6a21d96214
Running qTox under AppArmor confinement produces these `DENIED` messages: ``` type=AVC msg=audit(1589897925.045:793): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.aspell.en.pws" pid=36671 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 ``` ``` type=AVC msg=audit(1589897925.045:794): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.aspell.en.prepl" pid=36671 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 ``` ``` type=AVC msg=audit(1589996245.245:1193): apparmor="DENIED" operation="file_lock" profile="qtox" name="/home/vincas/.aspell.en.pws" pid=53202 comm="qtox" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000 ``` ``` type=AVC msg=audit(1589996245.245:1194): apparmor="DENIED" operation="file_lock" profile="qtox" name="/home/vincas/.aspell.en.prepl" pid=53202 comm="qtox" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000 ``` Add file rule to allow reading and locking Aspell-specific user files [0]. [0] http://aspell.net/man-html/Format-of-the-Personal-and-Replacement-Dictionaries.html |
||
---|---|---|
.. | ||
2.12.1 | ||
2.13.2 | ||
2.13.3 | ||
README.md |
Hardening qTox with AppArmor
qTox can be confined with AppArmor on Linux to reduce attack vectors in case remote code execution exploit is being used. Please note that MAC's (of course) does not guarantee perfect security, but it will:
- Deny access to your
~/.bashrc
,~/.ssh/*
~/.config/path/to/your/password/manager/file
, etc. - Deny creating autostart entries (in
~/.config/autostart
, etc). - Deny launching random executables (like
sudo
,su
, etc...). - And more.
Consider using additional security measures like Firejail to improve security even more.
Please also note that not all distributions have full AppArmor feature set
available. For example, Debian (at least up to Debian 10 (buster)) does not have
network, DBus mediation available. Also, X Server, shared user configuration
files (like ~/.config/QtProject.conf
, caches, etc), opening web links via
unconfined browsers introduces additional attack vectors, too. So please be
cautious even with number of security measures applied.
AppArmor profile attaches only to /usr/bin/qtox
and /usr/local/bin/qtox
executables by default. See Tuning permissions for
custom setups.
Installing profile
Select AppArmor profile from appropriate security/apparmor/X
subdirectory
depending on what AppArmor version is available for your Linux distribution
release:
- 2.13.3
- Debian 11 (bullseye) (or newer)
- Ubuntu 19.10 (or newer)
- openSUSE Tumbleweed
- 2.13.2
- Debian 10 (buster)
- Ubuntu 19.04 (Disco Dingo)
- 2.12.1
- Debian 9 (stretch) or older
- Ubuntu 18.10 or older
To enable AppArmor profile on your system, run prepared install script:
sudo security/apparmor/x.y.z/install.sh
Restart qTox
if it was already running before enabling AppArmor profile.
Checking if qTox is actually confined
Run aa-status
command line utility and check if qTox
is listed within X processes are in enforced mode.
list:
sudo aa-status
...
21 processes are in enforce mode.
/usr/lib/ipsec/charon (2421)
/usr/sbin/cups-browsed (839)
...
/usr/bin/qtox (16315) qtox
...
Alternatively, use ps
and grep
:
ps auxZ | fgrep qtox
qtox (enforce) vincas 16315 2.0 1.1 1502292 180220 ? SLl 12:21 0:38 /usr/bin/qtox
If OK it's marked as (enforce)
. unconfined
means AppArmor profile is not
attached to the process, no confinement is being applied.
Troubleshooting
If you believe that some feature is unavailable, or some files you need access to are inaccessible due to enforced AppArmor profile, check system logs for the hints.
On Debian/Ubuntu:
sudo fgrep DENIED /var/log/syslog
On openSUSE, OR if you have auditd
daemon installed:
sudo fgrep DENIED /var/log/audit/audit.log
You will see messages like this:
type=AVC msg=audit(1549793273.269:149): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/klanguageove
rridesrc" pid=3037 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
This means that r
ead access was denied to the file
/home/vincas/.config/klanguageoverridesrc
, owned by you (ouid 1000), by
AppArmor profile qtox
(available in /etc/apparmor.d/usr.bin.qtox
).
Please create issue if you detect new AppArmor DENIED
messages and you believe
that these denials are relevant for other users too. Meanwhile, workaround by
adding manual rule. DO NOT modify /etc/apparmor.d/usr.bin.qtox
directly! See
Tuning permissions for fixing access issues.
Tuning permissions
If you need access to files (for file sharing) other than from your $HOME
or
mounted media, create/modify /etc/apparmor.d/tunables/usr.bin.qtox.d/local
file and append writable path variable:
@{qtox_additional_rw_dirs} += /path/to/some/directory
Alternatively, if you need more custom/advanced rules (not only for file
access), create/modify /etc/apparmor.d/local/usr.bin.qtox
file.
Rule example for reading only, recursively (note the comma!):
/path/to/directory/** r,
For reading and writing, recursively:
/path/to/directory/** rw,
Restart AppArmor to reload profiles after modifications:
sudo systemctl restart apparmor
If AppArmor restart fails, check syntax errors by invoking AppArmor parser directly:
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.qtox
For custom installations, when qTox
executable is not /usr/bin/qtox
or
/usr/local/bin/qtox
:
- create
/etc/apparmor.d/tunables/usr.bin.qtox.d/local
, adding@{qtox_prefix} += /path/to/your/custom/install/prefix
line. - modify
/etc/apparmor.d/usr.bin.qtox
profile attachement path:profile qtox /{usr{,local}/bin/qtox,path/to/your/qtox_executable} {
Restart AppArmor and check if qTox
process under custom path is actually confined.
Other resources
Check Debian, Ubuntu, Upstream AppArmor Wiki pages for more info.