Actions

apparmor-profile-everything

From Whonix



Mandatoryaccesscontrol.jpg

Introduction[edit]

apparmor-profile-everything is an AppArmor policy to confine all user space processes on the system. This allows users to enforce a strong security model and follow the principle of least privilege. An AppArmor policy for the init and systemd is loaded in the initramfs, which then applies to all other processes. Specific policies for many system services/applications are also enforced.

Design[edit]

Info Note: apparmor-profile-everything is still in development and breakage is likely. It is currently only recommended for developers.

This full system AppArmor policy imitates design ideas that are already present in other operating systems such as Android and attempts to make something similar available on desktop Linux.

In addition to locking down user space, this also protects the kernel as it restricts access to kernel interfaces like /proc or /sys, thereby making kernel pointer and other leaks much less likely. However, this does not and cannot confine the kernel or initramfs.

This AppArmor policy is expected to be used in combination with other security technologies such as a hardened kernel, strong sandboxing architecture, verified boot and so on.

apparmor-profile-everything supports different boot modes: aadebug and superroot. aadebug allows certain permissions necessary for advanced debugging and superroot relaxes the policy substantially, even making bypasses possible. It is highly recommended to stick to the default boot mode.

It also contains a wrapper to restrict apt, as apt requires permissions that may be abused to circumvent the policy. When updating or installing applications, the rapt command must be used.

Platform Support[edit]

apparmor-profile-everything is currently broken in Qubes-Whonix ™. Whonix ™ developer madaidan has only developed it for Non-Qubes-Whonix ™.

Nobody is working on Qubes-Whonix ™ support at present, see: Qubes-Whonix Security Disadvantages - Help Wanted! [archive]

References[edit]



Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki


Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png Iconfinder Apple Mail 2697658.png Reddit.jpg Hacker.news.jpg 200px-Mastodon Logotype (Simple).svg.png

Are you proficient with iptables? Want to contribute? Check out possible improvements to iptables. Please come and introduce yourself in the development forum.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.