The easiest way to install and configure AppArmor + grsec in archlinux?

Discussion in 'all things UNIX' started by zorro zorrito, Aug 9, 2016.

  1. zorro zorrito

    zorro zorrito Registered Member

    Joined:
    Feb 19, 2006
    Posts:
    149
    Hi all, I got back to archlinux in my 2 pc's, because in this OS there is not problem to install everything. So that I want to know how to install and configure if necessary AppArmor+grsec. Thanks for your help.
    :)
     
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    Haven't you looked in the Arch wiki? You'll find everything needed therein. :thumb:
     
  3. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,441
    And do you need it? Linux is secure enough without AppArmor.+
     
  4. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,979
    Location:
    Brasil
    Linux is VERY unsecure by default. See this page for what GRSec can protect Linux from.

    AppArmor is very basic and doesn't do much in regards to exploits. I wouldn't even use it.
     
  5. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    I think AppArmor has its place in security, especially with relation to the web browser. Mandatory Access Control should not be seen as a comprehensive security technology, but rather as one piece of the overall security strategy.

    Grsecurity (and the linux kernel devs are starting to bring security to the forefront now) is a great piece to add into a security strategy- good at preventing various exploits of the kernel and processes via memory. A sandbox like firejail can help lock a process down providing ptrace restrictions, a custom filesystem within a chroot container (which grsecurity automatically hardens), etc. AppArmor can provide a means of damage control in case the Firefox process has been exploited (or chromium, etc); assuming grsecurity has protected the kernel from the exploit, Apparmor can then protect one from the exploit getting read/write/execute permissions to various locations on disk directly determined by a policy file (instead of Linux's default discretionary access control [DAC] model).

    AppArmor is a different approach. Linux's default DAC model says that if Firefox is loaded by user Anonfame1, read/write/execute permissions are all determined by what rights that user has in terms of the filesystem. AppArmor instead looks at a policy file, and determines what rights that process has in relation to the filesystem. IMO this is good, but im no security expert and am open to debate.

    OP, take a look at this link: https://www.wilderssecurity.com/threads/arch-apparmor-grsec.387118/
     
  6. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,979
    Location:
    Brasil
    @Anonfame1 That was very informative. Thanks.
     
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    Adding to what @Anonfame1 said, I'd like to mention that Subgraph OS - a distro designed for high security (and privacy) - uses AppArmor in addition to grsecurity. There must be a reason why. I don't think they implemented it just for fun ;)

    Oh, please! Grsecurity offers more security - no doubt about it. But that doesn't mean that the mainline kernel is very unsecure! And Linux is definitely more secure than Windows anyhow. Besides, the Kernel Self-Protection Project is adding more and more security features from grsecurity.

    I think you're making your paranoia the yardstick even for Linux newbies, my friend, with the possible result that they might ultimately shy away from Linux completely. Not good if I may mention it!
     
  8. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    It's interesting that Spengler has commented on Github in a SubgraphOS bug thread. I can't wait till they allow networking without Tor as an option during install and Chromium. Their use of a default grsec kernel and the way they can sandbox everything are a big draw.
     
  9. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,979
    Location:
    Brasil
    I think AppArmor makes it easier to configure certain things. I remember on OpenSUSE being able to harden the OS a bit just by one click of the mouse :D

    That was probably my fault. I mean that, in comparison with a GRSecurity-patched Kernel, the Linux Kernel is very unsecure. And it is, just look at that comparison list :p In addition, you can see that most GRSec patches for the current Kernel are accepted into linux-git. So if Linux is secure, that has a lot to to with GRSec's patches.

    Absolutely.

    My apologies if that's how I looked. You know I can look a bit extreme sometimes :)
     
  10. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    :) I try, but remember I'm no expert...
    Oh I know.. I definitely am looking forward to trying it out as well... Once they give us control of what uses Tor- and hopefully offer a few other options for DEs even if only a window manager- I'll be all over it.
    I agree in that Linux has fundamentally a better security design than Windows likely ever will. But I do think GRsecurity, firejail and a MAC option fill in any security gaps.
    To be fair, I should note that Spengler and others have firmly attacked AppArmor and other MAC options, and it is likely the least powerful MAC option- it has a very specific purpose, and it makes compromises to ease administration. Spengler specifically developed RBAC to address the weaknesses of other MAC options, and it is a pretty sweet piece of kit. Unfortunately, Spengler- and thank the holy penguin for him for sure- nonetheless is a rigid idealist who will not consider comprimises. For example, I dont have time to constantly tweak an RBAC policy every 2 days on a rolling release system since RBAC is system wide (and Arch constantly changes, thus processes constantly need different access points on the filesystem). If he would just create an option to only enforce those apps in the policy file, I would switch tomorrow.

