Page MenuHomePhabricator
Create Task
Maniphest T943

make /boot and /lib/modules unreadable even for root
Closed, ResolvedPublic
Actions

Description

Similar to T937 but this is for defense in depth and even preventing root from getting access to kernel symbols.

Details

Impact
Normal

Related Objects

Event Timeline

Patrick triaged this task as Normal priority.Dec 7 2019, 8:13 AM
Patrick created this task.
Herald added a project: Whonix. · View Herald TranscriptDec 7 2019, 8:13 AM
Herald added a subscriber: entr0py. · View Herald Transcript
Patrick renamed this task from make /boot unreadable even for root to make /boot and /lib/modules unreadable even for root.Dec 7 2019, 8:14 AM
madaidan added a comment.Dec 23 2019, 8:27 PM

/boot/ is already unreadable.

https://github.com/Whonix/apparmor-profile-everything/pull/31

Patrick added a comment.Dec 24 2019, 11:17 AM

Still need to add /boot to https://github.com/Whonix/apparmor-profile-everything/blob/master/etc/apparmor.d/abstractions/dangerous-files? Currently cannot find it there.

madaidan added a comment.Dec 24 2019, 3:37 PM

/boot isn't allowed in init-systemd anyway so we don't need to add it to dangerous-files. Apparmor denies access to files that aren't explicitly allowed. The only reason we need to blacklist /lib/modules and not /boot is because we give access to all libraries.

Patrick closed this task as Resolved.Dec 24 2019, 3:49 PM

Awesome!

Would an audit denyrule for /boot be useful for the sake of audit?

madaidan added a comment.Dec 24 2019, 4:07 PM

Any attempted access of /boot would be logged the same way anyway although it might be good to use that to stop it from showing up in aa-logprof.

Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer