
#1 2017-05-15 14:56:58

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

'linux-hardened' questions

I am very interested in the new ‘linux-hardened’ kernel, which I have installed for compatibility testing. While understandable, currently the wiki entries for this kernel are spartan, and, as a consequence, I am struggling to find hard answers to a number of specific questions.

1) Excluding SELinux and the normal hardening techniques described in the Wiki: after installing the kernel, does the rest of the OS require any further configuration or optimisation?

2) For day-to-day activities, I use a custom AppArmor-enabled kernel (for which I am well set up). I have compiled a custom ‘linux-hardened’ kernel with AppArmor as the default security. It seems to work okay, without anything untoward being reported by ‘dmesg’. So, does ‘linux-hardened’ actually require SELinux capabilities to be compiled into the kernel, or is this just an easily configured option that is being offered by the developers? (Note: although the default kernel has been compiled with SELinux, the required boot parameter is not set and the default security is still ‘discretionary access control’.)

3) If this next one seems stupid, I refer you to the new Subgraph OS, which applied/enabled the grsecurity patches but set the default security as AppArmor. With this in mind, should I consider doing something similar with my custom version, i.e. enable AppArmor as the default access control while also compiling the SELinux modules?

4) Linux namespaces are enabled, but patched to disable them for non-root users. How can I enable this for Firejail? (Note: I use a custom compilation of Firejail to enable very tight integration with AppArmor.)

5) When compiling my customised kernel, I get a few dozen warnings in the nature of: ‘warning: objtool: ProcedureA() falls through to next function ProcedureB()’. Is this something I should report? Or is it more likely to be caused by something stupid on my part?

6) Finally, bizarrely, the stock hardened kernel breaks Nvidia-Dkms, yet my custom version has no problems with compiling the module. (Or at least it does now that upstream has patched 4.11.1 to fix the GPL symbol thingy.) Should I report this?

Thanks for your thoughts
Irvine

PS
I should emphasise here that none of my questions are meant as a criticism. I am fully aware that the hardening project is still very much in its infancy, and (due to the abrupt departure of grsecurity) is trying to fill a large void on very short notice.



#2 2017-05-16 09:25:55

GSF1200S
Member
Registered: 2008-12-24
Posts: 474

Re: 'linux-hardened' questions

IrvineHimself wrote:

For day to day activities, I use a custom Apparmor enabled kernel, (for which I am well set up.) I have compiled a custom ‘linux-hardened’ kernel with Apparmor as the default security. It seems to work okay, without anything untoward being reported by ‘dmesg’.  So, does ‘linux-hardened’ actually require Selinux capabilities to be compiled into the kernel, or is this just an easily configured option that is being offered by the developers? (Note, although the default kernel has been compiled with Selinux, the required boot parameter is not set and the default security is still ‘discretionary access control’)

I can't help you with most of your reply as I am adapting to this kernel as well. However, I run AppArmor just as you do, and like you I also don't build in SELinux support. Can I ask what you mean by "without anything untoward being reported by dmesg"? Do you mean that dmesg (and also journalctl) is failing to log audit messages? If so, I'm having the same issue. It seems that something somehow is setting audit=0 on the kernel boot line... despite what is set in the bootloader.

What do you get when you run:

cat /proc/cmdline

For me, I get audit=0 at the very front of the output despite having audit=1 in my bootloader's 'linux' line. Further, I can't get systemd to start auditd, as it too recognizes the audit=0 being set. If I try:

auditctl -e 1

I get:

Error - audit support not in kernel
Cannot open netlink audit socket

AppArmor seems to work properly: all profiles load as they should, directory access is blocked as it should be, etc. Daniel is a busy man, and I know he wants the focus to be on SELinux (as it's the most capable), so kinks will happen. If you could report to me whether your results are the same as mine, perhaps I can catch him on IRC and find out what we're missing.

Last edited by GSF1200S (2017-05-16 09:26:33)


#3 2017-05-16 10:53:35

loqs
Member
Registered: 2014-03-06
Posts: 17,313

Re: 'linux-hardened' questions

GSF1200S wrote:

It seems that something somehow is setting audit=0 on the kernel boot line... despite what is set on the bootloader.

https://git.archlinux.org/svntogit/comm … fa3ac#n635


#4 2017-05-16 15:49:09

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: 'linux-hardened' questions

I am glad to hear from a fellow user of AppArmor; I sometimes feel like an endangered species around here. If you are intending to contact the developers, I have included a moderately detailed report.

Firstly, I should explain that what I meant by “...without anything untoward being reported by ‘dmesg’...” was that everything was working okay, and nothing alarming seemed to stand out.

Like most Archers, I keep a very tight track of errors and warnings. I have two recurring warnings which I tracked down as being benign, with people working on the problem. With the new kernel, there are about half a dozen “blk_update_request: I/O errors” and another half dozen warnings about a missing ACPI package. These are all new warnings unique to the “linux-hardened” kernel. Everything seems to work, so I am not particularly concerned about them per se. This is particularly true for the ACPI warning, since, apparently having no real need for it, I never installed the ACPID daemon.

For completeness, here is a filtered dmesg output for the new kernel. (Apparmor enabled.)

Press 'D' to search dmesg, 'S' to search inside files, 'R' to search and replace text or 'Q' to quit
Enter dmesg filter string
error
[sudo] password for root: 
[    1.916179] iwlwifi 0000:02:00.0: Direct firmware load for iwlwifi-7265D-28.ucode failed with error -2
[    4.620913] blk_update_request: I/O error, dev sr0, sector 13776128
[    4.682260] blk_update_request: I/O error, dev sr0, sector 13776368
[    5.069373] blk_update_request: I/O error, dev sr0, sector 13776176
[    5.069386] Buffer I/O error on dev sr0, logical block 3444044, async page read
[    5.139716] blk_update_request: I/O error, dev sr0, sector 13776180
[    5.139733] Buffer I/O error on dev sr0, logical block 3444045, async page read
[    6.677056] blk_update_request: I/O error, dev sr0, sector 13776128
[    6.740164] blk_update_request: I/O error, dev sr0, sector 13776368
[    6.914286] blk_update_request: I/O error, dev sr0, sector 13776176
[    6.914300] Buffer I/O error on dev sr0, logical block 3444044, async page read
[    6.984840] blk_update_request: I/O error, dev sr0, sector 13776180
[    6.984853] Buffer I/O error on dev sr0, logical block 3444045, async page read
Press 'D' to search dmesg, 'S' to search inside files, 'R' to search and replace text or 'Q' to quit
Enter dmesg filter string
warning
[   45.178325] ACPI Warning: \_SB.PCI0.RP01.PXSX._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20170119/nsarguments-95)
[   45.178519] ACPI Warning: \_SB.PCI0.RP01.PXSX._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20170119/nsarguments-95)
[   45.178641] ACPI Warning: \_SB.PCI0.RP01.PXSX._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20170119/nsarguments-95)
[   45.178811] ACPI Warning: \_SB.PCI0.RP01.PXSX._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20170119/nsarguments-95)
[   45.178925] ACPI Warning: \_SB.PCI0.RP01.PXSX._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20170119/nsarguments-95)
[   45.179237] ACPI Warning: \_SB.PCI0.RP01.PXSX._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20170119/nsarguments-95)
[   45.179354] ACPI Warning: \_SB.PCI0.RP01.PXSX._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20170119/nsarguments-95)
[   45.216351] ACPI Warning: \_SB.PCI0.RP01.PXSX._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20170119/nsarguments-95)
[   57.884235] ACPI Warning: \_SB.PCI0.RP01.PXSX._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20170119/nsarguments-95)
Press 'D' to search dmesg, 'S' to search inside files, 'R' to search and replace text or 'Q' to quit

Similarly, Apparmor seems to be working without problems. Here is the Apparmor status output from the new kernel:

Commands: (S)tatus, (E)nable/Disable, (C)omplain/Enforce, (R)eload, (L)ist disabled, (D)mesg, or (Q)uit
[sudo] password for root: 
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /usr/bin/avahi-daemon
   /usr/bin/nscd
   /usr/{bin/traceroute,bin/traceroute.db}
   firejail-default
   ping
0 profiles are in complain mode.
7 processes have profiles defined.
7 processes are in enforce mode.
   firejail-default (966) 
   firejail-default (1192) 
   firejail-default (1224) 
   firejail-default (1233) 
   firejail-default (1241) 
   firejail-default (1258) 
   firejail-default (1277) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
Commands: (S)tatus, (E)nable/Disable, (C)omplain/Enforce, (R)eload, (L)ist disabled, (D)mesg, or (Q)uit

As far as the Auditd package goes, I only install it when I am updating the Apparmor meta-package or have an urgent need to hand write a profile. Basically, I can get all the audit info from dmesg.

For example, doing a few things which I know will generate denied actions in my day to day kernel:

Commands: (S)tatus, (E)nable/Disable, (C)omplain/Enforce, (R)eload, (L)ist disabled, (D)mesg, or (Q)uit
Apparmor search string:
[sudo] password for root: 
[    0.000000] Linux version 4.10.15-zen-zen-apparmor-localmod+ (memyself@mine) (gcc version 6.3.1 20170306 (GCC) ) #1 ZEN SMP PREEMPT Tue May 16 09:55:41 BST 2017
[    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-linux-zen-apparmor-localmod root=UUID=7504bbf8-3e9a-4107-b6e6-35e1f88a6170 rw quiet
[    0.000000] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-linux-zen-apparmor-localmod root=UUID=7504bbf8-3e9a-4107-b6e6-35e1f88a6170 rw quiet
[    0.035046] AppArmor: AppArmor initialized
[    0.680029] AppArmor: AppArmor Filesystem Enabled
[    0.801094] AppArmor: AppArmor sha1 policy hashing enabled
[    1.518915] systemd[1]: systemd 232 running in system mode. (+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
[   27.055456] audit: type=1400 audit(1494945217.727:31): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="firejail-default" name="dev/dri/card0" pid=947 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   27.055480] audit: type=1400 audit(1494945217.727:32): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="firejail-default" name="dev/dri/card0" pid=947 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   27.136321] audit: type=1400 audit(1494945217.807:33): apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/6/net/route" pid=944 comm=4C696E6B204D6F6E69746F72 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   54.314667] audit: type=1400 audit(1494945277.457:34): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="firejail-default" name="dev/dri/card0" pid=1055 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   54.314696] audit: type=1400 audit(1494945277.457:35): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="firejail-default" name="dev/dri/card0" pid=1055 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   58.011537] audit: type=1400 audit(1494945281.153:36): apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/6/net/route" pid=944 comm=4C696E6B204D6F6E69746F72 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   97.065321] audit: type=1400 audit(1494945320.213:37): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="firejail-default" name="dev/dri/card0" pid=1100 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   97.065326] audit: type=1400 audit(1494945320.213:38): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="firejail-default" name="dev/dri/card0" pid=1100 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  129.656304] audit: type=1400 audit(1494945352.804:39): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="firejail-default" name="dev/dri/card0" pid=1137 comm="digikam" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  129.656312] audit: type=1400 audit(1494945352.804:40): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="firejail-default" name="dev/dri/card0" pid=1137 comm="digikam" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Audit search string
[    0.783737] audit: initializing netlink subsys (disabled)
[    0.783802] audit: type=2000 audit(1494948713.776:1): initialized
[    1.518915] systemd[1]: systemd 232 running in system mode. (+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
[    1.587470] systemd[1]: Listening on Journal Audit Socket.
[    1.659620] audit: type=1325 audit(1494945115.352:2): table=filter family=2 entries=0
[    1.659712] audit: type=1300 audit(1494945115.352:2): arch=c000003e syscall=175 success=yes exit=0 a0=7fb887b0b010 a1=1e60 a2=41aada a3=0 items=0 ppid=124 pid=210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" key=(null)
[    1.659713] audit: type=1327 audit(1494945115.352:2): proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0069707461626C655F66696C746572
[    1.679305] audit: type=1325 audit(1494945115.372:3): table=filter family=10 entries=0
[    1.679560] audit: type=1300 audit(1494945115.372:3): arch=c000003e syscall=175 success=yes exit=0 a0=7fe3c39de010 a1=1e30 a2=41aada a3=0 items=0 ppid=124 pid=220 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" key=(null)
[    1.679561] audit: type=1327 audit(1494945115.372:3): proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D006970367461626C655F66696C746572
[    1.682367] audit: type=1325 audit(1494945115.376:4): table=filter family=2 entries=4
[    1.682369] audit: type=1300 audit(1494945115.376:4): arch=c000003e syscall=54 success=yes exit=0 a0=3 a1=0 a2=40 a3=1ad4640 items=0 ppid=204 pid=222 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables-restor" exe="/usr/bin/xtables-multi" key=(null)
[    1.682370] audit: type=1327 audit(1494945115.376:4): proctitle=69707461626C65732D726573746F7265002D6E
[   17.527739] kauditd_printk_skb: 72 callbacks suppressed
[   17.527745] audit: type=1006 audit(1494945208.197:29): pid=511 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=1 res=1
[   17.565973] audit: type=1006 audit(1494945208.237:30): pid=583 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=2 res=1
[   27.055456] audit: type=1400 audit(1494945217.727:31): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="firejail-default" name="dev/dri/card0" pid=947 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   27.055467] audit: type=1300 audit(1494945217.727:31): arch=c000003e syscall=5 success=no exit=-13 a0=5 a1=7ffe5b9af7a0 a2=7ffe5b9af7a0 a3=5e9 items=0 ppid=944 pid=947 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox/firefox" key=(null)
[   27.055472] audit: type=1327 audit(1494945217.727:31): proctitle="/usr/lib/firefox/firefox"
[   27.055480] audit: type=1400 audit(1494945217.727:32): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="firejail-default" name="dev/dri/card0" pid=947 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   27.055487] audit: type=1300 audit(1494945217.727:32): arch=c000003e syscall=5 success=no exit=-13 a0=5 a1=7ffe5b9af8e0 a2=7ffe5b9af8e0 a3=a0 items=0 ppid=944 pid=947 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox/firefox" key=(null)
[   27.055493] audit: type=1327 audit(1494945217.727:32): proctitle="/usr/lib/firefox/firefox"
[   27.136321] audit: type=1400 audit(1494945217.807:33): apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/6/net/route" pid=944 comm=4C696E6B204D6F6E69746F72 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   27.136323] audit: type=1300 audit(1494945217.807:33): arch=c000003e syscall=2 success=no exit=-13 a0=7f8e5742ef0f a1=0 a2=1b6 a3=0 items=0 ppid=938 pid=944 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=4C696E6B204D6F6E69746F72 exe="/usr/lib/firefox/firefox" key=(null)
[   27.136324] audit: type=1327 audit(1494945217.807:33): proctitle="/usr/lib/firefox/firefox"
[   54.314667] audit: type=1400 audit(1494945277.457:34): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="firejail-default" name="dev/dri/card0" pid=1055 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   54.314680] audit: type=1300 audit(1494945277.457:34): arch=c000003e syscall=5 success=no exit=-13 a0=7 a1=7ffdf5cdfe10 a2=7ffdf5cdfe10 a3=5e9 items=0 ppid=1054 pid=1055 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="soffice.bin" exe="/usr/lib/libreoffice/program/soffice.bin" key=(null)
[   54.314687] audit: type=1327 audit(1494945277.457:34): proctitle=2F7573722F6C69622F6C696272656F66666963652F70726F6772616D2F736F66666963652E62696E002D2D73706C6173682D706970653D35
[   54.314696] audit: type=1400 audit(1494945277.457:35): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="firejail-default" name="dev/dri/card0" pid=1055 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   54.314707] audit: type=1300 audit(1494945277.457:35): arch=c000003e syscall=5 success=no exit=-13 a0=7 a1=7ffdf5cdff50 a2=7ffdf5cdff50 a3=374 items=0 ppid=1054 pid=1055 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="soffice.bin" exe="/usr/lib/libreoffice/program/soffice.bin" key=(null)
[   54.314713] audit: type=1327 audit(1494945277.457:35): proctitle=2F7573722F6C69622F6C696272656F66666963652F70726F6772616D2F736F66666963652E62696E002D2D73706C6173682D706970653D35
[   58.011537] audit: type=1400 audit(1494945281.153:36): apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/6/net/route" pid=944 comm=4C696E6B204D6F6E69746F72 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   58.011540] audit: type=1300 audit(1494945281.153:36): arch=c000003e syscall=2 success=no exit=-13 a0=7f8e5742ef0f a1=0 a2=1b6 a3=0 items=0 ppid=938 pid=944 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=4C696E6B204D6F6E69746F72 exe="/usr/lib/firefox/firefox" key=(null)
[   58.011541] audit: type=1327 audit(1494945281.153:36): proctitle="/usr/lib/firefox/firefox"
[   97.065321] audit: type=1400 audit(1494945320.213:37): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="firejail-default" name="dev/dri/card0" pid=1100 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   97.065323] audit: type=1300 audit(1494945320.213:37): arch=c000003e syscall=5 success=no exit=-13 a0=13 a1=7fe1e8132150 a2=7fe1e8132150 a3=5e9 items=0 ppid=1091 pid=1100 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="vlc" exe="/usr/local/bin/vlc" key=(null)
[   97.065324] audit: type=1327 audit(1494945320.213:37): proctitle="vlc"
[   97.065326] audit: type=1400 audit(1494945320.213:38): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="firejail-default" name="dev/dri/card0" pid=1100 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   97.065327] audit: type=1300 audit(1494945320.213:38): arch=c000003e syscall=5 success=no exit=-13 a0=13 a1=7fe1e8132290 a2=7fe1e8132290 a3=a0 items=0 ppid=1091 pid=1100 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="vlc" exe="/usr/local/bin/vlc" key=(null)
[   97.065328] audit: type=1327 audit(1494945320.213:38): proctitle="vlc"
[  129.656304] audit: type=1400 audit(1494945352.804:39): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="firejail-default" name="dev/dri/card0" pid=1137 comm="digikam" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  129.656306] audit: type=1300 audit(1494945352.804:39): arch=c000003e syscall=5 success=no exit=-13 a0=d a1=7ffd585cca10 a2=7ffd585cca10 a3=5e9 items=0 ppid=1134 pid=1137 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="digikam" exe="/usr/bin/digikam" key=(null)
[  129.656307] audit: type=1327 audit(1494945352.804:39): proctitle=646967696B616D002D7177696E646F777469746C65002563
[  129.656312] audit: type=1400 audit(1494945352.804:40): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="firejail-default" name="dev/dri/card0" pid=1137 comm="digikam" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  129.656320] audit: type=1300 audit(1494945352.804:40): arch=c000003e syscall=5 success=no exit=-13 a0=d a1=7ffd585ccb50 a2=7ffd585ccb50 a3=374 items=0 ppid=1134 pid=1137 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="digikam" exe="/usr/bin/digikam" key=(null)
[  129.656321] audit: type=1327 audit(1494945352.804:40): proctitle=646967696B616D002D7177696E646F777469746C65002563
Commands: (S)tatus, (E)nable/Disable, (C)omplain/Enforce, (R)eload, (L)ist disabled, (D)mesg, or (Q)uit

Funnily enough, I was beginning to suspect that something was up because, although Apparmor appears to be up and running, I was never seeing any denied actions. (Not that I check that often.)

For example, here is a similar test to the one above in my ‘linux-hardened-apparmor’ kernel. (Note, the key entry, which I only just noticed after reading your post, is: [    0.000000] audit: disabled (until reboot))

Commands: (S)tatus, (E)nable/Disable, (C)omplain/Enforce, (R)eload, (L)ist disabled, (D)mesg, or (Q)uit
Apparmor search string:
[sudo] password for root: 
[    0.000000] Linux version 4.11.1-hardened-apparmor-localmod (memyself@mine) (gcc version 6.3.1 20170306 (GCC) ) #1 SMP PREEMPT Tue May 16 14:30:01 BST 2017
[    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-linux-hardened-apparmor-localmod root=UUID=7504bbf8-3e9a-4107-b6e6-35e1f88a6170 rw quiet
[    0.000000] Kernel command line: audit=0 BOOT_IMAGE=/boot/vmlinuz-linux-hardened-apparmor-localmod root=UUID=7504bbf8-3e9a-4107-b6e6-35e1f88a6170 rw quiet
[    0.041923] AppArmor: AppArmor initialized
[    0.651421] AppArmor: AppArmor Filesystem Enabled
[    0.774523] AppArmor: AppArmor sha1 policy hashing enabled
[    1.477567] systemd[1]: systemd 232 running in system mode. (+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN)

Audit search string
[    0.000000] Kernel command line: audit=0 BOOT_IMAGE=/boot/vmlinuz-linux-hardened-apparmor-localmod root=UUID=7504bbf8-3e9a-4107-b6e6-35e1f88a6170 rw quiet
[    0.000000] audit: disabled (until reboot)
[    1.477567] systemd[1]: systemd 232 running in system mode. (+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Commands: (S)tatus, (E)nable/Disable, (C)omplain/Enforce, (R)eload, (L)ist disabled, (D)mesg, or (Q)uit

As you can see, I rely heavily on integrating Firejail directly with AppArmor. So, I was glad to hear you confirm: “…. AppArmor seems to work properly- all profiles load as they should, directory access is blocked as it should be, etc….”.

Personally, I was relying on the fact that

  • Firejail-Apparmor doesn’t work without Apparmor

  • It blocks executables from running in the $HOME directory, something the normal Firejail does not do.

I think the thing that most concerns me, though, is the compiler warnings. A procedure overflowing into the next procedure just sounds like such ominously bad news. If anyone would care to put my mind at rest about this, I would be extremely grateful.

Good to hear from you,

Irvine



#5 2017-05-18 00:45:10

GSF1200S
Member
Registered: 2008-12-24
Posts: 474

Re: 'linux-hardened' questions

Sorry for the delay, OP. I will investigate the other things you mention, but I can get your Audit working again. Edit the build config to disable CONFIG_CMDLINE, which is currently set to "audit=0" on linux-hardened (thus automatically disabling Audit). Of course, then also enable AppArmor and disable SELinux (if that's what you want).

If you go the menuconfig route like I do, CONFIG_CMDLINE is found under "Processor type and features."

In terms of the mismatch errors... it's been my experience that /dev/sr0 is usually used for cdrom drives. I hardly use my cdrom at all, and I don't see those messages in dmesg via grep or journalctl at all. Is /dev/sr0 something else on your system? It would help others to know.

According to journalctl I don't have any errors at all except "audit: kauditd hold queue overflow", which I believe is related to some directories I'm blocking from some of my applications that really, really want access there. I think the kernel itself is working without issue. FWIW, the dev of linux-hardened is a really talented guy and did a great job with linux-grsec while grsecurity was open for use; I think I would try to troubleshoot the individual issues. Given all the changes recently in the kernel, your errors might be more related to the kernel version rather than the hardening patches. Just my thoughts..

Out of curiosity, what method are you using to filter dmesg there? Aside from grepping dmesg or using journalctl (where I'm more versed in filtering), I didn't know of any other ways to filter.


#6 2017-05-18 06:21:57

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: 'linux-hardened' questions

Well, I got the Audit messages working, although I have some queries.

Firstly, I have tried "menuconfig", but I vaguely recall having problems with it, so I switched to "nconfig". Anyway, it arranges things slightly differently. Entering "Processor type and features", I couldn’t find the relevant configuration, so I did a search (F8) for “CONFIG_CMDLINE” and got a pop-up telling me about the location.

Before:

 [*] Built-in kernel command line 
                 (audit=0) Built-in kernel command string

When changing it, I got a pop-up asking for a new value, and guessed at 1?

After:

 [*] [*] Built-in kernel command line
                 (audit=1) Built-in kernel command string

The upshot is I am getting audit messages. The confusing thing is, I am also getting similar messages about "audit: kauditd hold queue overflow", which I don’t get in my day-to-day kernel. Also, maybe I misread you, but could you clarify whether you are seeing an error tag attached to the relevant lines?

Here is mine from journalctl (though I get similar output in dmesg):

***kernel: kauditd_printk_skb: 1 callbacks suppressed
***kernel: audit: type=1400 audit(1495082151.663:37): apparmor="DENIED" operation="getattr" 
***kernel: audit: audit_lost=66 audit_rate_limit=0 audit_backlog_limit=64
***kernel: audit: kauditd hold queue overflow
***kernel: audit: type=1300 audit(1495082151.663:37): arch=c000003e syscall=5 success=no 
***kernel: audit: audit_lost=67 audit_rate_limit=0 audit_backlog_limit=64
***kernel: audit: kauditd hold queue overflow

Like I say, in my day-to-day kernel I never see anything about kauditd in dmesg, so if someone could clarify that I am using the correct value for “(audit=1) Built-in kernel command string”, I would be grateful. (Note, I don’t actually use the audit daemon; I just need the correct flag to parse AppArmor denied actions.)

The device “/dev/sr0” is something that has been causing me minor irritations for quite a while. At the time of writing, I have no idea what it is. When playing DVDs, VLC seems to think it’s my cdrom, which, in actuality, is (surprisingly) “/dev/cdrom”.

I am going to have to spend time tracking this down (sigh).

As an aside, I am in the middle of a creative streak, and, for the last month or so, have been inspired by Subgraph OS to try and create something similar. At the moment my main focus is intrusion and malicious software detection. After some experimentation with various off-the-shelf HIDS applications, I decided to write a real-time application suitable for a desktop user like myself. With native Linux capabilities like inotify, it’s actually a lot simpler than you might think. Anyway, as an Asperger with obsessive-compulsive disorder, I currently see this as a minor distraction that is only tolerable because of how it fits into the overall goals of my project.

By the way, I use the same grep filters as you do. I arrived at Arch Linux (via a couple of months with Ubuntu) after the introduction of Windows 10. As a recent Windows user (and more or less a novice with Linux), I was missing my mouse and having problems remembering all the different bash commands. So, I wrote a collection of scripts that let me monitor and control things like AppArmor and Udev, along with a couple of other shells which simulate things like the search/replace GUIs commonly found in the Microsoft world. Hence the strange search commands.

Edit:
I forgot to mention that setting (audit=1) cured the warning about a missing ACPI package! I will probably never understand the connection, but I am not complaining. (smile)

Last edited by IrvineHimself (2017-05-18 09:05:20)
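An added example (my own, not code from any poster in this thread or from the linux-hardened project) that does what the grep filters above do, but in a reusable form: it parses dmesg/journalctl lines of the shapes quoted in this thread, decodes the hex-encoded comm= field (the kernel hex-encodes audit string fields that contain spaces, so comm=4C696E6B204D6F6E69746F72 is "Link Monitor"), and flags audit=0 on the kernel command line, "audit: disabled (until reboot)", and kauditd hold queue overflow together with the audit_lost counter. The two sample logs are constructed from the output shapes shown above, and the set of fields treated as hex-encodable is an assumption.

```python
"""Triage AppArmor/audit messages from dmesg or journalctl on a linux-hardened box.

Added example for this thread, not code from any poster or from linux-hardened.
It parses kernel-log lines of the shapes quoted in the thread, decodes
hex-encoded comm= fields, and flags the conditions discussed: audit=0 on the
built-in command line, "audit: disabled (until reboot)", and kauditd hold
queue overflow with lost records.
"""
import re
from collections import Counter

# Assumption: only these string fields are emitted hex-encoded by the kernel
# audit code; numeric fields such as fsuid=1000 must never be hex-decoded.
HEX_FIELDS = {"comm", "exe", "proctitle", "name"}

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
AUDIT_RE = re.compile(r'audit: type=(\d+) audit\(([\d.]+):(\d+)\): (.*)$')
CMDLINE_RE = re.compile(r'Kernel command line: (.*)$')
LOST_RE = re.compile(r'audit: audit_lost=(\d+) audit_rate_limit=\d+ audit_backlog_limit=(\d+)')


def decode_field(key, raw):
    """Unquote a quoted value, or hex-decode a bare value of a text field.
    comm=4C696E6B204D6F6E69746F72 in the thread decodes to 'Link Monitor'."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        # proctitle separates argv entries with NUL; show that as a space.
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
    return raw


def parse_audit_line(line):
    """Return the fields of an 'audit: type=N audit(ts:serial): ...' line, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = {"type": int(m.group(1)), "ts": float(m.group(2)), "serial": int(m.group(3))}
    for key, raw in FIELD_RE.findall(m.group(4)):
        rec[key] = decode_field(key, raw)
    return rec


def triage(log_text):
    """Scan kernel-log text and summarise audit state plus AppArmor denials."""
    report = {
        "audit_cmdline_disabled": False,  # audit=0 present on the kernel command line
        "audit_disabled_msg": False,      # "audit: disabled (until reboot)" seen
        "queue_overflows": 0,             # kauditd hold queue overflow messages
        "lost_records": 0,                # highest audit_lost= counter seen
        "backlog_limit": None,            # audit_backlog_limit= as reported by the kernel
        "denials": Counter(),             # (profile, comm, operation, name) -> count
    }
    for line in log_text.splitlines():
        cm = CMDLINE_RE.search(line)
        if cm and "audit=0" in cm.group(1).split():
            report["audit_cmdline_disabled"] = True
        if "audit: disabled (until reboot)" in line:
            report["audit_disabled_msg"] = True
        if "kauditd hold queue overflow" in line:
            report["queue_overflows"] += 1
        lm = LOST_RE.search(line)
        if lm:
            report["lost_records"] = max(report["lost_records"], int(lm.group(1)))
            report["backlog_limit"] = int(lm.group(2))
        rec = parse_audit_line(line)
        if rec and rec["type"] == 1400 and rec.get("apparmor") == "DENIED":
            key = (rec.get("profile"), rec.get("comm"), rec.get("operation"), rec.get("name"))
            report["denials"][key] += 1
    return report


# Constructed samples shaped like the thread's output (timestamps/UUID shortened).
HARDENED_AUDIT0 = """\
[    0.000000] Kernel command line: audit=0 BOOT_IMAGE=/boot/vmlinuz-linux-hardened-apparmor-localmod root=UUID=xxxx rw quiet
[    0.000000] audit: disabled (until reboot)
[    0.041923] AppArmor: AppArmor initialized
"""

AUDIT1_WITH_DENIALS = """\
[    0.000000] Kernel command line: audit=1 BOOT_IMAGE=/boot/vmlinuz-linux-hardened-apparmor-localmod root=UUID=xxxx rw quiet
[   27.055456] audit: type=1400 audit(1494945217.727:31): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="firejail-default" name="dev/dri/card0" pid=947 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   27.055480] audit: type=1400 audit(1494945217.727:32): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="firejail-default" name="dev/dri/card0" pid=947 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   27.136321] audit: type=1400 audit(1494945217.807:33): apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/6/net/route" pid=944 comm=4C696E6B204D6F6E69746F72 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   60.000000] audit: audit_lost=66 audit_rate_limit=0 audit_backlog_limit=64
[   60.000001] audit: kauditd hold queue overflow
"""

if __name__ == "__main__":
    for label, text in (("audit=0 boot", HARDENED_AUDIT0), ("audit=1 boot", AUDIT1_WITH_DENIALS)):
        r = triage(text)
        print(f"{label}: cmdline audit=0={r['audit_cmdline_disabled']} "
              f"disabled_msg={r['audit_disabled_msg']} overflows={r['queue_overflows']} "
              f"lost={r['lost_records']} backlog_limit={r['backlog_limit']}")
        for (profile, comm, op, name), n in sorted(r["denials"].items(), key=lambda kv: (-kv[1], str(kv[0]))):
            print(f"  {n}x {profile}: {comm} {op} {name}")
```

On a live system, feed it `dmesg` or `journalctl -k -o cat` output instead of the constructed samples; a non-zero overflow count with a growing audit_lost value means the kernel dropped records before they were logged, so the DENIED list is incomplete.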



#7 2017-05-18 09:46:51

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,911

Re: 'linux-hardened' questions

I do remember the disabling of audit in the stock kernel had to do with audit spamming logs if it was enabled; check the arch-dev-public ML archives.
The kauditd message could be related to that.



IrvineHimself wrote:

The device “/dev/sr0” is something that has been causing me minor irritations for quite a while. At the time of writing, I have no idea what it is. When playing DVDs, VLC seems to think it’s my cdrom, which, in actuality, is, (surprisingly,) “/dev/cdrom”.

In actuality /dev/cdrom is a symlink to the first optical device found in the system.
/dev/sr0 is a block device that points to the first SCSI optical device.

In the past (before the libata kernel driver) optical drives connected through IDE were called hdx, while optical drives connected through SCSI cables were called srx.
Recent kernels (since 5 years ago, or has it been longer?) use libata and only use /dev/srx for optical drives.
(That is valid for cd & dvd drives, including burners and I assume bluray drives are handled the same).


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B) && (time C > time B) ≠ (A works at time C)

Offline

#8 2017-05-18 10:25:21

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: 'linux-hardened' questions

Lone_Wolf wrote:

... In actuality /dev/cdrom is a symlink to the first optical device found in the system.
/dev/sr0 is a block device that points to the first SCSI optical device. ...

Thanks for that, I was just in the process of tracking it down. Some creative filtering of dmesg tied /dev/sr0 to my cdrom. I was in the middle of running some tests when I received your post. Basically, the problem is caused when I leave a read-only DVD in the external rom drive.

For the record, the tests were fairly simple: first I tried booting with the drive unplugged, and then I booted twice more with and without a DVD in the player. With the drive unplugged, (or without a DVD,) the only error is the iwlwifi thingy, (which corrects itself by loading an alternative driver.) When I leave a DVD in the player, evidently(?), it appears to be trying to allocate blocks of read-only memory. (That is just a guess, but it makes sense.)

Your comment about Audit spamming logs also makes sense. Since I can run it quite successfully without the daemon, the enable audit flag is one of my biggest gripes about Apparmor. I am going to have to spend some time trying to figure out why I don't have the kauditd message in my day-to-day Apparmor enabled kernel.

Edit: I should also add that recent events indicate that, (if you don't mind losing systemd notifications of denied actions,) then you don't actually need the audit flag enabled for day-to-day usage either. End Edit

I also need to figure out why I am noticing a couple of dozen compiler warnings about "ProcedureA overflowing into ProcedureB".

Thanks for your input
Irvine

Last edited by IrvineHimself (2017-05-18 10:32:02)


And there it is, it arrives. The piece, the penny, perhaps it arrives with you!

Offline

#9 2017-05-18 17:39:14

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: 'linux-hardened' questions

I updated my day-to-day Apparmor kernel to 4.11.1, (which, by the way, is based on ‘linux-zen’,) and have a little bit more information which may be of general use.

Firstly, I didn’t notice any compilation warnings. I didn’t give it my full attention, but then I don’t give my full attention to the compilation of my ‘linux-hardened’ kernel either.

More interesting though was that, after booting into the new compilation and doing a few things with my usual applications, I grepped dmesg for ‘kaudit’. There was only one entry:

Press 'D' to search dmesg, 'S' to search inside files, 'R' to search and replace text or 'Q' to quit
Enter dmesg filter string
kaudit
[sudo] password for root:
[   25.036856] kauditd_printk_skb: 72 callbacks suppressed
Press 'D' to search dmesg, 'S' to search inside files, 'R' to search and replace text or 'Q' to quit

I found this quite interesting, because in my ‘linux-hardened’ kernel, the same search after a similar time interval produced:

Press 'D' to search dmesg, 'S' to search inside files, 'R' to search and replace text or 'Q' to quit
Enter dmesg filter string
kaudit
[sudo] password for root: 
[   18.044650] kauditd_printk_skb: 168 callbacks suppressed
[   18.044654] audit: kauditd hold queue overflow
[   18.058336] audit: kauditd hold queue overflow
[   28.815863] audit: kauditd hold queue overflow
[   28.815868] audit: kauditd hold queue overflow
[   28.815871] audit: kauditd hold queue overflow
[   58.001258] kauditd_printk_skb: 23 callbacks suppressed
[   58.001275] audit: kauditd hold queue overflow
[   58.001302] audit: kauditd hold queue overflow
[   58.001319] audit: kauditd hold queue overflow
[  303.171506] audit: kauditd hold queue overflow
[  313.760529] audit: kauditd hold queue overflow
[  313.760535] audit: kauditd hold queue overflow
[  313.760537] audit: kauditd hold queue overflow
[  381.916280] kauditd_printk_skb: 1 callbacks suppressed
[  381.916284] audit: kauditd hold queue overflow
[  381.916287] audit: kauditd hold queue overflow
[  381.916289] audit: kauditd hold queue overflow
[  397.111696] audit: kauditd hold queue overflow
[  397.149877] audit: kauditd hold queue overflow
[  397.149883] audit: kauditd hold queue overflow
[ 1146.654693] kauditd_printk_skb: 5 callbacks suppressed
[ 1146.654701] audit: kauditd hold queue overflow
[ 1146.654711] audit: kauditd hold queue overflow
[ 1146.654718] audit: kauditd hold queue overflow
Press 'D' to search dmesg, 'S' to search inside files, 'R' to search and replace text or 'Q' to quit

Investigating further,  I made copies of the respective ‘config.gz’ archives to check for differences in how audit was configured.

Zen-Apparmor-LocalMod:

....
# CONFIG_USELIB is not set
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
...
# CONFIG_LEGACY_VSYSCALL_NONE is not set
# CONFIG_CMDLINE_BOOL is not set
CONFIG_MODIFY_LDT_SYSCALL=y
CONFIG_HAVE_LIVEPATCH=y
....

Hardened-Apparmor-LocalMod:

....
# CONFIG_USELIB is not set
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
....
CONFIG_LEGACY_VSYSCALL_NONE=y
CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="audit=1"
# CONFIG_CMDLINE_OVERRIDE is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set
CONFIG_HAVE_LIVEPATCH=y
....

As you can see, the difference is not in the configuration of audit, but in the command line boolean.

Finally, I have been giving the problem of audit spamming the logs some thought, and, in my particular usage case, I may actually be better off leaving the command line boolean at ‘(audit=0)’. Yes, I am curious about ‘Apparmor denied actions’, and I am very curious about how this all fits together; but, without installing the Audit package and taking the extra bloat and additional performance hit, any knowledge to be gained about a potential attack would be long after the fact.

To put it another way, once I get the kinks out of my HIDS project, I will have much more detailed, real time knowledge about what any potential malicious software, (or intruder,) has been up to than I could ever hope to get from ‘Apparmor denied actions’.

As it stands, I have a basic working prototype, and it’s now mainly a case of deciding what to watch, at what level of scrutiny. There are a few other interesting problems, like, for example, hiding and locking the ‘kill switch’, but essentially, it boils down to finding a balance that avoids spamming the desktop with alerts, but still maintains good coverage.

I look forward to hearing expert input
Irvine


And there it is, it arrives. The piece, the penny, perhaps it arrives with you!

Offline
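The config comparison in the post above was done by eye. As an added example (my own script, not something from the thread), here is a small Python tool that parses two kernel configs, plain or gzipped such as /proc/config.gz, reports every option that differs, and pulls the `audit=` setting out of the built-in command line. It is fed the two snippets quoted in the post, trimmed exactly as they appear there; the file names in the usage line are placeholders.

```python
"""Diff two kernel .config files and inspect the built-in command line (added example)."""
import gzip
import re

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

# The two excerpts quoted in the thread, used here as constructed sample input.
ZEN_CONFIG = """
# CONFIG_USELIB is not set
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
# CONFIG_LEGACY_VSYSCALL_NONE is not set
# CONFIG_CMDLINE_BOOL is not set
CONFIG_MODIFY_LDT_SYSCALL=y
CONFIG_HAVE_LIVEPATCH=y
"""

HARDENED_CONFIG = """
# CONFIG_USELIB is not set
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_LEGACY_VSYSCALL_NONE=y
CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="audit=1"
# CONFIG_CMDLINE_OVERRIDE is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set
CONFIG_HAVE_LIVEPATCH=y
"""


def parse_config(text):
    """Map CONFIG_* -> value. '# CONFIG_X is not set' becomes 'n'; quoted strings lose their quotes.
    Lines that are neither form (comments, blank lines, '....' elisions) are ignored."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            value = m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            opts[m.group(1)] = value
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def load_config(path):
    """Read a .config from disk; .gz files (e.g. /proc/config.gz) are decompressed on the fly."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as f:
        return parse_config(f.read())


def diff_configs(a, b):
    """{option: (value_in_a, value_in_b)} for every option whose value differs.
    An option missing from one side is reported as None there."""
    return {key: (a.get(key), b.get(key))
            for key in sorted(set(a) | set(b))
            if a.get(key) != b.get(key)}


def builtin_cmdline(opts):
    """The compiled-in command line, or '' when CONFIG_CMDLINE_BOOL is off."""
    if opts.get("CONFIG_CMDLINE_BOOL") != "y":
        return ""
    return opts.get("CONFIG_CMDLINE", "")


def audit_boot_default(opts):
    """Value of audit= in the built-in command line, or None if it is not pinned there."""
    for token in builtin_cmdline(opts).split():
        if token.startswith("audit="):
            return token[len("audit="):]
    return None


if __name__ == "__main__":
    # Real usage: zen = load_config("/path/to/zen-config.gz")  (placeholder path)
    zen, hardened = parse_config(ZEN_CONFIG), parse_config(HARDENED_CONFIG)
    for key, (va, vb) in diff_configs(zen, hardened).items():
        print(f"{key}: zen={va!r} hardened={vb!r}")
    print("built-in audit default:", audit_boot_default(zen), "vs", audit_boot_default(hardened))
```

Two caveats when reading the output. Diffing trimmed excerpts reports options that are merely absent from one excerpt (CONFIG_CMDLINE_OVERRIDE here), so compare whole files. And `audit_boot_default` only reports the compiled-in value: with CONFIG_CMDLINE_OVERRIDE unset, the boot loader's parameters are still appended to the built-in line, so an `audit=0` passed from the boot loader would still take effect.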
