#1 2011-07-01 12:05:04

iruel
Cherimoya Developer
From: Los Angeles, CA
Registered: 2011-04-24
Posts: 136

Mandatory Access Control (Apparmor, Tomoyo, SELinux) for Chakra Edn

I think it's high time that Chakra get some sort of Mandatory Access Control system (MAC). A MAC system increases security by preventing applications from doing or accessing anything that they were not advertised to need, greatly limiting the damage done by a zero-day exploit, or a backdoor. It would work even if the root user is compromised. Since Chakra grabs the newest programs and updates before they are subject to peer review as high as stable editions, a MAC system would hedge against unseen exploits, backdoors, and security flaws.

Since it's important to me to have something of that sort, I'm going to try and get something working on my own system.

When it comes to MAC, there are 4 major ones:

NOTE: For a better comparison, see this table: http://tomoyo.sourceforge.jp/wiki-e/?WhatIs#comparison

Label-based

SELinux: "All access must be explicitly granted"

The king of MAC, it offers high security conforming to US Department of Defense standards. It is the default on Fedora, Red Hat, and CentOS. Unfortunately, this means that it is probably overkill for desktop users, and even for many administrators. The result of that is greater difficulty, more problems, and a requirement to use only supported filesystems. It seems to be well-supported on Arch, however. https://wiki.archlinux.org/index.php/SELinux

Smack: Seems to be a simplified version of SELinux, although documentation is sparse.

--------------------------------------------------------------------------------------------------------------------------

Profile-based

Apparmor: "only confines processes that the AppArmor policy says it should confine"

Apparmor uses custom "profile" files to define boundaries for each program. The profiles end up being more modular, readable, and redistributable. Profiles can also be installed with the programs. It is the default in Ubuntu and SUSE.

Apparmor ends up being critical for applications such as Firefox (with its huge permissions and security flaws) and Skype (which "phones home" without reason). Unlike other solutions, Apparmor works per-program rather than automatically with each one.

AppArmor, implemented along with Tomoyo Linux ends up being a powerful security solution for MAC. A con is that it may need a bit of work to get it to run well out of the box like in Ubuntu. Specifically, Ubuntu (or Slackware's) Apparmor profile-loading init script needs to be ported.  https://wiki.archlinux.org/index.php/AppArmor

Tomoyo Linux: "All access must be explicitly granted"

Profile-based like Apparmor, it is able to coexist with AppArmor and provide a more customized layer of security. Rather than having prebuilt profiles, Tomoyo Linux learns about the system, requiring programs to declare behaviors and resources required to achieve their purpose. It can double as a system analysis tool. And with a little bit of editing, Tomoyo can restrict programs to doing or using nothing more than their declared resources.

It is already implemented since Linux Kernel 2.6.30 as "Tomoyo Linux 2.x", but this patch lacks some features of the original. The "Tomoyo Linux 1.x" kernel patch can be applied to regain all of those features, or simply installing the program "AKARI" will extend 2.x to regain some of them.

The project is well supported on Arch Linux. https://wiki.archlinux.org/index.php/TOMOYO_Linux

-------------------------------------------------------------------------------------------------

Chroot Sandboxing

Sandfox: Although it's not a MAC control system per se, it acts in the same field: the defense of your system from zero-day exploits, backdoors, and suspicious (non-free) programs. True to its name, it was originally made for Firefox, but can be extended to any program, such as Skype.

It works by defining a chroot's permissions and available resources in an Apparmor-like profile. The program specified then is made a chroot with that profile, and runs entirely from it.

It may be useful to implement Sandfox in Chakra's Bundlesystem, as it also runs on chroots. That way, the bundles can be individually subject to different policies, which would be harder to do in Tomoyo/Apparmor.

Using sandfox requires little more than installing it from AUR here: https://aur.archlinux.org/packages.php?ID=34261, creating and editing its chroot profiles, and just typing "sandfox <command>".

There's more info about that here: https://igurublog.wordpress.com/downloa … t-sandfox/

----------------------------------------------------------------------------------------------------------------------------

For me, MAC is one of the biggest and most important missing features in Chakra (well, Arch too in general). Firefox, Skype, and many other programs can get to be big security liabilities, where they may be used as a gateway to your data by attackers, applications "phoning home" some unknown information, or a bug causing data damage.

With Chakra being a partially rolling-release system, and its retrieval of the newest updates and programs before they are proven to be free of such problems, a MAC system can make up the difference in security and reduce the damage.

Last edited by iruel (2011-07-01 12:06:51)
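The AppArmor section above describes profiles as files that define boundaries per program, and the thread's concern is whether a program such as Firefox needs access to the SSH/GPG keys and wallets sitting in the home folder. What follows is an added example, not code from this thread, from Chakra, or from the AppArmor project: a simplified Python evaluator for AppArmor path rules that compares a loose Firefox profile with a hardened one. The two profile texts, the /home/iruel home directory and the file list are constructed for the example, and the evaluator models only path rules with the deny and owner prefixes, the @{HOME} tunable and the * ** ? globs (#include, capability, network and {a,b} alternation rules are ignored). The two AppArmor behaviours it relies on are real ones: deny rules override allow rules whatever their order, and * stops at a / while ** crosses it.

```python
# Added example: a simplified evaluator for AppArmor path rules. It models
# only 'deny'/'owner' prefixes, the @{HOME} tunable and the globs * ** ?;
# #include, capability, network and {a,b} alternation rules are ignored.
import re
from dataclasses import dataclass

HOME = "/home/iruel"  # constructed value standing in for the @{HOME} tunable

# Constructed sample files: three secrets plus one ordinary document.
SECRETS = [
    HOME + "/.ssh/id_rsa",
    HOME + "/.gnupg/secring.gpg",
    HOME + "/.bitcoin/wallet.dat",
    HOME + "/Downloads/paper.pdf",
]

# Constructed profile: "owner @{HOME}/** rw," hands the browser every file
# the user owns, keys and wallets included.
LOOSE_PROFILE = """
#include <tunables/global>
/usr/lib/firefox/firefox {
  #include <abstractions/base>
  owner @{HOME}/** rw,
  /usr/lib/firefox/** mr,
}
"""

# Constructed hardened variant: deny rules carve the secrets back out.
HARDENED_PROFILE = """
#include <tunables/global>
/usr/lib/firefox/firefox {
  #include <abstractions/base>
  owner @{HOME}/** rw,
  # deny beats the broad allow above regardless of rule order
  deny @{HOME}/.ssh/** mrwkl,
  deny @{HOME}/.gnupg/** mrwkl,
  deny @{HOME}/.bitcoin/** mrwkl,
  /usr/lib/firefox/** mr,
}
"""

RULE_RE = re.compile(
    r"^(?:(deny)\s+)?(?:(owner)\s+)?(/\S*|@\{HOME\}\S*)\s+([a-zA-Z]+),$")

@dataclass
class Rule:
    deny: bool
    owner: bool
    pattern: re.Pattern
    perms: set

def glob_to_regex(pattern):
    """AppArmor globbing: '*' stays inside one path component, '**' may
    cross '/', '?' is a single non-'/' character."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        out.append("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_profile(text):
    """Collect path rules. Comments and '#include' lines both start with '#'
    and are dropped; headers, braces and unmodelled rule types do not match."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        deny, owner, path, perms = m.groups()
        path = path.replace("@{HOME}", HOME)  # expand the tunable first
        rules.append(Rule(bool(deny), bool(owner), glob_to_regex(path), set(perms)))
    return rules

def access(rules, path, perm, owned=True):
    """True if a confined process may perform `perm` ('r', 'w', ...) on
    `path`: any matching deny refuses, and 'owner' rules only count for
    files the process's own user owns."""
    allowed = False
    for rule in rules:
        if perm not in rule.perms or not rule.pattern.match(path):
            continue
        if rule.owner and not owned:
            continue
        if rule.deny:
            return False
        allowed = True
    return allowed

def readable_secrets(profile_text):
    """Sample files a process confined by this profile could read."""
    rules = parse_profile(profile_text)
    return [p for p in SECRETS if access(rules, p, "r")]

if __name__ == "__main__":
    for name, prof in (("loose", LOOSE_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, "profile lets firefox read:", readable_secrets(prof))
```

Run directly, it reports that the loose profile lets the browser read all four sample files, while the hardened one leaves only the PDF readable: three deny lines are enough to close the key and wallet directories without touching the rest of the home folder. The model is deliberately small; the real apparmor_parser remains the authority on what a profile actually permits.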

#2 2011-07-03 10:58:41

franz1789
Enthusiast
Registered: 2009-07-11
Posts: 102

Re: Mandatory Access Control (Apparmor, Tomoyo, SELinux) for Chakra Edn

I'm sorry, I am totally against it. I'm also against firewalls (how many people surf with a USB modem on Linux, or disable the router firewall??), but MAC to me is lame. What kind of porn site or what kind of script should you visit/run to get malware on Linux? And since perhaps three guys in a thousand usually download and run a script without reading it, should I have my computer bloated with these pieces of software? Seriously: how many times have you run Amarok or VLC and found an exploit blowing up your PC?

#3 2011-07-04 10:12:56

iruel
Cherimoya Developer
From: Los Angeles, CA
Registered: 2011-04-24
Posts: 136

Re: Mandatory Access Control (Apparmor, Tomoyo, SELinux) for Chakra Edn

franz1789 wrote:

I'm sorry, I am totally against it. I'm also against firewalls (how many people surf with a USB modem on Linux, or disable the router firewall??), but MAC to me is lame.

If you're totally against that, it is fine. For me, and many of my colleagues, it is not. I don't really feel like getting into a debate about it, either. We all have different needs, but I see Chakra as a multipurpose distro.

franz1789 wrote:

What kind of porn site or what kind of script should you visit/run to get malware on Linux? And since perhaps three guys in a thousand usually download and run a script without reading it, should I have my computer bloated with these pieces of software? Seriously: how many times have you run Amarok or VLC and found an exploit blowing up your PC?

You seem to think that MAC would be forced upon you if it was finished. I didn't say I wanted it to be default, and in fact it should not be. It should only be optional, post-install packages. Sorry if you misconstrued it that way.

It's not really about software destroying my system, it's about "Is there a good reason why it deserves unlimited access to all my files in my home folder (which includes my GPG/SSH keys, other applications' data, my personal system settings, my Bitcoin wallet)?" In the case of Firefox, it is an application posing a major security threat, and others like Skype send encrypted data to Skype servers even while I have not used it in weeks. It's an issue of trust, really.

----------------------------------------------

Meh, it seems that I'll just implement this myself and contribute the results to Chakra if they ever get useful. Forget that this post was ever made.

#4 2011-07-04 10:22:32

jmc
[Chakra Developer]
From: Roma, Italy
Registered: 2010-09-26
Posts: 1,550

Re: Mandatory Access Control (Apparmor, Tomoyo, SELinux) for Chakra Edn

iruel wrote:

Meh, it seems that I'll just implement this myself and contribute the results to Chakra if they ever get useful. Forget that this post was ever made.

Why say so? I'm not against a MAC implementation, but I'm ignorant in this regard. I'd obviously like to see it done some day, and if you can be the one helping us, it'd be really appreciated.

#5 2011-07-04 11:41:42

franz1789
Enthusiast
Registered: 2009-07-11
Posts: 102

Re: Mandatory Access Control (Apparmor, Tomoyo, SELinux) for Chakra Edn

iruel, I'm not a dev of the distro, I just said that I don't want it by default. I simply expressed my opinion, and also, I didn't mean to insult you in any way...

#6 2011-11-18 21:32:51

abveritas
Core-Team Admin
From: GA, USA
Registered: 2010-01-11
Posts: 6,051

Re: Mandatory Access Control (Apparmor, Tomoyo, SELinux) for Chakra Edn

It was time this whole situation was thoroughly looked at. Chakra needs to implement some hardening options for the users to set.
The good thing is, the kernel has been built with Tomoyo security set for quite some time, so implementing MAC hardening is not a difficult task. See settings line 5070 and down:
http://gitorious.org/chakra-packages/co … fig.x86_64
Tomoyo-tools will be added to the repos, and hopefully we'll have a comprehensive wiki page up soon too. So any user interested can implement Tomoyo.

Iruel, a big thanks for doing so much groundwork for this; it took some time to get around to working on this...

#7 2011-11-19 04:49:58

dogbert0360
Member
Registered: 2011-10-05
Posts: 65

Re: Mandatory Access Control (Apparmor, Tomoyo, SELinux) for Chakra Edn

I'm also for Chakra to have some strong security too. Iruel, you would be a great asset to help improve and strengthen Chakra, and if you can do this you have my hearty thumbs up.

#8 2011-11-19 10:55:58

manutortosa
Core-Team - SysAdmin
From: Reus - Spain
Registered: 2009-03-22
Posts: 1,882

Re: Mandatory Access Control (Apparmor, Tomoyo, SELinux) for Chakra Edn

That's already in progress. The Chakra kernel has the needed support for Tomoyo and AppArmor built into the kernel.

[manutortosa@chakra-pc ~]$ pacman -Ss tomoyo
testing/tomoyo-tools 2.4.0.20111025-1
    TOMOYO Linux 2.3.x userspace tools for Linux kernel 2.6.36 and later

In testing, tomoyo-tools is available. You can play around with it. Probably we will add Akari too, and we will play around with integrating Tomoyo inside systemsettings using a KCM.

SELinux is not a choice for us. It is too complex and overkill for a normal desktop user, while Tomoyo is easy to use, powerful and friendly.

Stay tuned, we never forget security here, but a feature like this needs some time and testing.

#9 2011-11-21 01:27:30

iruel
Cherimoya Developer
From: Los Angeles, CA
Registered: 2011-04-24
Posts: 136

Re: Mandatory Access Control (Apparmor, Tomoyo, SELinux) for Chakra Edn

Ah, good to hear. My Chakra install is kind of messed up now, so I've switched to Fedora, and haven't been back in a while.

Although it somehow works faster and better with KDE than Chakra (hopefully that was only due to misconfiguration on my part), the awesomeness of the CCR, bundle manager & pacman were too good to pass up.

Really, that's the greatest thing about this system: the CCR. No more attempting to install old RPMs or dump binaries compiled from source all over your computer.

#10 2011-11-21 01:40:32

philm
Manjaro Linux Developer
From: Germany, Garching
Registered: 2009-04-16
Posts: 4,508
Website

Re: Mandatory Access Control (Apparmor, Tomoyo, SELinux) for Chakra Edn

We will get to it. Step by step. Hardening your system should be supported. Creating a working KCM would be nice to have. That will ease it up a lot.
