Security Working Group - Wednesday April 1

Anton Kachalov rnouse at google.com
Thu Apr 23 22:10:00 AEST 2020


Hi, Brad.

AppArmor is upstreamed. I just enabled the AppArmor config for the aspeed kernel.

Furthermore, Ubuntu's kernel has additional, not yet upstreamed patches for
AppArmor. E.g. the patch from:
https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/linux/5.4.0-26.30/linux_5.4.0-26.30.diff.gz

adds new routines like:
 -- apparmor_unix_stream_connect to check perms before making unix domain
connection
 -- apparmor_unix_may_send to check perms before conn or sending unix dgrams

and various new hooks for LSM.

Without those patches we wouldn't have all the benefits for DBus hardening.
Plus, dbus-broker doesn't support all that stuff and needs those
features to be ported from Freedesktop/DBus.

I'm also looking into a third LSM alternative: KRSI

https://lkml.org/lkml/2019/12/20/641

Regardless of which LSM we end up using, we can define rules
in phosphor-dbus-interfaces:

https://github.com/openbmc/phosphor-dbus-interfaces/blob/master/xyz/openbmc_project/Control/Host.interface.yaml

to whitelist daemons / processes that may call specific methods or
query specific properties and so on.

Those definitions will be used to generate appropriate rules for the underlying
LSM (besides general system-wide rules) at build time.

On Wed, 22 Apr 2020 at 14:33, Brad Bishop <bradleyb at fuzziesquirrel.com>
wrote:

> at 5:57 AM, Anton Kachalov <rnouse at google.com> wrote:
>
> > Once such dependencies were dropped, I got a working AppArmor-enabled
> > system with only a 2MB increase.
>
> Hi Anton!
>
> General question about AppArmor - would it require kernel patches to
> deploy
> it in OpenBMC?
>
> thx - brad
>
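As an added example (not code from this mail or from the OpenBMC project), here is the build-time step the message sketches: an interface definition in the shape of phosphor-dbus-interfaces, annotated with a per-method and per-property allow-list, from which the AppArmor D-Bus rules for each allowed daemon are generated. The `access` and `provider_profile` keys are assumptions of this example (the real Host.interface.yaml carries no such annotation), and the member, path and daemon names are constructed. The definition is an inline dict rather than YAML so the example runs with the standard library alone.

```python
"""Added example: generate AppArmor D-Bus rules from an allow-list annotated
interface definition.  Not OpenBMC code; the "access" and "provider_profile"
keys, member names, object path and daemon names are constructed."""

# Constructed interface definition, loosely following phosphor-dbus-interfaces.
HOST_INTERFACE = {
    "name": "xyz.openbmc_project.Control.Host",
    "path": "/xyz/openbmc_project/control/host0",    # constructed
    "provider_profile": "host-control-daemon",        # hypothetical AppArmor label
    "methods": [
        {"name": "Execute", "access": ["phosphor-state-manager"]},
    ],
    "properties": [
        {"name": "Command", "access": ["phosphor-state-manager", "bmcweb"]},
    ],
}

PROPERTIES_IFACE = "org.freedesktop.DBus.Properties"


def _rule(path, interface, member, peer_label):
    # AppArmor mediates D-Bus on bus, object path, interface, member and the
    # peer's confinement label.  Message arguments are never inspected.
    return (f"dbus send bus=system path={path} interface={interface} "
            f"member={member} peer=(label={peer_label}),")


def rules_for(iface, daemon):
    """Rules letting `daemon` call only the members its allow-list entries name."""
    rules = []
    for method in iface["methods"]:
        if daemon in method["access"]:
            rules.append(_rule(iface["path"], iface["name"], method["name"],
                               iface["provider_profile"]))
    # Property reads go through org.freedesktop.DBus.Properties.Get with the
    # property name as an argument, which AppArmor cannot match on.  The
    # tightest expressible rule is one Get rule per object path, granted when
    # the daemon is allowed at least one property on that path.
    if any(daemon in prop["access"] for prop in iface["properties"]):
        rules.append(_rule(iface["path"], PROPERTIES_IFACE, "Get",
                           iface["provider_profile"]))
    return rules


def allowed_daemons(iface):
    """Every daemon named anywhere in the interface's allow-lists."""
    names = set()
    for entry in iface["methods"] + iface["properties"]:
        names.update(entry["access"])
    return sorted(names)


def profile_snippet(iface, daemon):
    """The D-Bus part of `daemon`'s AppArmor profile, ready to be included."""
    body = "\n".join(f"  {r}" for r in rules_for(iface, daemon))
    return f"# generated for {daemon} from {iface['name']}\n{body}\n"


if __name__ == "__main__":
    for daemon in allowed_daemons(HOST_INTERFACE):
        print(profile_snippet(HOST_INTERFACE, daemon))
```

The caveat in `rules_for` is the practical limit of this approach with AppArmor: method calls can be gated per member, but property access cannot be narrowed below the `Properties` interface on a given object path, so a daemon allowed one property on a path can read all of them. That is the gap the message's "various new hooks" and a different LSM would have to close.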