Topic: Apparmor profile for Qubes available!
| Before | After |
| --- | --- |
| So after many tests and reading documentation about the syntax for AppArmor, I finally created some AppArmor profiles specially for **Qubes**. | So after many tests and reading documentation about the syntax for AppArmor, I finally created some AppArmor profiles specially for **Qubes**. https://codeberg.org/dkzkz/apparmor-qubes |
| `include <tunables/global>` | `include <tunables/global>` |
| `capability sys_ptrace,` | `capability sys_ptrace, network inet dgram, network inet stream, network inet6 dgram, network inet6 stream, network netlink raw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny @{run}/user/@{uid}/gnome-shell-disable-extensions w, deny @{PROC}/pressure/* r, deny /* r, deny @{HOME}/ r, deny @{HOME}/*/ r, deny @{HOME}/.* r, owner @{HOME}/Downloads/ r, owner @{HOME}/Downloads/ w, owner @{HOME}/Downloads/** r, owner @{HOME}/Downloads/** w,` |
| | `@{PROC}/@{pid}/net/arp r, @{PROC}/@{pid}/net/if_inet6 r, @{PROC}/@{pid}/net/route r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj w, owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/smaps r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 owner /run/user/1000/dconf/* rw,` |
| `deny owner /home/user/.xsession-errors r,` | `deny owner /home/user/.xsession-errors r,` |
| Edit 2: Added an explanation to tell the users not to use firejail | Edit 2: Added an explanation to tell the users not to use firejail. Edit 3: I removed the "deny network" rule; it makes nautilus not work at all. I will find another way. |
| "**Can I use firejail with your profiles?**" You **shouldn't do it**; in fact, using firejail will only [increase the possibility of an attack](https://www.kicksecure.com/wiki/Dev/Firejail). The creator of Firejail has said himself: "Don't use this on enterprise servers, or any other multiuser system. Firejail was built for single-user desktops." Maybe you could use firejail with my AppArmor profiles, but I didn't test to see if it works and **I will never do it**, because I've tested firejail for a long time with Qubes and some applications weren't properly starting with firejail, so they were running without any protection, which makes firejail **useless**. For example, Nautilus wasn't launching with firejail, so I had to find a trick to force Nautilus to run under firejail, which is frustrating to do. **There is a good reason why Tails, Whonix or Secureblue do not rely on firejail** to secure a system; they rely only on AppArmor or SELinux or Secureblue. | |
| Nautilus does not have internet access and can't access the root filesystem; nautilus can only | Nautilus does not have internet access and can't access the root filesystem; nautilus can only access all folders inside the home directory. |
| Edit: Just to make sure your appvm and dispvm are really using AppArmor, go to the **settings** of both VMs and click on "**Services**", then select "**apparmor**" and click on "**apply**". It might be possible that the apparmor service doesn't appear in the list of Services; in that case click on "(**custom...)**" and click on "**Add**", then type "**apparmor**" and apply. | Edit: Just to make sure your appvm and dispvm are really using AppArmor, go to the **settings** of both VMs and click on "**Services**", then select "**apparmor**" and click on "**apply**". It might be possible that the apparmor service doesn't appear in the list of Services; in that case click on "(**custom...)**" and click on "**Add**", then type "**apparmor**" and apply. Edit 2: Added an explanation to tell the users not to use firejail |
| I think I will create a GitHub repo in the future for the future AppArmor profiles and maintain those profiles as long as QubesOS survives. The next profiles I'm planning to add will be Network-Manager, Brave and Thunar. But first I need to see if people have some issues with the firefox and nautilus profiles. | I think I will create a GitHub repo in the future for the future AppArmor profiles and maintain those profiles as long as QubesOS survives. The next profiles I'm planning to add will be Network-Manager, Brave and Thunar. But first I need to see if people have some issues with the firefox and nautilus profiles. Edit: Just to make sure your appvm and dispvm are really using AppArmor, go to the **settings** of both VMs and click on "**Services**", then select "**apparmor**" and click on "**apply**". It might be possible that the apparmor service doesn't appear in the list of Services; in that case click on "(**custom...)**" and click on "**Add**", then type "**apparmor**" and apply. |
| ```sudo apt-get -y install apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure``` | ``` sudo apt-get -y install apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure ``` |
| ```qvm-prefs x kernelopts "swiotlb=2048 security=apparmor"``` | ``` qvm-prefs x kernelopts "swiotlb=2048 security=apparmor" ``` |
| `sudo aa-enabled` | ``` sudo aa-enabled ``` |
| `deny owner /home/user/.xsession-errors r,` | `deny owner /home/user/.xsession-errors r, deny network,` |
| 9. Then | 9. Then run ``` sudo aa-enforce /etc/apparmor.d/nautilus && sudo aa-enforce /etc/apparmor.d/firefox ``` 12. If an error appears about a protocol, you can ignore this error. I don't know why exactly it happens, but run the 9 commands again until it stops complaining; I had to run it 2 or 3 times for it to work. 13. It's done; now firefox and nautilus are running under AppArmor with strict permissions. |
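An added example, not code from the post or from the apparmor-qubes repository, that parses profile fragments shaped like the rules quoted above and reports the properties the post claims for them: which `network` rules are granted, whether a blanket `deny network,` is present (the rule Edit 3 removed because Nautilus stopped working), whether `deny /* r,` blocks reads of the root filesystem, and which paths end up writable. The two fragments embedded below are constructed from rules quoted in the post, not copied from the repository, and the parsing is a simplified reading of AppArmor rule syntax (an assumption, not the official parser): it handles `deny`/`owner`/`audit` qualifiers, trailing `#` comments, and commas inside `{a,b}` alternations such as `gvfs-metadata/{,*}`, which a naive split on commas would break.

```python
"""Audit an AppArmor profile fragment for the properties described in the
post: whether networking is granted, whether a blanket "deny network," is
present, whether reads of the root filesystem are denied, and which paths
are writable. Added example, not code from the apparmor-qubes repository.
The parsing below is a simplified reading of AppArmor rule syntax (an
assumption), enough for the rule shapes quoted in the post."""
import re
from dataclasses import dataclass
from typing import Iterator, List

# Constructed fragments modelled on rules quoted in the post (not the
# repository's profiles). The second one carries the "deny network," rule
# that Edit 3 of the post removed again.
FIREFOX_FRAGMENT = """
include <tunables/global>
capability sys_ptrace,
network inet stream, network inet6 stream,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
deny /* r,
deny @{HOME}/ r,
owner @{HOME}/Downloads/ r, owner @{HOME}/Downloads/ w,
owner @{HOME}/Downloads/** r, owner @{HOME}/Downloads/** w,
owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
"""

NAUTILUS_FRAGMENT = """
include <tunables/global>
deny network,
deny /* r,
owner @{HOME}/ r,
owner @{HOME}/** rw,
deny owner /home/user/.xsession-errors r,
"""


@dataclass
class Rule:
    deny: bool
    owner: bool
    kind: str   # "include", "capability", "network", "file" or "other"
    body: str   # rule text without deny/owner qualifiers and trailing comma


def _split_rules(line: str) -> Iterator[str]:
    """Yield comma-terminated rules, ignoring commas inside {a,b} globs."""
    depth, buf = 0, []
    for ch in line:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth = max(0, depth - 1)
        if ch == "," and depth == 0:
            yield "".join(buf).strip()
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:  # e.g. "include <tunables/global>" has no trailing comma
        yield tail


def parse_rules(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        # strip a "# comment" but keep a legacy "#include <...>" directive
        line = re.sub(r"(^|\s)#(?!include\b).*$", "", raw).strip()
        for chunk in _split_rules(line):
            tokens = chunk.split()
            deny = owner = False
            while tokens and tokens[0] in ("deny", "owner", "audit"):
                qualifier = tokens.pop(0)
                deny = deny or qualifier == "deny"
                owner = owner or qualifier == "owner"
            if not tokens:
                continue
            head = tokens[0]
            if head in ("include", "#include"):
                kind = "include"
            elif head in ("capability", "network"):
                kind = head
            elif head.startswith(("/", "@{")):
                kind = "file"
            else:
                kind = "other"
            rules.append(Rule(deny, owner, kind, " ".join(tokens)))
    return rules


def _path_and_perms(rule: Rule):
    """Split a file rule body such as "@{HOME}/Downloads/** w" into (path, perms)."""
    path, _, perms = rule.body.rpartition(" ")
    return path, perms


def audit(text: str) -> dict:
    rules = parse_rules(text)
    files = [r for r in rules if r.kind == "file"]
    return {
        "network_allowed": [r.body[len("network"):].strip()
                            for r in rules if r.kind == "network" and not r.deny],
        "network_denied_all": any(r.kind == "network" and r.deny and r.body == "network"
                                  for r in rules),
        "root_read_denied": any(r.deny and _path_and_perms(r) == ("/*", "r") for r in files),
        "writable_paths": sorted({_path_and_perms(r)[0] for r in files
                                  if not r.deny and "w" in _path_and_perms(r)[1]}),
    }


if __name__ == "__main__":
    for name, fragment in (("firefox", FIREFOX_FRAGMENT), ("nautilus", NAUTILUS_FRAGMENT)):
        print(name, audit(fragment))
```

Run it on a real profile by reading the file into `audit()`; the `writable_paths` list is the quickest way to confirm that a profile meant for Downloads-only writes has not picked up a broader `owner @{HOME}/** rw,` rule, and `network_denied_all` shows whether the blanket deny is still in place before `aa-enforce` is run.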