I decided to harden security on my primary workstation a bit. Before, I used to use firejail for certain less trusted apps (all apps with internet access), but it's kind of a toy. It didn't work really well for me. So I tried to read about the real tools, which are SELinux and AppArmor.

Whereas, let's say, I get how it might be beneficial for a server (it runs just a few, well-known apps with well-known profiles; you need to enable the profile and it works. Cool.), I completely don't see how it's supposed to work for a workstation or desktop. I'm not sure if it's true or I'm missing something, but if I understood correctly, both AppArmor and SELinux require profiles to secure apps. And those profiles need to be pre-prepared. By someone. For every app.

Okay, so I'm using OpenSUSE on my workstation. It runs a lot of apps, so I chose to install the full DVD. It's around 16 GB of software out of the box. As I'm also using it for web development, I additionally installed a dozen web browsers etc., Flash Player, so on, so on.

lapsio@linux-6o92 ~> ll /usr/bin/ | grep -vc "^l"
4225
lapsio@linux-6o92 ~> ls /etc/apparmor.d/ | wc -l
46

Of course not every app in /usr/bin is a full standalone application, but let's even say there are around 100-300 big, potentially vulnerable and dangerous apps, because that includes pretty much every single app that operates on files from some untrusted place: images may use exploits in libmagic, documents some macros, SVG files with JavaScript; even Blender allows running Python scripts embedded in a 3D file; of course all browsers, all apps with any web capabilities, so on, so on. So out of those 300 apps... in the AppArmor rules I see maybe 5 that actually belong to the list of those big vulnerable apps.

The point is: it's pretty much impossible to create a profile for every single app in the OS. The blacklist approach is pretty much always bad when we talk about security. So is there any whitelist solution? I'm not saying that Android is super secure, but on the other hand it seems to really separate all apps from each other.

The ideal solution would be to allow every app by default to access only its own files (determined by the package manager) and no internet access, then to give explicit permission to any other path or internet access just to certain apps. While the second goal can be easily achieved by appropriate iptables rules, the first one sounds like something that should be achieved by SELinux or AppArmor. But I don't see how.

Lapsio

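As an added example (not code from the question or the answer), here is one way to get the "only its own files, no network" default the question describes with AppArmor: derive the allowed file set from the package manager and deny everything else. It assumes the file list comes from "rpm -ql <package>" on openSUSE, that the binary path and a readable data directory under $HOME are chosen by hand, and it uses a constructed sample package named "viewer".

```shell
#!/bin/sh
# Added example, not code from the question or answer: build a deny-by-default
# AppArmor profile for one binary from the list of files its package owns.
# Assumptions: the list comes from "rpm -ql <package>" on openSUSE (any path
# list on stdin works); BINARY and the readable DATADIR under $HOME are chosen
# by hand; the sample package below is constructed for illustration.

# gen_profile BINARY DATADIR   (package file list on stdin, one path per line)
gen_profile() {
    bin="$1"; datadir="$2"; cfg="$(basename "$bin")"
    printf '# Read-only access to files owned by the package, the users %s,\n' "$datadir"
    printf '# own config dir read-write, no network. Everything else is denied.\n'
    printf '%s {\n' "$bin"
    printf '  #include <abstractions/base>\n'   # libc, /proc/self, /dev/null etc.
    printf '  deny network,\n'                  # explicit deny beats any later allow
    printf '  %s mr,\n' "$bin"                  # the binary itself: mmap-exec + read
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        [ "$f" != "$bin" ] || continue
        case "$f" in
            *.so|*.so.*) printf '  %s mr,\n' "$f" ;;       # shared objects
            /usr/share/doc/*|/usr/share/man/*) ;;          # not needed at runtime
            *) printf '  %s r,\n' "$f" ;;
        esac
    done
    printf '  owner @{HOME}/%s/** r,\n' "$datadir"
    printf '  owner @{HOME}/.config/%s/** rw,\n' "$cfg"
    printf '}\n'
    # GUI programs also need e.g. #include <abstractions/X> and <abstractions/fonts>;
    # load with apparmor_parser -r, start in aa-complain mode and refine with aa-logprof.
}

# Constructed stand-in for "rpm -ql viewer" output.
SAMPLE_FILES='/usr/bin/viewer
/usr/lib64/viewer/libdecode.so.1
/usr/share/viewer/icons/app.png
/usr/share/doc/packages/viewer/README'

# Stand-alone run: print the profile that would go to /etc/apparmor.d/usr.bin.viewer
printf '%s\n' "$SAMPLE_FILES" | gen_profile /usr/bin/viewer Pictures
```

Because AppArmor only applies a profile to the paths it names, the one-profile-per-app work the question objects to remains; this script just makes generating the bulk of each profile mechanical.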
1 Answer

I did. You need a plan, and you need to master the tools. You need to be able to compromise where you can and where you have to compromise. You need to work to make it a reality.

Access control is part of the bigger picture. There is trust involved inevitably. Knowledge about your environment and threats. Trade-offs. Common sense, a healthy dose of paranoia. Basically awareness in general.

But on a more practical note: it starts by only installing what you need. The more you have, the more that can break. So you do not have to target every process imaginable. You target what you have to target to get the job done.

This is the security policy that I currently use. It is tailored to my environment and to my requirements. It has trade-offs, compromises. Because without that it wouldn't be possible. Security is never absolute, but you can make the best of it, and that should be the goal.

Need inspiration?

This is DSSP, my personal SELinux security policy:

https://github.com/DefenSec/dssp

  • Well, whitelists are just always easier to deal with. You don't need to know the threat when you use a whitelist. If something doesn't work, it means you screwed up and you need to tune. When using blacklists there's no indication that something is wrong. Or if there is, it's probably too late. Like I said, I used to run browsers in firejail. Now I'm honestly considering cutting the computer off from the internet at the firewall altogether and building a separate LiveCD machine just for the internet. But still there are some offline threats. I'm using too much software to know all of it in depth. I need to 'block all'. – Lapsio Dec 13 '16 at 20:29
  • 1
    SELinux is a "deny" by default framework. So one essentially does whitelist. However it is not as black and white. In DSSP it boils down to this: with the exception of coreutilities, nothing will work. Simply because the shell has too little permissions to run anything that needs significant permission. A program needs network access and it is not targeted? It won't be able to run. – dac.override Dec 13 '16 at 21:48
  • That sounds like what I was looking for. A bit sad that configuration is so complex, but tbh, considering my tangled storage structure, inode tracking is much more reliable for me than paths and a significant advantage, so I guess I'd need to go with SEL at some point anyway. At least I can start learning early :D – Lapsio Dec 14 '16 at 06:31
  • The flexibility, customizability (which could, but does not have to, result in complexity) is actually what makes this possible. We are talking about complex systems. Linux itself is complex, and then we also often have a complex desktop environment layer sitting between the system and the user shell. Computer systems are complex, SELinux is not complex, SELinux is flexible. – dac.override Dec 14 '16 at 11:26
  • You should probably explain the fact that SELinux does not confine X11 applications, which makes it largely useless for many workstation applications. – forest Dec 11 '17 at 05:56