Open Besanon opened 4 weeks ago
Thanks for your PR.
It will take a bit of time, as I need to setup a new set of test VM for lxqt. But as it looks similar to xfce it should be easy enough. For some context what distribution are you using?
I will also give a quick overview of your profiles and ask for some initial changes. To sum up what I have seen so far you need to:
- Ensure you respect the profile guidelines on all your profiles
- Some accesses need to be restricted. For example:
  - allowing /tmp/** is generally useless and an open door for an attacker to leak outside the confinement
  - Never use @{HOME}/** rw or user-write but user-write-strict
  - @{sys}/devices/@{pci_bus}/**/**/** they can be restricted a lot.
- You need to use the dbus base abstraction (see https://apparmor.pujol.io/development/dbus/#base) instead of the upstream one
- You always get a few various spaces between the rule and the access (eg: /usr/share/qt{5,6}/ r,), it gets hard to read, please remove them.
- <abstractions/video> is needed as much as you use it in these profiles.
- All profiles need to end with the following rule: include if exists <local/-profile-name->
Regarding runit profiles I have some doubts. As the init system is closely related to the rest of the system, adding support for another one is a lot of work and I simply don't have the resources for it.
Hello Alex,
I am using Archlinux 6/2024 Image and Void Linux. I will have a look at all your replies and add/alter the statements, haven't followed all rules so far. The confinement isn't this close, I agree, although the processes except runit-init are indeed already confined. Yes, you have to rebuild a lot. Runit is a very condensed init system and it took me several days to construct the few profiles to work with all the others, including some hundred from you. The statements are different if you choose sddm or just use dbus-run-session to start the desktop. The confinement of a whole init system is perhaps a bit too much for me, but step by step will do a good work over time.
Today I have read about your advice not to confine some basic programs; we should use toolbx instead. Sadly... toolbx depends on systemd(!) Is there any alternative to be used on non-systemd environments? Would be great to have another software for these other init environments. Well, most of the differences regarding the init systems are in the dbus and init programs handling of the Desktop. The session profiles have to be altered. But that's it. Everything else in your profiles is by far (>95%) working. A severe difference is udiskd which works enforced in Arch but not in Void. I think I will open up another repository which will offer only all profiles which have to be different from your collection to run ALL profiles in the runit init context (so far about 700...750 profiles are running).
Thank you very much for your attention and comments! It will be very useful even for the profiles which will be used in another init context!
Regards
Hello Alex,
there are two points I noticed right from the start in the Arch Linux (hardened kernel) setup:
dbus wants to exec dbus-update-activation-environment
sddm-greeter wants to receive signal from sddm
Regards
Good Morning,
the falkon and elogind profiles are adapted.
I have added the formal statements for the other profiles lxqt* and added some more relevant profiles. As far as I can see, there are issues with dbus-update-activation in startlxqt and lxqt-notificationd. All other profiles run without issues after the adaptation of the include statements. aa-log.txt is the result when running everything in complain mode. aa-log2.txt is the result when disabling lxqt-notificationd. aa-log3.txt is the result when disabling startlxqt (successful login possible). Continue testing...
Regards,
Am 06.06.2024 um 12:44, Alex @.***> schrieb:
@roddhjav commented on this pull request. In apparmor.d/groups/lxqt/lxqt-session:> + dbus receive+ bus=session+ path="/org/freedesktop/Notifications"+ interface="org.freedesktop.DBus.Introspectable"+ peer=(name=":[0-9].[0-9]"),+ dbus send+ bus=session+ path="/org/freedesktop/Notifications"+ interface="org.freedesktop.Notifications"+ peer=(name="org.freedesktop.DBus"),+ dbus receive+ bus=session+ path="/org/freedesktop/Notifications"+ interface="org.freedesktop.Notifications"+ peer=(name=":[0-9].[0-9]"), Forgot to add the comment, it should be: #aa:dbus own bus=session name=org.freedesktop.Notifications
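Review bot: the peer glob `:[0-9].[0-9]` in both `dbus receive` rules only matches unique bus names whose two components are single digits, such as `:1.5`, because `[0-9]` matches exactly one character in AppArmor globbing; a client connected as `:1.42` would not match and its notification calls would be denied. Either widen the unique-name pattern (for example `:*`) or, as the review comment already says, drop the three hand-written rules in favour of `#aa:dbus own bus=session name=org.freedesktop.Notifications`, which covers the owner side of that well-known name without hand-maintained peer patterns.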
ALLOWED auditd capable info="optional: no audit" comm=auditd error=-1 capname=fowner capability=3
ALLOWED xorg capable info="optional: no audit" comm=Xorg capname=fowner error=-1 capability=3
ALLOWED unix-chkpwd file_mmap owner info="Failed name lookup - disconnected path" comm=unix_chkpwd requested_mask=r denied_mask=r error=-13
ALLOWED sddm//systemctl file_inherit owner @{user_share_dirs}/sddm/xorg-session.log comm=systemctl requested_mask=w denied_mask=w
ALLOWED lxqt-notificationd file_receive run/systemd/inhibit/2.ref info="Failed name lookup - disconnected path" comm=QDBusConnection requested_mask=w denied_mask=w error=-13
ALLOWED auditd capable info="optional: no audit" comm=auditd error=-1 capability=3 capname=fowner
ALLOWED xorg capable info="optional: no audit" comm=Xorg error=-1 capability=3 capname=fowner
ALLOWED unix-chkpwd file_mmap owner info="Failed name lookup - disconnected path" comm=unix_chkpwd requested_mask=r denied_mask=r error=-13
ALLOWED sddm//systemctl file_inherit owner @{user_share_dirs}/sddm/xorg-session.log comm=systemctl requested_mask=w denied_mask=w
ALLOWED sddm exec @{bin}/dbus-update-activation-environment -> sddm//null-@{bin}/dbus-update-activation-environment comm=bash requested_mask=x denied_mask=x
ALLOWED sddm//null-@{bin}/dbus-update-activation-environment file_inherit owner @{user_share_dirs}/sddm/xorg-session.log comm=dbus-update-act requested_mask=w denied_mask=w
ALLOWED sddm//null-@{bin}/dbus-update-activation-environment file_mmap @{bin}/dbus-update-activation-environment comm=dbus-update-act requested_mask=r denied_mask=r
ALLOWED startlxqt exec @{bin}/lxqt-session -> @{bin}/lxqt-session info="profile transition not found" comm=startlxqt requested_mask=x denied_mask=x error=-13
ALLOWED sddm-greeter signal comm=sddm-helper requested_mask=receive denied_mask=receive signal=term peer=sddm
ALLOWED auditd capable info="optional: no audit" comm=auditd error=-1 capability=3 capname=fowner
ALLOWED xorg capable info="optional: no audit" comm=Xorg error=-1 capability=3 capname=fowner
ALLOWED unix-chkpwd file_mmap owner info="Failed name lookup - disconnected path" comm=unix_chkpwd requested_mask=r denied_mask=r error=-13
ALLOWED sddm//systemctl file_inherit owner @{user_share_dirs}/sddm/xorg-session.log comm=systemctl requested_mask=w denied_mask=w
ALLOWED sddm exec @{bin}/dbus-update-activation-environment -> sddm//null-@{bin}/dbus-update-activation-environment comm=bash requested_mask=x denied_mask=x
ALLOWED sddm//null-@{bin}/dbus-update-activation-environment file_inherit owner @{user_share_dirs}/sddm/xorg-session.log comm=dbus-update-act requested_mask=w denied_mask=w
ALLOWED sddm//null-@{bin}/dbus-update-activation-environment file_mmap @{bin}/dbus-update-activation-environment comm=dbus-update-act requested_mask=r denied_mask=r
ALLOWED geoclue file_inherit owner @{user_share_dirs}/sddm/xorg-session.log comm=agent requested_mask=w denied_mask=w
ALLOWED dbus-accessibility open owner /tmp/xauth_jcSShq comm=at-spi-bus-laun requested_mask=r denied_mask=r
ALLOWED xfs_spaceman capable comm=xfs_spaceman capability=2 capname=dac_read_search
Hi,
you put the activated processes here; runsv will not claim any more. Simple, but you have to track this. I will put a comment in this profile to explain this.
Am 07.06.2024 um 13:52, Alex @.***> schrieb:
@roddhjav commented on this pull request. In apparmor.d/groups/runit/runsv:> + @{bin}/sv rPx,+ @{bin}/vlogger rPx,+ @{bin}/udevadm rCx -> udevadm, + @{bin}/tlp rPx,+ @{bin}/readlink rix,+ @{bin}/ethtool rix,+ @{bin}/agetty rPx,+ @{bin}/id rPx,+ @{bin}/rsyslogd rPx,+ @{bin}/iw rPx,+ @{bin}/cupsd rPx,+ @{bin}/dhcpcd rPx,+ @{bin}/udevd rPx,+ @{bin}/dbus-daemon rPx,+ @{bin}/auditd rPx,+ @{bin}/chronyd rPx,+ @{bin}/NetworkManager rPx,+ @{bin}/mount rPx,+ @{bin}/sddm rPx,+ @{bin}/pause rix,+ @{bin}/install rix,+ @{bin}/chpst rPx,+ @{bin}/mkdir rix,+ @{bin}/mktemp rix,+ @{bin}/dbus-send rix, # alt: rix+ @{bin}/utmpset rix, # alt: rix+ @{lib}exec/elogind/elogind rPx,+ @{lib}exec/elogind/elogind.wrapper rPx, # alt: rix+ @{bin}/bash rPx, # alt: rix+ @{bin}/tr rPx, # alt:rix+ @{bin}/rm rix,+ @{bin}/touch rix,+ @{bin}/flock rix,+ @{bin}/cat rix,+ @{bin}/grep rPx, # alt:rix+ @{bin}/mountpoint rix,+ @{bin}/systemctl rCx -> systemctl, I don't know runit. Therefore I can't say which process is doing what. But looking at this list, to me it looks like the list of services started by your system.
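Review bot: the rules `@{bin}/bash rPx, # alt: rix`, `@{bin}/tr rPx, # alt:rix` and `@{bin}/grep rPx, # alt:rix` leave the real decision in a comment: `rPx` only works when a profile for that binary exists (the aa-log above shows exactly that failure mode for startlxqt, "profile transition not found"), so the profile should ship with the mode that is actually meant to load, and the `# alt: rix` comments on `@{bin}/dbus-send rix,` and `@{bin}/utmpset rix,` repeat the mode already granted and can be dropped. The `# alt:rix` spacing on the `tr` and `grep` lines should also match the `# alt: rix` form used elsewhere in the hunk.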
ok, replaced
Am 07.06.2024 um 13:42, Alex @.***> schrieb:
@roddhjav commented on this pull request. In apparmor.d/groups/browsers/falkon:> + network inet dgram, # essential+ network inet stream, # essential++ network inet6 stream, # Not needed+ network inet6 dgram, # Not needed+ network inet raw, # Not needed+ network inet6 raw, # Not needed+ network netlink raw, # Not needed+ network packet dgram, # Not needed If there are not needed, then do not put them... The following int6 are needed for IPV6: network inet6 dgram, network inet6 stream,
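Review bot: the four rules marked `# Not needed` for raw and packet sockets (`network inet raw,`, `network inet6 raw,`, `network netlink raw,`, `network packet dgram,`) should be removed from the hunk rather than kept with a comment: an allow rule that stays in the profile is granted regardless of the comment, and raw/packet sockets give a browser process far more than it needs for HTTP. Only `network inet6 dgram,` and `network inet6 stream,` should survive next to the inet pair, as the review comment states for IPv6.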
Regarding the restriction I asked you (such as @{sys}/devices/@{pci_bus}/**/**/**, /tmp/** ...) I would encourage you to first fix your abstractions, as a lot of rules are already handled in abstractions such as lxqt, graphics, audio-client, dbus-*, authentication...
> dbus wants to exec dbus-update-activation-environment
What dbus profile? There is no such thing as a dbus profile (see https://apparmor.pujol.io/development/dbus/#profiles).
Usually this is more found as a subprofile, and it is quite common. See for example: https://github.com/roddhjav/apparmor.d/blob/b66274b2ca4a36873cdf9f7ae5f7ef2133e94b9d/apparmor.d/groups/display-manager/x11-xsession#L109
> sddm-greeter wants to receive signal from sddm
This seems normal.
> the falkon profile is adapted.
Some rules seem taken from firefox/chromium whereas falkon does not seem to be based on either of them.
> As far as I can see, there are issues with dbus-update-activation in startlxqt and lxqt-notificationd.
According to your logs, startlxqt and lxqt-notificationd need the attach_disconnected flag.
> Regarding runit profiles I have some doubts. As the init system is closely related to the rest of the system, adding support for another one is a lot of work and I simply don't have the resources for it.
Regarding runit profiles (same for elogind), as I have said, I am not going to merge them.
Also, I would highly recommend you to edit the profiles on your system and to push your changes, and not directly edit the files on GitHub (see "How to contribute" on https://apparmor.pujol.io/development/). It will allow you to add, remove, edit without having to create a commit for every file changed.
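To make the review points concrete (the initial list of changes, and the attach_disconnected note above), here is an added illustrative profile that is not from the PR or from apparmor.d, showing each flagged rule beside its tightened form. It assumes apparmor.d's abstraction and tunable names as cited in the thread (user-write-strict, bus-session as the base dbus abstraction, @{user_config_dirs}, @{int}); @{rand6}, the config file names under lxqt/ and the uevent rule are illustrative assumptions, and lxqt-notificationd is used only as the subject.

```apparmor
# Added example, not the PR's or apparmor.d's own profile.
abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/lxqt-notificationd
# attach_disconnected: the aa-log shows "Failed name lookup - disconnected
# path" for run/systemd/inhibit/2.ref; this flag lets such paths resolve.
profile lxqt-notificationd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  # Project base dbus abstraction instead of upstream dbus-session-strict
  # (assumed name from the thread's "dbus base abstraction" link).
  include <abstractions/bus-session>
  include <abstractions/lxqt>
  include <abstractions/graphics>
  # Before: "@{HOME}/** rw," or user-write.  After: the strict variant.
  include <abstractions/user-write-strict>

  # Before: three hand-written dbus send/receive rules with a
  # ":[0-9].[0-9]" peer glob.  After: the directive the reviewer asked for.
  #aa:dbus own bus=session name=org.freedesktop.Notifications

  @{exec_path} mr,

  # Before: "/usr/share/qt{5,6}/    r,"  (stray spaces before the access)
  /usr/share/qt{5,6}/ r,

  # Before: "@{user_config_dirs}/lxqt/** rw,"  (the whole LXQt config tree)
  # After: only the files this daemon touches (file names assumed).
  owner @{user_config_dirs}/lxqt/notifications.conf rw,
  owner @{user_config_dirs}/lxqt/lxqt.conf r,

  # Before: "/tmp/** rw,"  (any file in /tmp, a path out of confinement)
  # After: the one read the aa-log shows, with @{rand6} assumed for the
  # six random characters of xauth_jcSShq.
  owner /tmp/xauth_@{rand6} r,

  # Before: "@{sys}/devices/@{pci_bus}/**/**/** r,"  (every device node)
  # After: only the attribute actually read (uevent assumed here).
  @{sys}/devices/@{pci_bus}/**/uevent r,

  include if exists <local/lxqt-notificationd>
}
```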
DBUS:
well, I have sent 3 aa-log files with the exact statements I got. sddm, lxqt-session and lxqt-notificationd demanded sometimes
SDDM-Greeter ...complains about this - update of the profile?
I will put the attach_disconnected flag in the respective profiles.
Ok, I am putting elogind in another repository, all well. To my knowledge there is a chromium engine in QtWebkit. I try to restrict the profile more. Sorry for the awkward beginning, it's my first use of GitHub.
Like already said: abstractions and tunables aren't leveraged; /tmp/{,**}, @{sys} and @{user_config_dirs}/lxqt/** access are too broad.
And please edit files of such quantity in batch locally with git commits. Web edits produce too much notification spam.
Good Morning,
I have spent some hours to remove the /tmp{,**}, and yes I tried to get into working with github cli but I didn't succeed so far:
xbps-install -S github-cli
mkdir projekte/Besanon
cd projekte/Besanon
gh repo clone Besanon/apparmor.d
cd apparmor.d
gh repo set-default Besanon/apparmor.d
git checkout -b BesanonLocal
... do some editing in console ...
git commit -a -m "Test"
gh auth login --with-token < /opt/mytoken.txt # mytoken.txt created in github profile
git commit -a -m "Test"
git push origin Besanonlocal -> requests user & pw but didn't accept my credentials (=token???)
Should this be the way to commit changes? It's a very embarrassing description in the GitHub documentation.
Adding the lxqt desktop with related programs and the falkon browser. Add some initial support for runit init system programs.