1
1
Fork
You've already forked bootc
1

security hardening #32

Open
opened 2024年10月19日 19:19:08 +02:00 by boredsquirrel · 5 comments

The secureblue project has done a lot of testing, following a "if it may be insecure or we dont know how to fix it, we turn it off" approach.

This results in an often worse UX, but the benefits are there.

Big issues are especially

  • removals of base packages, which cannot be layered again, due to how OCI container builds work
  • firewall rules being all removed, making some things hard to get working again

A ton of other issues where ironed out already.

kernel arguments

For example the kargs, included in their just file.

I discovered a bug back then on my crappy Lenovo Thinkpad firmware, so some are called "unstable" (they are not unstable, they simply break boot on some strange proprietary firmware). I run 3 coreboot laptops (EDK2, Heads, Dasharo) all with those "unstable" kargs without issues.

disabling/enabling CUPS on demand

This is always a good measurement.

hardened_malloc

This is a security hardened memory allocator, forked by GrapheneOS developers from the OpenBSD project. It works really fine on Desktop linux too. Chromium works, desktops and apps all work.

using hardened_malloc has some drawbacks, mainly:

  • the implementation is not clean, normally you would need to recompile glibc with hardend_malloc afaik. Instead, secureblue just preloads it with LD_PRELOAD
  • firefox uses it's own memory allocator "mozjemalloc" which results in a crash when using hardened_malloc with LD_PRELOAD. For that reason, Fedora Firefox allows using different mallocs and I tested it and it works. Torbrowser devs thought about it, not sure about the progress in Librewolf, may be done too.
  • Electron apps dont use hardened_malloc because they do some magic
  • flatpak apps need a whole in their sandbox to read that library. otherwise, a flatpak runtime extension would be needed, which doesnt yet exist
  • the LD_PRELOAD method may just not break the system as many components dont respect it.
  • when recompiling core components for hardened_malloc, you dont have a fallback, like you have in GrapheneOS (where you can disabled hardened_malloc per app)

removal of insecure remote desktop apps

KRFP (VNC) is an example, it supposedly works but is unencrypted?

Instead, KRDP (RDP) can be used, but RDP requires nonfree codecs like h264 afaik.

Not sure about GNOME.

bubblejail

This is a pre-release application, more or less experimental. It is built on COPR using this or this spec file.

Background, Browser Sandboxes

Flatpak has some issues, like the generalized but restrictive seccomp filter on all apps.

That filter prevents apps from creating their own user namespaces, meaning browsers cannot normally work.

Chromium uses a fork server called "zygote" which can be tricked to use "flatpak spawn" instead, so Chromium browsers kinda work. The security of that process is unclear, it may not be well enough restricted (especially comparing the amounts of money flowing into bubblewrap vs. the Chromium process Sandbox) but in theory it can be better, as the browser itself is sandboxed too.

Firefox... has no fork server, so it cannot use this approach. The Flatpak is insecure and simply doesnt use any filesystem sandboxing with namespaces at all. Instead it just uses seccomp-bpf and that is it.

This means, Firefox should not be used as a Flatpak. Not sure about preinstalling, but running Firefox ESR is probably not very cool. Also, some people might want to update their browser while not rebooting their system.

The fix

Bubblejail allows to sandbox system applications with a more flexible bubblejail sandbox, in theory allowing an RPM firefox to run, sandbox its processes and still be sandboxed itself.

It requires /usr/share/applications/ desktop entries for now, so it does not work for things like the Firefox tar archive.

Also, Firefox doesnt like it at all, I got tons of strange issues like crashes and things that felt like memory leaks.

Chromium on the other hand works fine afaik, and could already profit from bubblejail.

Security certificates / levels in Anaconda

Currently, the security presets in the Anaconda installer dont work either, not sure how this could be fixed.

