
make /boot and /lib/modules unreadable even for root
Closed, Resolved. Public

Description

Similar to T937, but this is for defense in depth and even preventing root from getting access to kernel symbols.

Details

Impact: Normal

Event Timeline

Patrick triaged this task as Normal priority. Dec 7 2019, 9:13 AM
Patrick created this task.
Patrick renamed this task from "make /boot unreadable even for root" to "make /boot and /lib/modules unreadable even for root". Dec 7 2019, 9:14 AM

/boot isn't allowed in init-systemd anyway, so we don't need to add it to dangerous-files. AppArmor denies access to files that aren't explicitly allowed. The only reason we need to blacklist /lib/modules and not /boot is that we give access to all libraries.

Patrick closed this task as Resolved. Dec 24 2019, 4:49 PM

Awesome!

Would an audit deny rule for /boot be useful for the sake of auditing?

Any attempted access of /boot would be logged the same way anyway, although it might be good to use that to stop it from showing up in aa-logprof.
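The rule forms discussed in this thread, shown as an added AppArmor profile fragment (not the project's own profile; the profile name, binary path and the broad library allow rule are placeholders chosen for illustration). In AppArmor a `deny` rule takes precedence over any `allow` rule matching the same path, which is what lets a narrow deny on /lib/modules coexist with a wide grant on /lib. An explicit `deny` is also quiet: the denial produces no log entry unless the rule is prefixed with `audit`, whereas an implicit denial (no matching rule at all) is logged and therefore shows up in aa-logprof.

```apparmor
# Added example, not the project's profile. Profile name and paths below
# the comment markers are assumptions for illustration only.
profile example-confined /usr/bin/example-program {

  # Broad library access, the situation described in the thread: because
  # /lib/** is readable, /lib/modules would be readable too without an
  # explicit deny.
  /usr/lib/** r,
  /lib/** r,

  # deny overrides the allow rule above for this subtree. The denial is
  # quiet (no log line, so nothing for aa-logprof to suggest adding).
  deny /lib/modules/** rwklmx,

  # /boot is not matched by any allow rule, so it is already implicitly
  # denied and logged. This rule changes nothing about enforcement; the
  # 'audit' prefix keeps a log entry while the explicit deny keeps the
  # access from being offered as a new allow rule by aa-logprof.
  audit deny /boot/** rwklmx,
}
```

Drop the fragment under /etc/apparmor.d/ and load it with `apparmor_parser -r <file>`; with the profile in enforce mode, reads of /lib/modules by the confined program fail silently, while reads of /boot fail and are recorded in the audit log.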