Experiences with various mandatory access control systems

Discussion in 'all things UNIX' started by Gullible Jones, Sep 18, 2011.

Thread Status:
Not open for further replies.
  1. Lately I've been taking a look at MAC systems for Linux. Firefox with NoScript is all well and good, but it won't protect you from getting compromised through Skype or IM, or if a trusted website gets hacked... And with Linux getting more popular I think this stuff bears thinking about.

    So far I've tried out two, AppArmor and Tomoyo 2. Both of them work very much like Geswall on Windows. The following is just my experience with them and some opinions on their usability. I am not a security expert, so I won't criticize their security, which I didn't do any tests of.

    AppArmor

    Tried on Bodhi Linux (i.e. Ubuntu).

    Procedure: run 'aa-genprof firefox' as root. Start Firefox 6.0.2. Do stuff with Firefox. Type 'a' for 'allow' a bunch of times. Close Firefox, save profile, and restart Firefox to see what happens.

    Results: Firefox crashes on start, no matter what I do when profiling. It seems that AppArmor isn't getting that Firefox needs access to stuff in /tmp, for some reason. Midori has the same issue.

    Further results: the default usr.bin.firefox profile, while designed for Firefox 3.6, worked fine with 6.0.2. Groovy.

    Conclusion: AppArmor seems to have some problems with generating profiles easily... Maybe because it's a bit paranoid? I don't know. OTOH the default profiles that ship with Ubuntu seem to work okay. I'll mess around with it some more and see where I get.

    Tomoyo 2

    Tried on Debian 6.

    Procedure: Run Firefox 3.5. Run tomoyo-editpolicy, set Firefox's profile level to 1 (learning). Do stuff in Firefox. Set Firefox's profile level to 3 (enforcing). Do more stuff in Firefox.

    Results: After the first time I set Firefox to enforcing mode, Firefox stopped rendering JavaScript and CSS stuff. This was a result of the MAC system functioning properly - resetting the profile level to 1 and playing a video on YouTube, followed by resetting the level to 3, resulted in Firefox working just fine. So as a bonus, I know Tomoyo 2 actually does something.

    Further results: I also tried sandboxing Skype. This time I briefly set Skype to level 2 (complaining). No complaints were issued when I started it from a terminal. :) On setting Skype to level 3 everything still seemed to work perfectly well.

    Conclusion: Tomoyo 2 is quite good at automatic profile generation. However, the developers say it's a lot more primitive right now than version 1, and provides less protection; so the ease of use could have something to do with it not being that effective. Still, I wonder if it might be good as the default MAC framework for a desktop distro. It's certainly very easy to use, assuming I read the instructions right. ;)

    Further thoughts

    - I wonder if either of the above frameworks could be ported to Windows. Particularly to XP, which is still very popular. That would be interesting.

    (I did hear that the original developer of AppArmor is now with Microsoft, but I really don't expect them to backport any MAC systems to XP...)

    - I haven't tried SELinux yet. Does it support this kind of profile generation? I know that's not really in the full paranoid spirit of SELinux, but it would be pretty cool.
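
As an added example (not part of the original post): when a generated AppArmor profile makes a program crash on start, the `apparmor="DENIED"` records in the kernel or audit log show which paths the profile refused. The sketch below groups those records per profile and prints candidate file rules to review by hand; the sample log lines, the profile names and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the post), in the key="value"
# format AppArmor uses when it logs a denial through the audit subsystem.
SAMPLE_LOG = """\
type=1400 audit(1316361600.101:21): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/tmp/plugtmp/cache.dat" pid=2301 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=1400 audit(1316361600.140:22): apparmor="DENIED" operation="mknod" profile="/usr/bin/firefox" name="/tmp/plugtmp/cache.dat" pid=2301 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=1400 audit(1316361601.007:23): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/tmp/firefox-session.lock" pid=2301 comm="firefox" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=1400 audit(1316361601.500:24): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/home/user/.mozilla/prefs.js" pid=2301 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=1400 audit(1316361602.222:25): apparmor="DENIED" operation="open" profile="/usr/bin/midori" name="/tmp/midori.sock" pid=2410 comm="midori" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
type=1300 audit(1316361603.000:26): syscall=2 success=no comm="firefox"
"""

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Mask letters that only appear in logs (create, delete) map to "w" in a rule.
TO_RULE = {"c": "w", "d": "w"}


def denials(log_text):
    """Yield one field dict per DENIED record; complain-mode and other lines are skipped."""
    for line in log_text.splitlines():
        fields = {k: quoted if quoted else bare for k, quoted, bare in PAIR.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            yield fields


def denied_paths(log_text):
    """Return {profile: {path: permission letters}} merged over all denials."""
    acc = defaultdict(lambda: defaultdict(set))
    for f in denials(log_text):
        mask = f.get("denied_mask", "").replace(":", "")  # older kernels log "r::"
        acc[f["profile"]][f["name"]].update(TO_RULE.get(c, c) for c in mask)
    return {prof: {name: "".join(sorted(perms)) for name, perms in paths.items()}
            for prof, paths in acc.items()}


def candidate_rules(log_text, profile):
    """Candidate file rules for one profile, to be reviewed rather than pasted in blindly."""
    paths = denied_paths(log_text).get(profile, {})
    return [f"{name} {perms}," for name, perms in sorted(paths.items())]


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG, "/usr/bin/firefox"):
        print(rule)
```
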
     