The secureblue project has done a lot of testing, following a "if it may be insecure or we dont know how to fix it, we turn it off" approach. This results in an often worse UX, but the benefits are there. Big issues are especially - removals of base packages, which cannot be layered again, due to how OCI container builds work - firewall rules being all removed, making some things hard to get working again A ton of other issues where ironed out already. ## kernel arguments For example the kargs, [included in their just file](https://github.com/secureblue/secureblue/blob/live/files/system/usr/share/ublue-os/just/70-secureblue.just). I discovered a bug back then on my crappy Lenovo Thinkpad firmware, so some are called "unstable" (they are not unstable, they simply break boot on some strange proprietary firmware). I run 3 coreboot laptops (EDK2, Heads, Dasharo) all with those "unstable" kargs without issues. ## disabling/enabling CUPS on demand This is always a good measurement. ## hardened_malloc This is a security hardened memory allocator, forked by GrapheneOS developers from the OpenBSD project. It works really fine on Desktop linux too. Chromium works, desktops and apps all work. using hardened_malloc has some drawbacks, mainly: - the implementation is not clean, normally you would need to recompile glibc with hardend_malloc afaik. Instead, secureblue just preloads it with LD_PRELOAD - firefox uses it's own memory allocator "mozjemalloc" which results in a crash when using hardened_malloc with LD_PRELOAD. For that reason, Fedora Firefox allows using different mallocs and I tested it and it works. Torbrowser devs thought about it, not sure about the progress in Librewolf, may be done too. - Electron apps dont use hardened_malloc because they do some magic - flatpak apps need a whole in their sandbox to read that library. otherwise, a flatpak runtime extension would be needed, which doesnt yet exist - the LD_PRELOAD method may just not break the system as many components dont respect it. - when recompiling core components for hardened_malloc, you dont have a fallback, like you have in GrapheneOS (where you can disabled hardened_malloc per app) ## removal of insecure remote desktop apps KRFP (VNC) is an example, it supposedly works but is unencrypted? Instead, KRDP (RDP) can be used, but RDP requires nonfree codecs like h264 afaik. Not sure about GNOME. ## [bubblejail](https://github.com/igo95862/bubblejail/issues) This is a pre-release application, more or less experimental. It is [built on COPR](https://copr.fedorainfracloud.org/coprs/secureblue/bubblejail) using [this](https://github.com/secureblue/fedora-extras/tree/main/bubblejaill) or [this](https://github.com/rusty-snake/fedora-extras/tree/main/bubblejail) spec file. ### Background, Browser Sandboxes Flatpak has some issues, like the generalized but restrictive seccomp filter on all apps. That filter prevents apps from creating their own user namespaces, meaning browsers cannot normally work. Chromium uses a fork server called "zygote" which can be tricked to use "flatpak spawn" instead, so Chromium browsers kinda work. The security of that process is unclear, it may not be well enough restricted (especially comparing the amounts of money flowing into bubblewrap vs. the Chromium process Sandbox) but in theory it can be better, as the browser itself is sandboxed too. Firefox... has no fork server, so it cannot use this approach. The Flatpak is insecure and simply doesnt use any filesystem sandboxing with namespaces at all. Instead it just uses seccomp-bpf and that is it. This means, Firefox should not be used as a Flatpak. Not sure about preinstalling, but running Firefox ESR is probably not very cool. Also, some people might want to update their browser while not rebooting their system. ### The fix Bubblejail allows to sandbox system applications with a more flexible bubblejail sandbox, in theory allowing an RPM firefox to run, sandbox its processes and still be sandboxed itself. It requires /usr/share/applications/ desktop entries for now, so it does not work for things like the Firefox tar archive. Also, Firefox doesnt like it at all, I got tons of strange issues like crashes and things that felt like memory leaks. Chromium on the other hand works fine afaik, and could already profit from bubblejail. ## Security certificates / levels in Anaconda Currently, the security presets in the Anaconda installer dont work either, not sure how this could be fixed.
Owner
Copy link

I love the idea of opt-in security configuration via scripts.

Two objectives to keep in mind:

  • There should be a simple way to undo each change if possible.
  • We need to have a clear support policy for each change or perhaps for all of these
I love the idea of opt-in security configuration via scripts. Two objectives to keep in mind: - There should be a simple way to undo each change if possible. - We need to have a clear support policy for each change or perhaps for all of these

yes absolutely. I think we can just make a short list of things, which need new custom implementations, or which can just be added.

already possible security audit tools

  • lynis (see my PR) (generalistic security auditing tool)
  • audit-secureblue (that is huge, it tests for all their security measurements below, in one single command)

on/off possible via just

  • 1 kargs with set-kargs-hardening and remove-kargs-hardening (#28 is relevant here for extra failsafety)
  • 2 toggle-cups
  • 3 toggle-bluetooth-modules
  • 4 toggle-gnome-extensions
  • 5 flexibly override-enable-module
  • 6 toggle-gnome-jit-js toggle the ability for GNOME extensions to run just-in-time Javascript
  • 7 toggle-xwayland for GNOME, KDE and Sway, that one is really cool
  • 8 toggle-bash-environment-lockdown
  • (KDE) toggle-ghns toggle the "get new stuff" backend to prevent installing malicious addons

