review apparmor profiles by Kicksecure / Whonix

adrelanos commented 9 months ago

As mentioned in https://github.com/roddhjav/apparmor.d/issues/250

Not sure how useful it is to create such a list. Links might change over the years (do to file name changes, removed profiles, added profiles).

Might be more useful within derivative-maker source code folder to run something like this:

find . -type f -not -iwholename '*.git*' | grep apparmor.d

Here is the list:

adrelanos commented 9 months ago

Most of these profiles were developed outside the full apparmor profile threat model, i.e. with the classic per-application viewpoint.

https://github.com/Whonix/whonix-firewall/tree/master/etc/apparmor.d/whonix-firewall https://github.com/Whonix/whonix-firewall/tree/master/etc/apparmor.d/abstractions/whonix-firewall

This actually was only added towards full apparmor profile. Otherwise very low attack surface and not something that normally would be apparmor confined.

https://github.com/Whonix/anon-gw-anonymizer-config/tree/master/etc/apparmor.d/local/system_tor.anondist > https://github.com/Whonix/anon-gw-anonymizer-config/tree/master/etc/apparmor.d/local/usr.bin.obfsproxy.anondist

Not sure what should happen with these. Ideally upstreamed but not easy for me.

https://github.com/Whonix/onion-grater/tree/master/etc/apparmor.d/usr.lib.onion-grater

This actually has relevant attack surface and is important.

https://github.com/Whonix/kloak/tree/master/etc/apparmor.d/usr.sbin.kloak

Not sure how kloak could be attacked (locally running only reacting on keyboard press) so not one of the most important profiles.

https://github.com/Kicksecure/sdwdate/tree/master/etc/apparmor.d/usr.bin.sdwdate https://github.com/Kicksecure/sdwdate/tree/master/etc/apparmor.d/usr.bin.url_to_unixtime https://github.com/Kicksecure/sdwdate/tree/master/etc/apparmor.d/abstractions/url_to_unixtime

Relevant attack surface.

https://github.com/Kicksecure/bootclockrandomization/tree/master/etc/apparmor.d/bootclockrandomization https://github.com/Kicksecure/helper-scripts/tree/master/etc/apparmor.d/usr.bin.tor-circuit-established-check https://github.com/Kicksecure/helper-scripts/tree/master/etc/apparmor.d/abstractions/tor-circuit-established-check

Only for full apparmor profile threat model.

https://github.com/Kicksecure/apparmor-profile-dist/tree/master/etc/apparmor.d/tunables/home.d/anondist

Maybe should be moved to the uwt package?

https://github.com/Kicksecure/apparmor-profile-dist/tree/master/etc/apparmor.d/tunables/home.d/live-mode

Maybe should be moved to the grub-live package?

https://github.com/Kicksecure/apparmor-profile-dist/tree/master/etc/apparmor.d/tunables/home.d/qubes-whonix-anondist

Maybe should be moved to the qubes-whonix package?

https://github.com/Kicksecure/apparmor-profile-dist/blob/master/etc/apparmor.d/abstractions/base.d/kicksecure

These probably all should be moved to their respective packages now that AppArmor base.d is supported?

If all done, then apparmor-profile-dist would be no longer needed.

https://github.com/Kicksecure/security-misc/tree/master/etc/apparmor.d/tunables/home.d/security-misc

Probably ok as is.

https://github.com/Kicksecure/systemcheck/tree/master/etc/apparmor.d/usr.libexec.systemcheck.canary

Low but relevant attack surface.

https://github.com/Kicksecure/systemcheck/tree/master/etc/apparmor.d/usr.bin.systemcheck

Probably low attack surface. It uses

include <abstractions/totem>

which is inappropriate as this gives too much permissions. Probably added by mistake by using sudo aa-logprof.

https://github.com/Kicksecure/timesanitycheck/tree/master/etc/apparmor.d/usr.bin.timesanitycheck https://github.com/Kicksecure/timesanitycheck/tree/master/etc/apparmor.d/abstractions/timesanitycheck

Only for full apparmor profile threat model.

https://github.com/Kicksecure/sandbox-app-launcher/tree/master/etc/apparmor.d/sandbox-app-launcher https://github.com/Kicksecure/sandbox-app-launcher/tree/master/etc/apparmor.d/abstractions/sandbox-app-launcher

Not sure. Development stalled.

https://github.com/Kicksecure/apparmor-profile-thunderbird/tree/master/etc/apparmor.d/local/usr.bin.thunderbird

Mostly Qubes specific additions. Not sure how to best handle this.

https://github.com/Kicksecure/apparmor-profile-torbrowser/tree/master/etc/apparmor.d/home.tor-browser.firefox

Most important profile for Whonix. Supports the browser component only. Not the full TBB package (Tor component of the bundle). Profile might be more hardened than other Tor Browser AppArmor profiles.

