Gentoo Forums
[musl done] Apparmor
gengreen
Apprentice

Joined: 23 Dec 2017
Posts: 150

Posted: Sat Apr 21, 2018 11:55 am    Post subject: [musl done] Apparmor

Today I'm sharing a testing ebuild of apparmor for the musl profile. This work isn't ready for general use. Any help with cleaning up / rewriting these ebuilds, or anything else that can help improve apparmor on musl, is welcome.

Thanks to Alpine Linux, which did 99% of the work
https://git.alpinelinux.org/cgit/aports/tree/testing/apparmor


Ebuild available at: https://github.com/g3ngr33n/apparmor-musl-gentoo

--------------------------
Update:

- Ebuild and patch cleaned
- Add sys-libs/libapparmor, sys-app/apparmor-utils
- Fix init file of sys-app/apparmor
- Patch for firejail with the useflag apparmor enabled
- Ebuild for dev-libs/libintl

Update (2):

- Dynamic linking is now working
- Patch cleaned
- Manual mode should work without problem (not fully tested)

Todo:

- Test the ebuild on systemd / dbus system
- Make a hardened profile for firejail, firefox...
- Fix the need for dev-libs/libintl (as musl has intl integrated....)

Note

:!: All good


Last edited by gengreen on Thu Apr 26, 2018 1:23 am; edited 15 times in total
gengreen
Apprentice

Joined: 23 Dec 2017
Posts: 150

Posted: Wed Apr 25, 2018 11:28 am

Repo updated.

Ebuild should be alright. I still need tests / feedback to improve this work

Thanks !
steveL
Watchman

Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

Posted: Wed Apr 25, 2018 1:14 pm

Good work, gengreen!

I was amazed (and impressed) to see you attacking the base first.

Still not got a musl install, but I should get some time to play around in the next couple of months.

Keep it up. :-)
gengreen
Apprentice

Joined: 23 Dec 2017
Posts: 150

Posted: Wed Apr 25, 2018 2:17 pm

Thanks for this feedback, I will keep it up until it's good enough to be pulled into the official musl Gentoo
_j
n00b

Joined: 05 Jan 2018
Posts: 9

Posted: Thu Apr 26, 2018 8:05 pm

gengreen wrote:
Thanks for this feedback, I will keep it up until it's good enough to be pulled into the official musl Gentoo

Hi there,

Thank you for doing this! Between grsec being gone and not liking selinux (cough 3-letter agency cough; even if it is fine I wouldn't touch it with a 10-foot pole) another MAC implementation is quite needed!

I have one qualm which I wasn't sure whether to bring up here or on the GitHub tracker - it seems that dev-util/libintl collides with the one that musl provides.

Quite a few things didn't build until I one-shotted musl again (cryptsetup, alsa-utils, and I'm sure others)... What does libintl do in relation to apparmor anyways?
_j
n00b

Joined: 05 Jan 2018
Posts: 9

Posted: Sun Apr 29, 2018 9:56 pm

Cheers for sorting it! ;-)
gengreen
Apprentice

Joined: 23 Dec 2017
Posts: 150

Posted: Tue May 01, 2018 10:08 pm

Hey j!

You are welcome. I too wanted apparmor to harden my system since the loss of Grsec, and I do not feel like nsaseLinux... :p

Today I'm sharing the apparmor profile for firejail that I actually use:

https://github.com/g3ngr33n/apparmor-musl-gentoo/blob/master/apparmor.d/firejail-default

And some profiles of Firejail:

https://github.com/g3ngr33n/apparmor-musl-gentoo/tree/master/firejail-profile

I would like to have feedback about it:

I only use a single apparmor profile. I'm trying to restrict the firejail-default (apparmor) profile as much as possible, allowing the minimum needed for each of my apps to run with firejail.

Each app has its "own" firejail profile (much more hardened than the default one). Only fluxbox and urxvt aren't using firejail.

Is that a good security strategy? Or should I write an apparmor profile for each of those apps?
gengreen
Apprentice

Joined: 23 Dec 2017
Posts: 150

Posted: Sun Jun 03, 2018 12:29 pm

Hello,

Just an update about apparmor 2.13, to be released soon

musl should be supported, as they already merged the proposed patch of Patrick S. I tested today the build available at https://gitlab.com/pks-t/apparmor/tree/pks/musl-2.13.0, and it worked nicely.

Waiting now for the official release!
gengreen
Apprentice

Joined: 23 Dec 2017
Posts: 150

Posted: Tue Jul 03, 2018 12:40 pm

Following the thread https://github.com/netblue30/firejail/issues/1973

I have started to write some apparmor profiles. For now Firefox and Torbrowser are available at:

https://github.com/g3ngr33n/emergeless/tree/master/apparmor-profiles-hardened

Any feedback/suggestion will be appreciated