#1 2014-03-28 23:16:24

Knusperkeks
Member
From: Germany
Registered: 2012-07-14
Posts: 26

Security advice on mandatory access control

Hi,

I'm trying to optimize my Arch setup and also want to improve my security, so I came across the MAC stuff and would like to hear your opinion.
My use case is normal browsing/coding/multimedia stuff, so nothing special.
I try to maintain my system with care and only install/run stuff I really need and trust somehow.
Now reading the wiki I found articles about these MAC solutions, but I couldn't figure out how much these could improve my system, considering the fact that I have to somehow configure all the stuff more or less. Is it really worth dealing with them as a normal user and if yes, which one?
Unfortunately neither the wiki nor Google helped me with general recommendations, so I put my hope in your experiences :)

Greetings
Knusperkeks

#2 2014-03-29 08:03:00

Gcool
Member
Registered: 2011-08-16
Posts: 1,456

Re: Security advice on mandatory access control

I think you're going to have to be a bit more specific than "MAC stuff". What are you referring to exactly?

As far as general security/improvement of your system goes, I would suggest giving this a read.


Burninate!

#3 2014-03-29 10:12:12

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Security advice on mandatory access control

Knusperkeks wrote:

Is it really worth dealing with them as a normal user

"Normal" users are sadly clueless about security.

Browsers, especially when combined with flash & java, are being pwned constantly.

I use, and recommend, AppArmor.

#4 2014-03-29 20:42:08

Knusperkeks
Member
From: Germany
Registered: 2012-07-14
Posts: 26

Re: Security advice on mandatory access control

@Gcool: By "MAC stuff" I was referring to these mandatory access control solutions like AppArmor, TOMOYO and grsecurity.

@brebs: Is there a practical or technical reason you prefer AppArmor over TOMOYO and grsecurity?
You're absolutely right, many users tend to ignore security aspects, but finding useful AND understandable information is also not the easiest task sometimes.
I found quite a lot of stuff even here in our wiki; however, I miss something like a comparison and/or advice.

#5 2014-03-29 22:22:21

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Security advice on mandatory access control

From my personal experience with tomoyo I'd say that if you use your machine as a desktop machine, it will not be easy to come up with policies that provide a good balance between security and usability. It will be even harder if your machine has more than one user, which it can have if for some reason you create a test account for debugging problems.

By all means do read about the different MAC systems and try the one you think you will be most comfortable with, but I'd say to pick the low hanging fruit first and then give MAC a try.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

#6 2014-03-29 22:26:00

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Security advice on mandatory access control

AppArmor files use a convenient BASH-like syntax, and can have common requirements grouped for easy specification.

It's used by Ubuntu and openSUSE, so has big distro players behind it, and development is active.

Oh, just see pf thread.

The only disadvantage of AppArmor that I see is that it needs a kernel patch (or two, depending on the kernel version).

#7 2014-03-29 23:58:35

0strodamus
Member
Registered: 2014-01-22
Posts: 95

Re: Security advice on mandatory access control

I like TOMOYO. Developing policy using tomoyo-queryd is pretty straightforward. I use it to control network access for all applications, with Wine, Firefox, and Thunderbird being the only programs with full restrictions applied. My suggestion would be to take each one for a spin in Virtualbox and see what you like best.


archlinux | OpenRC | TOMOYO Linux | Xfce

"In his house at R'lyeh dead Cthulhu waits dreaming."

#8 2014-03-30 14:08:43

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Security advice on mandatory access control

I can only talk about tomoyo because I'm not familiar with other MAC systems. My reason for choosing it was that everything needed was already in the repos.

brebs wrote:

AppArmor files use a convenient BASH-like syntax, and can have common requirements grouped for easy specification.

Tomoyo's syntax can be a little tricky since it requires a good amount of escaping and it can get tiresome after a while, so I guess apparmor might be easier in that regard. Tomoyo does allow you to make permission groups that you can use as many times as you want, or you can specify them as global permissions; it all depends on how common certain things are.

I don't know about apparmor but tomoyo allows you to get into the nitty gritty details of what each program can do, up to the point where it can get tiresome. I didn't elaborate much on it in my last post because I don't want to discourage anyone from trying it or any other MAC system.

With tomoyo you can specify if a program is allowed to read/write/unlink/truncate/rename files, mkdir/rmdir directories, which chmod values it can use, which values it can use with chown, if you allow it to use tcp/udp/unix sockets, which ioctls it can use, just to name a few common things that will show up in policy files.

Tomoyo can learn all this by recording what a program accesses, then you want to use a utility (tomoyo-patternize) to reduce the amount of rules. Many things can be reduced to a simple rule (imagine access to a program's config directory). This is where the trouble starts because the config file tomoyo-patternize uses is very bare. You will also find that you may need to take into account not only the program itself but also the toolkit it uses and other things like fontconfig.

One problem that might be common to both tomoyo and apparmor is that if a program's behavior changes slightly, then things will break in subtle ways and you will only find out when you are short on time and really need things to work, unless you are more lax where you allow programs to have free rein, and then you may be leaving some security hole open.

I'm not using tomoyo now but it can be a nice tool to use when you want to find out what a program is doing. Like I said in my previous post, pick the low hanging fruit first, there are other things that can be set and almost forgotten and will not break anything, then give MAC a try and be sure to check regularly if you have to update the security policy.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
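
The rule reduction described in post #8, sketched as an added example that is not part of the thread and is not tomoyo-patternize itself: learned TOMOYO-style file rules are collapsed to `\*` patterns, then checked for what the reduced policy now admits. The sample lines, paths and the `COLLAPSE_DIRS` list are constructed for illustration.

```python
import re

# Constructed sample of what learning mode might record for one program
# (TOMOYO-style "file <op> <path>" lines; all paths are made up).
LEARNED = """\
file read /home/alice/.config/viewer/settings.ini
file read /home/alice/.config/viewer/recent.list
file write /home/alice/.config/viewer/settings.ini
file read /usr/share/fonts/TTF/DejaVuSans.ttf
file read /usr/share/fonts/TTF/DejaVuSerif.ttf
file read /etc/fonts/fonts.conf
""".splitlines()

# Hypothetical reduction rules: directories whose direct children are
# collapsed into one wildcard entry. Not tomoyo-patternize's config format.
COLLAPSE_DIRS = ["/home/alice/.config/viewer", "/usr/share/fonts/TTF"]


def patternize(lines, collapse_dirs):
    """Rewrite paths directly under the given directories to dir/\\* and dedupe."""
    out = []
    for line in lines:
        kind, op, path = line.split(" ", 2)
        parent, _, _name = path.rpartition("/")
        if parent in collapse_dirs:
            path = parent + "/\\*"
        rule = f"{kind} {op} {path}"
        if rule not in out:
            out.append(rule)
    return out


def allows(rules, op, path):
    """Check one file access; \\* matches any characters except '/'."""
    for rule in rules:
        _, rule_op, pattern = rule.split(" ", 2)
        regex = "[^/]*".join(re.escape(p) for p in pattern.split("\\*"))
        if rule_op == op and re.fullmatch(regex, path):
            return True
    return False


RULES = patternize(LEARNED, COLLAPSE_DIRS)

if __name__ == "__main__":
    print(f"{len(LEARNED)} learned lines -> {len(RULES)} rules")
    for r in RULES:
        print(" ", r)
    # Wider than what was learned: recent.list was only ever read.
    print(allows(RULES, "write", "/home/alice/.config/viewer/recent.list"))
    print(allows(RULES, "read", "/home/alice/.ssh/id_rsa"))
```

The reduced policy still covers every learned access, but it also permits a write to `recent.list`, which learning mode only saw being read; that widening is the usability/security trade-off the post refers to.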
