From bfdeaac7ef5c4816759acb0dddc299a58bf27755 Mon Sep 17 00:00:00 2001
From: Guido Günther
Date: Mon, 25 Sep 2017 19:22:15 +0200
Subject: Initial commit
---
 talk.org | 309 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 309 insertions(+)
 create mode 100644 talk.org
(limited to 'talk.org')
diff --git a/talk.org b/talk.org
new file mode 100644
index 0000000..4ad6336
--- /dev/null
+++ b/talk.org
@@ -0,0 +1,309 @@
+#+TODO: TODO(t) IN-PROGRESS DONE
+#+STARTUP: indent
+#+OPTIONS: ':nil *:t -:t ::t <:t H:2 \n:nil ^:t arch:headline
+#+OPTIONS: author:t broken-links:nil c:nil creator:nil
+#+OPTIONS: d:(not "LOGBOOK") date:t e:t email:nil f:t inline:t num:t
+#+OPTIONS: p:nil pri:nil prop:nil stat:t tags:t tasks:t tex:t
+#+OPTIONS: timestamp:t title:t toc:t todo:t |:t
+#+TITLE: Securing Kopano with Apparmor
+#+SUBTITLE: Kopano Conference 2017, Arnhem NL
+#+DATE: 2017-09-28
+#+AUTHOR: Guido Günther
+#+EMAIL: agx@sigxcpu.org
+#+LANGUAGE: en
+#+SELECT_TAGS: export
+#+EXCLUDE_TAGS: noexport
+#+CREATOR: Emacs 25.2.2 (Org mode 9.0.9)
+#+latex_header: \mode{\usetheme{Copenhagen}}
+#+latex_header: \setbeamertemplate{headline}{}
+#+latex_header: \AtBeginSection[]{\begin{frame}\frametitle{Topic}\tableofcontents[currentsection]\end{frame}}
+#+COLUMNS: %40ITEM %10BEAMER_env(Env) %9BEAMER_envargs(Env Args) %4BEAMER_col(Col) %10BEAMER_extra(Extra)
+
+* Who am I
+:PROPERTIES:
+:UNNUMBERED: t
+:END:
+
+** About me
+
+- Debian Developer (libvirt et al., gbp, LTS, ...)
+- GNOME contributor
+- FSFE Fellow
+- Freelancing Free Software Developer
+
+** Intro
+:PROPERTIES:
+:BEAMER_env: note
+:END:
+- Purpose: learn what apparmor is, how to use it, how to debug, status of kopano apparmor
+
+* What is Apparmor
+
+** What is Apparmor
+
+- pathname based Mandatory access control (MAC)
+- Linux LSM, userspace tools and profiles
+- Confines application to a limited set of resources via *profiles*
+- These control
+ - file read, write, execute, lock
+ - Network access
+ - raw socket access
+ - allowed capabilities
+ - rlimits
+ - tracing
+ - (dbus, signals)
+
+** Apparmor Policy Example I
+:PROPERTIES:
+:BEAMER_ENVARGS: [t]
+:END:
+
+*** Apparmor Policy Example I :B_ignoreheading:
+:PROPERTIES:
+:BEAMER_env: ignoreheading
+:END:
+#+BEAMER: \fontsize{9}{7.2}\selectfont
+#+name: Policy example
+#+BEGIN_EXAMPLE
+
+/usr/sbin/kopano-server {
+ #include
+ #include
+ #include
+
+ capability chown,
+ ...
+ capability setuid,
+
+ network tcp,
+
+ /etc/kopano/debian-db.cfg r,
+ /etc/kopano/server.cfg r,
+
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+ ...
+
+#+END_EXAMPLE
+
+** Apparmor Policy Example II
+*** Apparmor Policy Example II :B_ignoreheading:
+:PROPERTIES:
+:BEAMER_env: ignoreheading
+:END:
+#+BEAMER: \fontsize{8}{7.2}\selectfont
+#+BEGIN_EXAMPLE
+ ...
+ /run/kopano/prio.sock rw,
+ /run/kopano/server.pid rw,
+ /run/kopano/server.sock rw,
+
+ /usr/lib/x86_64-linux-gnu/kopano/*.so m,
+
+ ...
+ profile kopano_userscripts {
+ file,
+ network,
+ }
+ ...
+}
+#+END_EXAMPLE
+
+** Building and Debugging profiles
+
+- Denials are logged in kernel log, use *dmesg*
+- aa-complain
+- aa-genprof
+
+** Apparmor Distro Support
+#+BEAMER: \pause
+*** Enabled by default in
+
+- Ubuntu (lots of code upstreamed in 4.13)
+- OpenSuSE
+
+#+BEAMER: \pause
+*** Installation on Debian
+https://wiki.debian.org/AppArmor/HowToUse
+
+#+BEGIN_SRC sh
+ sudo apt install apparmor apparmor-{utils,profiles}
+ mkdir /etc/default/grub.d
+ echo 'GRUB_CMDLINE_LINUX_DEFAULT="' \
+ '$GRUB_CMDLINE_LINUX_DEFAULT' \
+ 'apparmor=1 security=apparmor"' \
+ > /etc/default/grub.d/apparmor.cfg
+ update-grub && reboot
+
+ aa-enabled && sudo aa-status
+#+END_SRC
+
+* Apparmor and Kopano
+** Security Precautions in Kopano
+
+- Services run as user kopano nowadays
+- Built with hardening support (in Debian)
+
+- But all services run as the _same_ user
+
+** Why is MAC useful
+
+- Webapp listens on the internet
+- Z-Push listens on the internet
+- e.g. kopano-dagent and kopano-search process untrusted input
+- ...
+
+** Restricting the MariaDB/Mysql I
+*** Add and activate the profile
+
+#+BEGIN_SRC sh
+wget 'https://raw.githubusercontent.com/MariaDB/' \
+ 'server/10.2/' \
+ 'support-files/policy/apparmor/usr.sbin.mysqld'
+touch /etc/apparmor.d/local/usr.sbin.mysqld
+apparmor_parser -a /etc/apparmor.d/usr.sbin.mysqld
+#+END_SRC
+
+Needs current git version
+
+*** Output
+#+BEGIN_EXAMPLE
+1 processes are unconfined but have a profile defined.
+ /usr/sbin/mysqld (592)
+#+END_EXAMPLE
+
+** Restricting the MariaDB/Mysql II
+*** Restart the service
+#+BEGIN_SRC sh
+/etc/init.d/mysql restart
+#+END_SRC
+
+*** Output
+#+BEGIN_EXAMPLE
+1 processes are in complain mode.
+ /usr/sbin/mysqld (2461)
+#+END_EXAMPLE
+
+** Restricting the MariaDB/Mysql III
+*** Enforce the policy
+#+BEGIN_SRC sh
+aa-enforce /usr/sbin/mysqld
+#+END_SRC
+
+*** Output
+#+BEGIN_EXAMPLE
+1 processes are in enforce mode.
+ /usr/sbin/mysqld (2461)
+#+END_EXAMPLE
+
+** Restricting kapano-server
+- new profile created from scratch
+*** Add the apparmor policy
+#+BEGIN_SRC sh
+ cd /etc/apparmor.d
+ cp profiles/usr.sbin.kopano-server .
+ touch local/usr.sbin.kopano-server
+ apparmor_parser -a usr.sbin.kopano-server
+ systemctl restart kopano-server
+#+END_SRC
+
+** Restricting kopano-dagent
+
+*** kopano-dagent
+- Reads untrusted network traffic
+- Similar to the server but far less permissions
+- New profile created from scratch
+
+*** Add the apparmor policy
+#+BEGIN_SRC sh
+ cp profiles/usr.sbin.kopano-dagent /etc/apparmor.d/
+ touch /etc/apparmor.d/local/usr.sbin.kopano-dagent
+ apparmor_parser -a /etc/apparmor.d/usr.sbin.kopano-dagent
+#+END_SRC
+
+** Restricting kopano-search
+- Indexes untrusted data
+- Basic profile
+*** Kopano Search
+
+#+BEGIN_SRC
+touch local/usr.sbin.kopano-search
+cp profiles/usr/sbin.kopano-search /etc/apparmor.d
+apparmor_parser -a /etc/apparmor.d/usr.sbin.kopano-search
+#+END_SRC
+
+** TODO Other core services and helpers
+
+kopano-archiver, kopano-backup, kopano-gateway, kopano-ical,
+kopnao-monitor, kopano-spooler
+
+** Restricting Webapp (Apache)
+*** Restricting Apache itself
+
+#+BEGIN_SRC sh
+apt-get install libapache2-mod-apparmor
+rm /etc/apparmor.d/disable/usr.sbin.apache2
+apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2
+aa-status
+#+END_SRC
+
+** Restricting Webapp (Webapp)
+- New profile created from scratch
+- Add AAHatName to /etc/kopano/apache2.conf
+- Enable profile
+*** Restricting Webapp
+#+BEGIN_SRC sh
+ cp profiles/kopano-webapp /etc/apparmor.d/apache2.d/
+ apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2
+ a2enmod apparmor
+ systemctl restart apache2
+#+END_SRC
+
+** TODO Other Kopano Components
+
+- +Z-Push+
+- +Deskapp+
+ (but see http://bugs.debian.org/742829 for chromium)
+- +Mattermost+
+
+** How you can help
+
+See above
+
+** Upstreaming Status
+- [-] mariadb profile fixes
+ - [X] https://github.com/MariaDB/server/pull/447
+ - [ ] https://bugs.debian.org/875890
+- [ ] apache2 profile fixes
+ - [ ] https://code.launchpad.net/~intrigeri/apparmor/apache2-attach_disconnected/+merge/331065
+ - [ ] http://bugs.debian.org/875892
+- [-] kopanocore profiles
+ - [ ] Upstream https://github.com/Kopano-mirror/kopano-core/pull/1
+ - [X] Debian Package
+- [X] kopano-webapp profile
+ - [ ] Upstream not yet submitted
+ - [X] Debian: Pushed to git
+- [ ] dh-apparmor
+ - Support /etc/apparmor.d/apache/: http://bugs.debian.org/876647
+
+* Appendix :B_appendix:
+ :PROPERTIES:
+ :BEAMER_env: appendix
+ :END:
+
+** Thanks
+
+- Send profile updates to
+- Questions?
+
+** Links
+- http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
+
+** Status of Kopano in Debian
+
+- kopanocore 8.3.4 is in Buster/testing
+- z-push 2.3.8 is in experimental
+- Webapp 3.3.1 in waiting in new
+
+# Local Variables:
+# org-src-preserve-indentation: t
+# End:
-- 
cgit v1.2.3
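Review bot: The `wget` call in the "Restricting the MariaDB/Mysql I" source block hands wget three separate arguments, because a backslash-newline continues the command but does not join the adjacent single-quoted strings, so it requests `https://raw.githubusercontent.com/MariaDB/` plus two relative fragments and never fetches `usr.sbin.mysqld`; with no profile file in place the following `apparmor_parser -a /etc/apparmor.d/usr.sbin.mysqld` fails and mysqld stays unconfined, the opposite of what the slide demonstrates. Collapse the URL into one argument, `wget 'https://raw.githubusercontent.com/MariaDB/server/10.2/support-files/policy/apparmor/usr.sbin.mysqld'`, and note that wget writes to the current directory while the parser reads from `/etc/apparmor.d`, so either `cd /etc/apparmor.d` first (as the kopano-server block does) or pass `-O /etc/apparmor.d/usr.sbin.mysqld`. The kopano-search block looks similarly broken if run as shown: `cp profiles/usr/sbin.kopano-search /etc/apparmor.d` appears to be a typo for `profiles/usr.sbin.kopano-search` (every other profile name uses dots), its `touch local/...` is relative without a preceding `cd`, and its `#+BEGIN_SRC` lacks the `sh` tag the other blocks carry. The headings `kapano-server` and `kopnao-monitor` are also typos.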