for Whonix are much more restricted and fine-grained. Some profiles are still missing here in the project, like kloak. I think having the missing ones also here in apparmor.d will simplify the burden of maintenance. All profiles in one place. Kicksecure won't need to deal with abstractions and compatibility in that case, it will just package this repo and everything will be good. That wouldn't be a terrible idea IMO.
> The first step I want to go for is supporting `sudo apt install apparmor.d` from within Kicksecure, Whonix. For that, I need to learn how to build apparmor.d and integrate it into derivative-maker, which I didn't find time for yet.
Once you have installed the deps, it should be as simple as (see dists/build.sh):
```shell
dch --newversion="$VERSION-1" --urgency=medium --distribution=stable --controlmaint "Release $VERSION-1"
dpkg-buildpackage -b -d --no-sign
```
To force the build for Whonix (useful if you are building from a Debian box), you may want to export the env: `export DISTRIBUTION=whonix`
Feel free to propose improvements to the current Debian packaging :)
Also: when testing, you need to remove `/etc/apparmor.d/abstractions/base.d/kicksecure`, otherwise the profiles will not compile.
> I think having the missing ones also here in apparmor.d will simplify the burden of maintenance.
As they are pretty much a WIP, as they are still going to change quite a lot, and as they are expected to work together, it is way easier to have a central repository for all profiles. However, once they are more stable this repo does not have to be apparmor.d. I mean, Whonix could maintain its own mono repo for Whonix specific profiles.
Whonix is now fully functional under apparmor.d. I have also added support for xfce such that all long running desktop processes should be confined too. New Whonix specific profiles are available in the whonix group. Later we could move them under a Kicksecure project.
To install apparmor.d in Whonix, you first need to remove `apparmor-profiles-extra` as it fully conflicts with it:
```shell
sudo dpkg -P --force-depends apparmor-profiles-extra
```
Other smaller conflicts are handled with `debian/apparmor.d.hide`. See: https://github.com/roddhjav/apparmor.d/blob/4a27c92d53f58e2df9cc6cb99bef0837b26909a3/pkg/prebuild/prebuild.go#L41-L51
Note: if apparmor.d is ready for Whonix, please do not ship it with FSP enabled for now. Let's move step by step here.
The reason / blocker why I haven't progressed with apparmor.d for Kicksecure, Whonix yet is this:
- https://github.com/roddhjav/apparmor.d/issues/304
- https://github.com/roddhjav/apparmor.d/issues/305
I've always been careful about dependency security / supply chain attacks but especially in light of the recent xz backdoor this seems too risky.
Yea, that's a pity. Ideally the only missing dep should be updated on debian salsa. Meanwhile, I can include it in the repo, so it would solve the issue.
Yes. That would be good.
These profiles are very well written and fine-grained, leagues ahead of what Whonix has now as default. Hope any blockers get resolved.