Is it possible to enable "permanent" (until reboot) whole-system AppArmor protection?

Chrysolite Azalea
Level 1
Posts: 25
Joined: Mon Jul 04, 2022 8:59 am


Post by Chrysolite Azalea »

Hello everyone!

I'm thinking of enabling whole-system AppArmor protection. As far as I understand, to do this, the init system needs to do the following:
  • Load AppArmor profiles into the kernel
  • Switch into the AppArmor profile
  • Remove CAP_MAC_ADMIN from capability bounding set

If I understand this correctly, after this all processes would be confined by AppArmor and no process will be able to disable it (since even logging in as root won't give the user the CAP_MAC_ADMIN permission needed to change AppArmor settings, as it has been removed from the capability bounding set).

I'm asking this because I've already done it in a container (specifically, I proposed a pull request to the Waydroid project that would enable it for the container). However, in that case it was done by the container manager, not by the init process. I wonder whether it's required to modify the init to do this, or whether it's possible to achieve this in the initramfs by loading the profiles (and removing CAP_MAC_ADMIN) first and then executing systemd confined by AppArmor.

Post by Chrysolite Azalea »

As far as I understand, it can be done by a "pre-init" program that would load AppArmor profiles to the kernel, perform a domain transition, drop CAP_MAC_ADMIN and then do an execve to the actual init (like systemd). I'm currently trying to implement it.
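As an added illustration of the pre-init approach described above (example code, not from this thread or its attached configuration), the steps in C: load policy with a statically linked parser, request the domain transition for the next execve(), drop CAP_MAC_ADMIN from the bounding set, then exec the real init. The parser path /sbin/apparmor_parser, the init path /sbin/init, the profile name init-confined and the presence of a /bin/sh in the initramfs are assumptions; the CapBnd helper is there so the result can be verified from /proc/<pid>/status after boot.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

#define CAP_MAC_ADMIN 33   /* value from <linux/capability.h> */

/* Parse a "CapBnd:\t<hex>" line from /proc/<pid>/status: 1 if capability
 * bit `cap` is set, 0 if not, -1 if malformed. Run this over the status of
 * any process after boot to verify the drop reached it. */
int cap_in_status_line(const char *line, int cap)
{
    const char *hex = strchr(line, ':');
    if (!hex || cap < 0 || cap > 63) return -1;
    return (int)((strtoull(hex + 1, NULL, 16) >> cap) & 1ULL);
}

/* Step 2: request the domain transition for the next execve(); this is what
 * aa_change_onexec() does, written here without libapparmor. */
static int change_onexec(const char *profile)
{
    char buf[128];
    int n = snprintf(buf, sizeof buf, "exec %s", profile);
    int fd = open("/proc/self/attr/apparmor/exec", O_WRONLY);
    if (fd < 0) fd = open("/proc/self/attr/exec", O_WRONLY); /* older kernels */
    if (fd < 0) return -1;
    int rc = write(fd, buf, n) == n ? 0 : -1;
    close(fd);
    return rc;
}

int main(void)
{
    /* Step 1: load the policy copied into the initramfs with the static parser
     * (paths assumed; the thread's attachment does this from a shell script). */
    if (system("/sbin/apparmor_parser -r /etc/apparmor.d") != 0)
        return perror("apparmor_parser"), 1;
    if (change_onexec("init-confined") != 0)     /* profile name assumed */
        return perror("change_onexec"), 1;
    /* Step 3: the bounding set is inherited by every descendant and can never
     * be widened again, so no later root shell can reload or unload policy. */
    if (prctl(PR_CAPBSET_DROP, CAP_MAC_ADMIN, 0, 0, 0) != 0)
        return perror("PR_CAPBSET_DROP"), 1;
    /* Step 4: become the real init, now confined and without CAP_MAC_ADMIN. */
    execl("/sbin/init", "init", (char *)NULL);
    return perror("execl"), 1;
}
```

The program must run as the initramfs init (PR_CAPBSET_DROP needs CAP_SETPCAP, which PID 1 starts with), and after boot `grep CapBnd /proc/1/status` should show bit 33 clear.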

Post by Chrysolite Azalea »

I've found a guide on the AppArmor wiki on how to do this. It can be done by adding a statically linked apparmor_parser and policy files to the initramfs.

Post by Chrysolite Azalea »

I've managed to do that. Firstly, you need to compile the AppArmor parser statically and put it in the initramfs (but I should note that apparmor_parser needs directories such as /etc/apparmor and /etc/apparmor.d, so they should be in the initramfs too). Then, you need to add a script to the initramfs that will load the profiles into the kernel. I'm attaching an example of the /etc/initramfs-tools directory that is configured to add AppArmor to the initramfs.

Attachment: initramfs_tools.tar.xz (configuration example)

Post by Chrysolite Azalea »

P.S.:

1. This was done with initramfs-tools. I don't know how it works with dracut.

2. I decided not to disable CAP_MAC_ADMIN, as there is software that depends on loading profiles after boot, such as Snap. However, on some servers it may be a good idea to deny CAP_MAC_ADMIN everywhere and enable the "No New Privileges" restriction for all processes (man systemd-system.conf).