StarMirror/qTox
1
0
Fork 0
mirror of https://github.com/qTox/qTox.git synced 2024-03-22 14:00:36 +08:00
Code Issues Projects Releases Wiki Activity

docs(apparmor): Fix line lengths

Browse Source 
Wrap text to 80 chars per line to conform to qTox documentation
guidelines.
This commit is contained in:
Vincas Dargis 2019-03-25 20:01:29 +02:00
parent 52883bbbe3
commit 0df815fd2c
1 changed files with 48 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
security/apparmor/README.md
View File

@ -1,20 +1,33 @@
# Hardening qTox with AppArmor
qTox can be confined with AppArmor on Linux to reduce attack vectors in case remote code execution exploit is being used. Please note that [MAC's] (of course) does not guarantee perfect security, but it will:
- Deny access to your `~/.bashrc`, `~/.ssh/*` `~/.config/path/to/your/password/manager/file`, etc.
qTox can be confined with AppArmor on Linux to reduce attack vectors in case
remote code execution exploit is being used. Please note that [MAC's] (of
course) does not guarantee perfect security, but it will:
- Deny access to your `~/.bashrc`, `~/.ssh/*`
`~/.config/path/to/your/password/manager/file`, etc.
- Deny creating autostart entries (in `~/.config/autostart`, etc).
- Deny launching random executables (like `sudo`, `su`, etc...).
- And more.
Consider using additional security measures like [Firejail] to improve security even more.
Consider using additional security measures like [Firejail] to improve security
even more.
Please also note that not all distributions has full AppArmor feature set available. For example, Debian (at least up to Debian 10 (buster)) does not have network, DBus mediation available. Also, X Server, shared user configuration files (like `~/.config/QtProject.conf`, caches, etc), opening web links via unconfined browsers introduces additional attack vectors, too. So please be cautious even with number of security measures applied.
Please also note that not all distributions has full AppArmor feature set
available. For example, Debian (at least up to Debian 10 (buster)) does not have
network, DBus mediation available. Also, X Server, shared user configuration
files (like `~/.config/QtProject.conf`, caches, etc), opening web links via
unconfined browsers introduces additional attack vectors, too. So please be
cautious even with number of security measures applied.
**AppArmor profile attaches only to `/usr/bin/qtox` and `/usr/local/bin/qtox` executables by default**. See [Tuning permissions](#tuning-permissions) for custom setups.
**AppArmor profile attaches only to `/usr/bin/qtox` and `/usr/local/bin/qtox`
executables by default**. See [Tuning permissions](#tuning-permissions) for
custom setups.
## Installing profile
Select AppArmor profile from appropriate `security/apparmor/X` subdirectory depending on what AppArmor version is available for your Linux distribution release:
Select AppArmor profile from appropriate `security/apparmor/X` subdirectory
depending on what AppArmor version is available for your Linux distribution
release:
- 2.13.2
- Debian 10 (buster) (or newer)
@ -32,7 +45,8 @@ Restart `qTox` if it was already running before enabling AppArmor profile.
## Checking if qTox is actually confined
Run `aa-status` command line utility and check if `qTox` is listed within `X processes are in enforced mode.` list:
Run `aa-status` command line utility and check if `qTox` is listed within `X
processes are in enforced mode.` list:
```
sudo aa-status
...
@ -51,11 +65,14 @@ ps auxZ | fgrep qtox
qtox (enforce) vincas 16315 2.0 1.1 1502292 180220 ? SLl 12:21 0:38 /usr/bin/qtox
```
If OK it's marked as `(enforce)`. `uncofined` means AppArmor profile is not attached to the process, no confinement is being applied.
If OK it's marked as `(enforce)`. `uncofined` means AppArmor profile is not
attached to the process, no confinement is being applied.
## Troubleshooting
If you believe that some feature is unavailable, or some files you need access to are inaccessible due to enforced AppArmor profile, check system logs for the hints.
If you believe that some feature is unavailable, or some files you need access
to are inaccessible due to enforced AppArmor profile, check system logs for the
hints.
On Debian/Ubuntu:
@ -74,19 +91,27 @@ type=AVC msg=audit(1549793273.269:149): apparmor="DENIED" operation="open" profi
rridesrc" pid=3037 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
```
This means that `r`ead access was denied to the file `/home/vincas/.config/klanguageoverridesrc`, owned by you (ouid 1000), by AppArmor profile `qtox` (available in `/etc/apparmor.d/usr.bin.qtox`).
This means that `r`ead access was denied to the file
`/home/vincas/.config/klanguageoverridesrc`, owned by you (ouid 1000), by
AppArmor profile `qtox` (available in `/etc/apparmor.d/usr.bin.qtox`).
Please create issue if you detect new AppArmor `DENIED` messages and you believe that these denials are relevant for other users too. Meanwhile, workaround by adding manual rule. DO NOT modify `/etc/apparmor.d/usr.bin.qtox` directly! See [Tuning permissions](#tuning-permissions) for fixing access issues.
Please create issue if you detect new AppArmor `DENIED` messages and you believe
that these denials are relevant for other users too. Meanwhile, workaround by
adding manual rule. DO NOT modify `/etc/apparmor.d/usr.bin.qtox` directly! See
[Tuning permissions](#tuning-permissions) for fixing access issues.
## Tuning permissions
If you need access to files (for file sharing) other than from your `$HOME` or mounted media, create/modify `/etc/apparmor.d/tunables/usr.bin.qtox.d/local` file and append writable path variable:
If you need access to files (for file sharing) other than from your `$HOME` or
mounted media, create/modify `/etc/apparmor.d/tunables/usr.bin.qtox.d/local`
file and append writable path variable:
```
@{qtox_additional_rw_dirs} += /path/to/some/directory
```
Alternatively, if you need more custom/advanced rules (not only for file access), create/modify `/etc/apparmor.d/local/usr.bin.qtox` file.
Alternatively, if you need more custom/advanced rules (not only for file
access), create/modify `/etc/apparmor.d/local/usr.bin.qtox` file.
Rule example for reading only, recursively (note the comma!):
@ -105,17 +130,22 @@ Restart AppArmor to reload profiles after modifications:
sudo systemctl restart apparmor
```
If AppArmor restart fails, check syntax errors by invoking AppArmor parser directly:
If AppArmor restart fails, check syntax errors by invoking AppArmor parser
directly:
```
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.qtox
```
For custom installations, when `qTox` executable is not `/usr/bin/qtox` or `/usr/local/bin/qtox`:
1. create `/etc/apparmor.d/tunables/usr.bin.qtox.d/local`, adding `@{qtox_prefix} += /path/to/your/custom/install/prefix` line.
2. modify `/etc/apparmor.d/usr.bin.qtox` profile attachement path: `profile qtox /{usr{,local}/bin/qtox,path/to/your/qtox_executable} {`
For custom installations, when `qTox` executable is not `/usr/bin/qtox` or
`/usr/local/bin/qtox`:
1. create `/etc/apparmor.d/tunables/usr.bin.qtox.d/local`, adding
`@{qtox_prefix} += /path/to/your/custom/install/prefix` line.
2. modify `/etc/apparmor.d/usr.bin.qtox` profile attachement path: `profile qtox
/{usr{,local}/bin/qtox,path/to/your/qtox_executable} {`
Restart AppArmor and [check](#checking-if-qtox-is-actually-confined) if `qTox` process under custom path is actually confined.
Restart AppArmor and [check](#checking-if-qtox-is-actually-confined) if `qTox`
process under custom path is actually confined.
## Other resources