Dunno if it is suitable to be upstreamed somewhere.

https://github.com/Kicksecure/apparmor-profile-hexchat/tree/master/etc/apparmor.d/usr.bin.hexchat

Also important for users for hexchat. This would be great if it could be upstreamed to apparmor.d, Debian or hexchat upstream.

A lot profiles were initially contribute. Once/if contributors are MIA, it's hard for me to maintain / harden these profiles. I therefore focused on profiles with most attack surface under the classic per-application threat model.

roddhjav commented 9 months ago

Thanks for the sum up profile to review/update. I will test them, but after the full system policy is setup, and once I get some time for it (so probably not before 2024).

I had a quick look at the profiles and some notes went to my mind:

Most of the content from https://github.com/Kicksecure/apparmor-profile-dist/blob/master/etc/apparmor.d/abstractions/base.d/kicksecure should probably not be in a base profile, but moved in the few profiles that need it.
Most of the profile seems to have old structure (no profile name, no abi definition, former filename scheme (usr.bin.timesanitycheck instead of timesanitycheck)...). Do you mind if I update this?
Once apparmor.d is used, I could use additional variables & abstraction in these profile. This would mean that apparmor.d would become a dep of these pakages (as they already have apparmor-profiles as dep). Is it fine with you?

adrelanos commented 9 months ago

I had a quick look at the profiles and some note went to my mind:

Most of the content from https://github.com/Kicksecure/apparmor-profile-dist/blob/master/etc/apparmor.d/abstractions/base.d/kicksecure should probably not be in a base profile, but moved in the few profiles that need it.

Yes.

Most of the profile seems to have old structure (no profile name, no abi definition, former filename scheme (usr.bin.timesanitycheck instead of timesanitycheck)...). Do you mind if I update this?

Sure thing. Happy if these are brought up to modern standards.

Once apparmor.d is used, I could use additional variables & abstraction in these profile. This would mean that apparmor.d would become a dep of these pakages (as they already have apparmor-profiles as dep). Is is fine with you?

If apparmor.d is stable enough, sure. Not a problem.

An alternative would be (not required for Kicksecure necessarily) for wider compatibly to have separate packages for abstractions and profiles. Dunno if there are other cases where this would help.

roddhjav commented 9 months ago

An alternative would be (not required for Kicksecure necessarily) for wider compatibly to have separate packages for abstractions and profiles. Dunno if there are other cases where this would help.

These additional variables & abstraction are actually being upstreamed, so at some point they will be available for everyone.

monsieuremre commented 9 months ago

@adrelanos the .deb package produced with the 'whonix' make target also has to be tested. Especially on Qubes Whonix probably. If something breaks, we should open pulls here to add the necessary profiles to unbreak Whonix/Qubes.

I did some testing for Kicksecure alone, and it works. For Qubes unfortunately I am in no position to do testing.

But yes. Also there should be roadmap to provide the whonix target as a package under the kicksecure repositories. Not requiring testers to manually build the package is a net positive that would make it easier to test.

adrelanos commented 9 months ago

Big task. Separate ticket would be better.

monsieuremre commented 9 months ago

I think this might require more than just a ticket. And I am not sure this would be the place to open that ticket. Pujol won't do the packaging for kicksecure. Kicksecure will on its own package the whonix deb target and distribute it on its repo. I don't know where would be the appropriate place for issues relating to kicksecure packaging.

adrelanos commented 9 months ago

That would be the Kicksecure forums.

roddhjav commented 9 months ago

You might want to have a look at the whonix group, there is a brand new torbrowser profile. For now it has some new or newly rewritten profile that aim to be moved in Kicksecure repo.

Side node, I have tested apparmor.d on whonix. It works fine, but there are a few concern:

The base addition breaks the compilation of the profile: there are conflict between the rules in this project and the rix rule in the abstraction. They will have to be (carefully) removed.
Compiling the profiles on the Whonix vm is very slow (yes, I added a lot of vCPU).

monsieuremre commented 9 months ago

Hey this is very very good. I see massive improvements over the tor browser profile in whonix. I know I'm not the target of this post but I would still like to ask: why do you think the compilation is particularly slow on whonix? Do you think it is related to whonix itself or rather virtual box? I think it is likely the second one, because a kicksecure debian has no problems on kvm.

The base addition breaks the compilation of the profile: there are conflict between the rules in this project and the rix rule in the abstraction. They will have to be (carefully) removed.

