review apparmor profiles by Kicksecure / Whonix #251
Most of these profiles were developed outside the full apparmor profile threat model, i.e. with the classic per-application viewpoint.
This was actually only added towards the full apparmor profile. Otherwise very low attack surface and not something that would normally be apparmor confined.
Not sure what should happen with these. Ideally upstreamed but not easy for me.
This actually has relevant attack surface and is important.
Not sure how kloak could be attacked (locally running only reacting on keyboard press) so not one of the most important profiles.
Relevant attack surface.
Only for full apparmor profile threat model. Maybe should be moved to the uwt package? Maybe should be moved to the grub-live package? Maybe should be moved to the qubes-whonix package? These should probably all be moved to their respective packages now that AppArmor If all done, then apparmor-profile-dist would no longer be needed.
Probably ok as is.
Low but relevant attack surface.
Probably low attack surface. It uses
which is inappropriate as this gives too many permissions. Probably added by mistake by using
Only for full apparmor profile threat model.
Not sure. Development stalled. Mostly Qubes specific additions. Not sure how to best handle this. Most important profile for Whonix. Supports the browser component only. Not the full TBB package (Tor component of the bundle). Profile might be more hardened than other Tor Browser AppArmor profiles. Dunno if it is suitable to be upstreamed somewhere.
Also important for users for hexchat. This would be great if it could be upstreamed to apparmor.d, Debian or hexchat upstream. A lot of profiles were initially contributed. Once/if contributors are MIA, it's hard for me to maintain / harden these profiles. I therefore focused on profiles with the most attack surface under the classic per-application threat model. |
Thanks for the sum up of profiles to review/update. I will test them, but after the full system policy is set up, and once I get some time for it (so probably not before 2024). I had a quick look at the profiles and some notes went to my mind:
|
I had a quick look at the profiles and some notes went to my mind:
- Most of the content from https://github.com/Kicksecure/apparmor-profile-dist/blob/master/etc/apparmor.d/abstractions/base.d/kicksecure should probably not be in a base profile, but moved in the few profiles that need it.
Yes.
- Most of the profiles seem to have the old structure (no profile name, no abi definition, former filename scheme (`usr.bin.timesanitycheck` instead of `timesanitycheck`)...). Do you mind if I update this?
Sure thing. Happy if these are brought up to modern standards.
- Once apparmor.d is used, I could use additional variables & abstractions in these profiles. This would mean that apparmor.d would become a dep of these packages (as they already have `apparmor-profiles` as dep). Is it fine with you?
If apparmor.d is stable enough, sure. Not a problem.
An alternative would be (not required for Kicksecure necessarily) for wider compatibility to have separate packages for abstractions and profiles. Dunno if there are other cases where this would help.
|
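The structural points raised above (no `abi` declaration, no profile name, the old `usr.bin.*` filename scheme) can be checked mechanically before a migration. The following is an added example, not code from the apparmor.d project, Kicksecure or this issue: a POSIX shell check that scans a directory of profile files and reports which ones still carry those old-structure markers. The two sample profiles it writes into a temporary directory are constructed for the demo and are not the real Kicksecure/Whonix files; the regexes are assumptions about the header forms and are not a full AppArmor parser.

```shell
#!/bin/sh
# Added example (not from apparmor.d, Kicksecure or this issue): report AppArmor
# profile files that still use the old structure named in the thread:
#   - no `abi <abi/X.Y>,` declaration
#   - unnamed header (`/usr/bin/foo {` instead of `profile foo /usr/bin/foo {`)
#   - dotted filename scheme (`usr.bin.foo` instead of `foo`)
# The sample profiles below are constructed for this demo.
set -u

# check_profile FILE: print one line per old-structure finding; return 0 if none.
check_profile() {
    f="$1"
    name=$(basename "$f")
    old=0
    # Modern profiles pin the policy ABI, e.g. `abi <abi/4.0>,`.
    if ! grep -Eq '^[[:space:]]*abi[[:space:]]+<abi/[0-9.]+>,' "$f"; then
        echo "$name: missing abi declaration"; old=1
    fi
    # Modern profiles are named: `profile NAME /attachment/path {`.
    # A bare attachment path as header starts with `/`, so it does not match.
    if ! grep -Eq '^[[:space:]]*profile[[:space:]]+[A-Za-z0-9_.-]+[[:space:]]' "$f"; then
        echo "$name: unnamed profile header"; old=1
    fi
    # apparmor.d names the file after the profile, not after the dotted path.
    case "$name" in
        usr.*|etc.*|home.*|opt.*) echo "$name: old dotted filename scheme"; old=1 ;;
    esac
    return "$old"
}

# count_old_profiles DIR: number of regular files in DIR failing check_profile.
count_old_profiles() {
    n=0
    for p in "$1"/*; do
        [ -f "$p" ] || continue
        check_profile "$p" >/dev/null || n=$((n + 1))
    done
    echo "$n"
}

# Constructed samples: one old-style and one modern-style profile.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/usr.bin.timesanitycheck" <<'EOF'
#include <tunables/global>
/usr/bin/timesanitycheck {
  #include <abstractions/base>
  /usr/bin/timesanitycheck r,
}
EOF
cat > "$demo_dir/timesanitycheck" <<'EOF'
abi <abi/4.0>,
include <tunables/global>
profile timesanitycheck /usr/bin/timesanitycheck {
  include <abstractions/base>
  /usr/bin/timesanitycheck r,
}
EOF

# Stand-alone run: list findings, then the count of old-structure files.
for p in "$demo_dir"/*; do check_profile "$p" || :; done
echo "old-structure profiles: $(count_old_profiles "$demo_dir")"
```

Point it at a real `etc/apparmor.d` tree (for example with `count_old_profiles /path/to/etc/apparmor.d`) to get a quick inventory of which profiles still need the header, `abi` and filename updates before they are moved under apparmor.d.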
These additional variables & abstraction are actually being upstreamed, so at some point they will be available for everyone. |
@adrelanos the .deb package produced with the 'whonix' make target also has to be tested. Especially on Qubes Whonix probably. If something breaks, we should open pulls here to add the necessary profiles to unbreak Whonix/Qubes. I did some testing for Kicksecure alone, and it works. For Qubes unfortunately I am in no position to do testing. But yes. Also there should be a roadmap to provide the whonix target as a package under the kicksecure repositories. Not requiring testers to manually build the package is a net positive that would make it easier to test. |
Big task. Separate ticket would be better. |
I think this might require more than just a ticket. And I am not sure this would be the place to open that ticket. Pujol won't do the packaging for kicksecure. Kicksecure will on its own package the whonix deb target and distribute it on its repo. I don't know where the appropriate place for issues relating to kicksecure packaging would be. |
That would be the Kicksecure forums.
|
You might want to have a look at the whonix group, there is a brand new torbrowser profile. For now it has some new or newly rewritten profiles that aim to be moved into the Kicksecure repo. Side note, I have tested apparmor.d on whonix. It works fine, but there are a few concerns:
|
Hey this is very very good. I see massive improvements over the tor browser profile in whonix. I know I'm not the target of this post but I would still like to ask: why do you think the compilation is particularly slow on whonix? Do you think it is related to whonix itself or rather virtual box? I think it is likely the second one, because a kicksecure debian has no problems on kvm.
This can also be solved if whonix just makes its own abstraction and imports it after migrating the problematic lines to it instead of extending the base. But I think your approach is essential for better integration between the two projects. Especially when considering the possibility of whonix directly providing this project in its repos.
I don't know if @adrelanos is open to this yet but I have to say I'm really excited and this would also help apparmor.d be tested on a broader level. |
Yes, the current base abstraction issue will get fixed with a better integration. Furthermore, I think none of the rules in this file should be in the base abstraction at all.
I use KVM, so it is definitely not virtualbox. I commented out most grub hardening settings from security-misc and edited some settings in the KVM VM (under |
Yes. First step I want to go for is support
Yes. That's for sure. |
@roddhjav's own profiles for whonix are much more restricted and fine-grained. Some profiles are still missing here in the project, like kloak. I think having the missing ones also here in apparmor.d will simplify the burden of maintenance. All profiles in one place. Kicksecure won't need to deal with abstractions and compatibility in that case, it will just package this repo and everything will be good. That wouldn't be a terrible idea IMO. |
Once you have installed the deps, it should be as simple as (see dists/build.sh):

```
dch --newversion="$VERSION-1" --urgency=medium --distribution=stable --controlmaint "Release $VERSION-1"
dpkg-buildpackage -b -d --no-sign
```

To force the build for Whonix (useful if you are building from a debian box), you may want to export the env:

Feel free to propose improvements of the current debian packaging :) Also: when testing, you need to remove
As they are pretty much a WIP, and as they are still going to change quite a lot, and as they are expected to work together, it is way easier to have a central repository for all profiles. However, once they are more stable this repo does not have to be |
Whonix is now fully functional under
To install apparmor.d in Whonix, you first need to remove

```
sudo dpkg -P --force-depends apparmor-profiles-extra
```

Other smaller conflicts are handled with apparmor.d/pkg/prebuild/prebuild.go (lines 41 to 51 in 4a27c92).
Note: if apparmor.d is ready for whonix, please do not ship it with FSP enabled for now. Let's move step by step here. |
The reason, blocker why I haven't progressed with apparmor.d for Kicksecure, Whonix yet is this: I've always been careful about dependency security / supply chain attacks but especially in light of the recent xz backdoor this seems too risky. |
Yea, that's a pity. Ideally the only missing dep should be updated on debian salsa. Meanwhile, I can include it in the repo, so it would solve the issue. |
Yes. That would be good.
|
These profiles are very well written and fine-grained, leagues ahead of what whonix has now as default. Hope any blockers get resolved. |
As mentioned in #250
Not sure how useful it is to create such a list. Links might change over the years (due to file name changes, removed profiles, added profiles).
Might be more useful within derivative-maker source code folder to run something like this:
Here is the list:
https://github.com/Whonix/whonix-firewall/tree/master/etc/apparmor.d/whonix-firewall
https://github.com/Whonix/whonix-firewall/tree/master/etc/apparmor.d/abstractions/whonix-firewall
https://github.com/Whonix/anon-gw-anonymizer-config/tree/master/etc/apparmor.d/local/system_tor.anondist
https://github.com/Whonix/anon-gw-anonymizer-config/tree/master/etc/apparmor.d/local/usr.bin.obfsproxy.anondist
https://github.com/Whonix/onion-grater/tree/master/etc/apparmor.d/usr.lib.onion-grater
https://github.com/Whonix/kloak/tree/master/etc/apparmor.d/usr.sbin.kloak
https://github.com/Kicksecure/sdwdate/tree/master/etc/apparmor.d/usr.bin.sdwdate
https://github.com/Kicksecure/sdwdate/tree/master/etc/apparmor.d/usr.bin.url_to_unixtime
https://github.com/Kicksecure/sdwdate/tree/master/etc/apparmor.d/abstractions/url_to_unixtime
https://github.com/Kicksecure/bootclockrandomization/tree/master/etc/apparmor.d/bootclockrandomization
https://github.com/Kicksecure/helper-scripts/tree/master/etc/apparmor.d/usr.bin.tor-circuit-established-check
https://github.com/Kicksecure/helper-scripts/tree/master/etc/apparmor.d/abstractions/tor-circuit-established-check
https://github.com/Kicksecure/apparmor-profile-dist/tree/master/etc/apparmor.d/tunables/home.d/anondist
https://github.com/Kicksecure/apparmor-profile-dist/tree/master/etc/apparmor.d/tunables/home.d/live-mode
https://github.com/Kicksecure/apparmor-profile-dist/tree/master/etc/apparmor.d/tunables/home.d/qubes-whonix-anondist
https://github.com/Kicksecure/apparmor-profile-dist/blob/master/etc/apparmor.d/abstractions/base.d/kicksecure
https://github.com/Kicksecure/security-misc/tree/master/etc/apparmor.d/tunables/home.d/security-misc
https://github.com/Kicksecure/systemcheck/tree/master/etc/apparmor.d/usr.libexec.systemcheck.canary
https://github.com/Kicksecure/systemcheck/tree/master/etc/apparmor.d/usr.bin.systemcheck
https://github.com/Kicksecure/timesanitycheck/tree/master/etc/apparmor.d/usr.bin.timesanitycheck
https://github.com/Kicksecure/timesanitycheck/tree/master/etc/apparmor.d/abstractions/timesanitycheck
https://github.com/Kicksecure/sandbox-app-launcher/tree/master/etc/apparmor.d/sandbox-app-launcher
https://github.com/Kicksecure/sandbox-app-launcher/tree/master/etc/apparmor.d/abstractions/sandbox-app-launcher
https://github.com/Kicksecure/apparmor-profile-thunderbird/tree/master/etc/apparmor.d/local/usr.bin.thunderbird
https://github.com/Kicksecure/apparmor-profile-torbrowser/tree/master/etc/apparmor.d/home.tor-browser.firefox
https://github.com/Kicksecure/apparmor-profile-hexchat/tree/master/etc/apparmor.d/usr.bin.hexchat