on/off questionable / not yet implemented

  • a setup-usbguard (which allows all currently connected USB devices, disabling it entirely needs to be implemented
  • b SELinux confined users
  • c hardened Flatpak configs (all options in yafti should have a hardening config, I have a bunch, but they are not yet open sourced, will do here.
yes absolutely. I think we can just make a short list of things, which need new custom implementations, or which can just be added. already possible security audit tools - [ ] lynis (see my PR) (generalistic security auditing tool) - [ ] `audit-secureblue` (that is huge, it tests for all their security measurements below, in one single command) on/off possible via just - [ ] 1 kargs with `set-kargs-hardening` and `remove-kargs-hardening` (#28 is relevant here for extra failsafety) - [ ] 2 `toggle-cups` - [ ] 3 `toggle-bluetooth-modules` - [ ] 4 `toggle-gnome-extensions` - [ ] 5 flexibly `override-enable-module` - [ ] 6 `toggle-gnome-jit-js` toggle the ability for GNOME extensions to run just-in-time Javascript - [ ] 7 `toggle-xwayland` for GNOME, KDE and Sway, that one is really cool - [ ] 8 `toggle-bash-environment-lockdown` - [ ] - [ ] (KDE) `toggle-ghns` toggle the "get new stuff" backend to prevent installing malicious addons on/off questionable / not yet implemented - [ ] a `setup-usbguard` (which allows all currently connected USB devices, disabling it entirely needs to be implemented - [ ] b SELinux confined users - [ ] c hardened Flatpak configs (all options in yafti should have a hardening config, I have a bunch, but they are not yet open sourced, [will do here](https://codeberg.org/boredsquirrel/dotfiles).
Owner
Copy link

lynis

Out of scope, as mentioned in #29

audit-secureblue

Is this an existing script that we can fetch?

1 kargs with set-kargs-hardening and remove-kargs-hardening (#28 is relevant here for extra failsafety)

We might be able to use sed to do this, see https://docs.fedoraproject.org/en-US/bootc/kernel-args/#_modifying_kernel_arguments_on_existing_systems

2 toggle-cups

This should be possible with a simple script that checks systemd

3 toggle-bluetooth-modules

Same as cups

4 toggle-gnome-extensions

We should be able to use the gnome-extensions CLI for this without much difficulty

5 flexibly override-enable-module

What does this entail?

6 toggle-gnome-jit-js toggle the ability for GNOME extensions to run just-in-time Javascript

What does this entail?

7 toggle-xwayland

We should be able to modify the systemd unit file for org.gnome.Shell@wayland.service

8 toggle-bash-environment-lockdown

What does this entail?

> lynis Out of scope, as mentioned in https://codeberg.org/HeliumOS/bootc/pulls/29 > audit-secureblue Is this an existing script that we can fetch? > 1 kargs with set-kargs-hardening and remove-kargs-hardening (#28 is relevant here for extra failsafety) We might be able to use sed to do this, see https://docs.fedoraproject.org/en-US/bootc/kernel-args/#_modifying_kernel_arguments_on_existing_systems > 2 toggle-cups This should be possible with a simple script that checks systemd > 3 toggle-bluetooth-modules Same as cups > 4 toggle-gnome-extensions We should be able to use the gnome-extensions CLI for this without much difficulty > 5 flexibly override-enable-module What does this entail? > 6 toggle-gnome-jit-js toggle the ability for GNOME extensions to run just-in-time Javascript What does this entail? > 7 toggle-xwayland We should be able to modify the systemd unit file for org.gnome.Shell@wayland.service > 8 toggle-bash-environment-lockdown What does this entail?

Hi there, I switched back to Kinoite for now, will probably join again when CentOS 10 with EPEL 10 and KDE Plasma 6 is out.

To the things, yes I am also not too happy with ujust, as it is just a single file, spaghetti code.

But secureblue already manages this, which makes maintenance easier. Here is the file, I think you have overlooked it

https://github.com/secureblue/secureblue/blob/live/files/system/usr/share/ublue-os/just/70-secureblue.just

Secureblue people keep investigating, so their solutions are for KDE and GNOME both. So reimplementing this can work, but will in part be duplication

Hi there, I switched back to Kinoite for now, will probably join again when CentOS 10 with EPEL 10 and KDE Plasma 6 is out. To the things, yes I am also not too happy with ujust, as it is just a single file, spaghetti code. But secureblue already manages this, which makes maintenance easier. Here is the file, I think you have overlooked it https://github.com/secureblue/secureblue/blob/live/files/system/usr/share/ublue-os/just/70-secureblue.just Secureblue people keep investigating, so their solutions are for KDE and GNOME both. So reimplementing this can work, but will in part be duplication

secureblue also separated the justfiles to be easier to manage

https://github.com/secureblue/secureblue/blob/live/files/justfiles/

secureblue also separated the justfiles to be easier to manage https://github.com/secureblue/secureblue/blob/live/files/justfiles/
Sign in to join this conversation.
No Branch/Tag specified
dev
release
No results found.
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
HeliumOS/bootc#32
Reference in a new issue
HeliumOS/bootc
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?