This can also be solved if whonix just makes its own abstraction and imports it after migrating the porblematic lines to it instead of extending the base. But I think your approach is essential for better integration between the two projects. Especially when considering the possibility of whonix directly providing this project in its repos.

For now it has some new or newly rewritten profile that aim to be moved in Kicksecure repo.

I don't know if @adrelanos is open to this yet but I have to say I'm really excited and this would also help apparmor.d be tested on a broader level.

roddhjav commented 9 months ago

Yes, the current base abstraction issue will get fixed with a better integration. Furthermore, I think none of the rule in this file should be in the base abstraction at all.

Do you think it is related to whonix itself or rather virtual box? I think it is likely the second one, because a kicksecure debian has no problems on kvm.

I use KVM, so it is definitely not virtualbox. I commented most grub hardening settings from security-misc and edit some setting in the KVM VM (under <clock> and <features>). It helped, but is stays slower than a VM on Debian. It might a security feature, so it is not a big deal, as long as there is a dev mode that speed it up.

adrelanos commented 7 months ago

I don't know if @adrelanos is open to this yet but I have to say I'm really excited and this would also help apparmor.d be tested on a broader level.

Yes.

First step I want to go for is support sudo apt install apparmor.d from within Kicksecure, Whonix. For that, I need to learn how to build apparmor.d, integrate it into derivative-maker, which I didn't find time for yet.

Side node, I have tested apparmor.d on whonix. It works fine, but there are a few concern:

The base addition breaks the compilation of the profile: there are conflict between the rules in this project and the rix rule in the abstraction. They will have to be (carefully) removed.

Yes. That's for sure. /etc/apparmor.d/abstractions/base.d/kicksecure is totally awful and needs to be gone. Help welcome.

monsieuremre commented 7 months ago

@roddhjav 's own profiles for whonix are much more restricted and fine-grained. Some profiles are still missing here in the project, like kloak. I think having the missing one's also here in apparmor.d will simplify the burden of maintenance. All profiles in one place. Kicksecure won't need to deal with abstractions and compatibility in that case, it will just package this repo and everything will be good. That wouldn't be a terrible idea IMO.

roddhjav commented 7 months ago

First step I want to go for is support sudo apt install apparmor.d from within Kicksecure, Whonix. For that, I need to learn how to build apparmor.d, integrate it into derivative-maker, which I didn't find time for yet.

Once you installed the deps, it should be as simple as (See dists/build.sh) :

dch --newversion="$VERSION-1" --urgency=medium --distribution=stable --controlmaint "Release $VERSION-1"
dpkg-buildpackage -b -d --no-sign

To force the build for Whonix (useful if you are building from a debian box), you may want to export the env: export DISTRIBUTION=whonix

Fell free to propose improvement of the current debian packaging :)

Also: when testing, you need to remove /etc/apparmor.d/abstractions/base.d/kicksecure, otherwise the profiles will not compile.

I think having the missing one's also here in apparmor.d will simplify the burden of maintenance.

As they are pretty much a WIP, and as they are still going to change quite a lot, and as they are expected to work together is way easier to have a central repository for all profiles. However, once they are more stable this repo does not have to be apparmor.d. I mean, whonix could maintain it own mono repo for whonix specific profile.

roddhjav commented 5 months ago

Whonix is now fully functionally under apparmor.d. I have also added support for xfce such as all long running desktop processes should be confined too. New whonix specific profiles are available in the whonix group. Later we could move them under a Kicksecure project.

To install apparmor.d in Whonix, you need first to remove apparmor-profiles-extra as it fully conflict with it:

sudo dpkg -P --force-depends apparmor-profiles-extra

Other smaller conflicts are handled with debian/apparmor.d.hide. See: https://github.com/roddhjav/apparmor.d/blob/4a27c92d53f58e2df9cc6cb99bef0837b26909a3/pkg/prebuild/prebuild.go#L41-L51

Note: if apparmor.d is ready for whonix, please do not ship it with FSP enabled for now. Let's move step by step here.

adrelanos commented 4 months ago

The reason, blocker why I haven't progressed with apparmor.d for Kicksecure, Whonix yet is this:

I've always been careful about dependency security / supply chain attacks but especially in light of the recent xz backdoor this seems too risky.

roddhjav commented 4 months ago

Yea, that's a pity. Ideally the only missing dep should be updated on debian salsa. Meanwhile, I can include it in the repo, so it would solve the issue.

adrelanos commented 4 months ago

Yes. That would be good.

monsieuremre commented 4 months ago

These profiles are very well written and fine-grained, leages ahead of what whonix has now as default. Hope any blockers get resolved.

roddhjav / apparmor.d

review apparmor profiles by Kicksecure / Whonix #251