    AppArmor does do its one job well, but it needs help
     
  11. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,979
    Location:
    Brasil
    Regardless of being an expert or not (few here are, and I certainly don't qualify for that :argh:), your writting is done in a very clear form and it's easy to understand. You go directly to the point and in a very logical and explanatory way :D

    That's why I don't use RBAC, it's so much maintenance for me. I'd definitely take a look at AppArmor to help GRSec here on Arch, but I don't have time for that either right now. In fact, I was thinking of going back to Windows again, because I'm so disapointed with how much tinker Linux is for an advanced user. Either that or give up my 3D Designer dream.

    Cheers.
     
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    Yes, it's certainly good what the Kernel Self-Protection Project is doing. Regarding that table: I don't know how up-to-date it is and how much of those features have been implemented in the mainline kernel since. And I don't know the practical relevance of every feature mentioned. What I do know is that Spencer badmouthes anything that is not invented by himself :D

    I know, indeed :D:D:D Peace :thumb::thumb::thumb:
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    I couldn't find it. Can you point me to this thread, please?
     
  14. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,979
    Location:
    Brasil
    With quite some good points, though :argh:

    Cheers mate! :thumb:
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,766
    Location:
    Outer space
    Windows has actually improved a lot with the last few versions. Yes, it doesn't have gpg signed repos, but regarding exploit mitigations it is doing a good job, while on Linux many distro's still fail to enable techniques by default.
    See also slide #30 here:
    https://events.yandex.com/events/ruBSD/2013/talks/103/
     
  16. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    Yup, im sure it has improved on the privacy/anonymity/security front except.. well you know.. anything to do with privacy (telemetry that cannot be turned off without enterprise edition), anonymity (unique advertising IDs pushed), user choice (disabling ad disabling in Home and Pro versions, forced updates), your rights in terms of what your operating system does (strengthening of DRM controls, the focus of the OS on the corporate rights of those services you use), and anything to do with the fact that it lacks a built in concept of ownership (in the sense of Linux's discretionary access control). I think Windows 10 looks like a sweet piece of kit (and I mean that despite my preference for Linux), but at what cost??

    In terms of exploit control, im pretty sure grsecurity/pax/[a MAC option] is more than anything Microsoft even has on the drawing board for Windows. I could be entirely wrong on this, but grsecurity/pax and all the MAC options have been in development for a long time and in cases where used have a demonstrable track record of containing and isolating exploits far better than any Windows box...

    There are many things Windows does better than Linux- not the least of which is the fact its model has developed a significantly more robust proprietary software ecosystem- but citing some link and suggesting it somehow means Windows has trumped in a few releases what Linux has focused on its entire existence seems a bit overly hopeful (seriously, no offense intended). A step in the right direction in terms of security? Sure. A panacea for all of Windows ills, including the aforementioned ones in regards to privacy? Not even close.

    This is all IMHO, YMMV, FWIW and all that jazz...
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,766
    Location:
    Outer space
    I agree with you there, but I was talking about security, not privacy/anonimity/user choice etc. I'm not moving beyond Win7 and am slowly moving away from Windows completely :p
    Linux has some great security options, but that doesn't protect all the average Joe's out there, though the Kernel Self Protection Project is a step in the right direction.
     
  18. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    Well, you've certainly noticed that those slides are from 2013. A lot has changed since then, new and improved explot mitigations technoligies have been implemented in the kernel. Package hardening has also become more important for many distros. And there is seccomp-bpf for which there is no alternative in Windows, AFAIK: When the Chrome sandbox on Windows was hacked in the past this was mostly due to a flaw in the Windows kernel. On Linux this is much harder as seccomp-bpf filters syscalls which in turn diminishes the attack surface of the kernel. Hence, potential security flaws in the kernel are much harder to exploit.

    EDIT: An example of what is not mentioned in those slides (aside from the improvements in the recent kernel versions, of course) is Yama which was introduced some years ago.
     
    Last edited: Aug 13, 2016
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,766
    Location:
    Outer space
    Thanks for the information. I was indeed aware of that, but of course Windows has improved as since then well with Control Flow Guard, Truetype/Opentype font rendering no longer in the kernel etc.

    I'm also wondering if anyone knows if package hardening like PIE, Relro etc still offers any advantage when Grsecurity is being used?
     
Loading...