#+TODO: TODO(t) IN-PROGRESS DONE
#+STARTUP: indent
#+OPTIONS: ':nil *:t -:t ::t <:t H:2 \n:nil ^:t arch:headline
#+OPTIONS: author:t broken-links:nil c:nil creator:nil
#+OPTIONS: d:(not "LOGBOOK") date:t e:t email:nil f:t inline:t num:t
#+OPTIONS: p:nil pri:nil prop:nil stat:t tags:t tasks:t tex:t
#+OPTIONS: timestamp:t title:t toc:t todo:t |:t
#+TITLE: Securing Kopano with Apparmor
#+SUBTITLE: Kopano Conference 2017, Arnhem NL
#+DATE: 2017-09-28
#+AUTHOR: Guido Günther
#+EMAIL: agx@sigxcpu.org
#+LANGUAGE: en
#+SELECT_TAGS: export
#+EXCLUDE_TAGS: noexport
#+CREATOR: Emacs 25.2.2 (Org mode 9.0.9)
#+latex_header: \mode<beamer>{\usetheme{Copenhagen}}
#+latex_header: \setbeamertemplate{headline}{}
#+latex_header: \AtBeginSection[]{\begin{frame}<beamer>\frametitle{Topic}\tableofcontents[currentsection]\end{frame}}
#+COLUMNS: %40ITEM %10BEAMER_env(Env) %9BEAMER_envargs(Env Args) %4BEAMER_col(Col) %10BEAMER_extra(Extra)

* Who am I
:PROPERTIES:
:UNNUMBERED: t
:END:

** About me

- Debian Developer (libvirt et al., gbp, LTS, ...)
- GNOME contributor
- FSFE Fellow
- Freelancing Free Software Developer

** Intro
:PROPERTIES:
:BEAMER_env: note
:END:
- Purpose: learn what apparmor is, how to use it, how to debug, status of kopano apparmor

* What is Apparmor
  
** What is Apparmor

- pathname based Mandatory access control (MAC)
- Linux LSM, userspace tools and profiles
- Confines application to a limited set of resources via *profiles*
- These control
   - file read, write, execute, lock
   - Network access
   - raw socket access
   - allowed capabilities
   - rlimits
   - tracing
   - (dbus, signals)

** Apparmor Policy Example I
:PROPERTIES:
:BEAMER_ENVARGS: [t]
:END:

*** Apparmor Policy Example I :B_ignoreheading:
:PROPERTIES:
:BEAMER_env: ignoreheading
:END:
#+BEAMER: \fontsize{9}{7.2}\selectfont
#+name: Policy example
#+BEGIN_EXAMPLE
/usr/sbin/kopano-server {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  capability chown,
  ...
  capability setuid,

  network tcp,

  /etc/kopano/debian-db.cfg r,
  /etc/kopano/server.cfg r,

  @{PROC}/@{pid}/task/@{tid}/comm rw,
  ...

#+END_EXAMPLE

** Apparmor Policy Example II
*** Apparmor Policy Example II :B_ignoreheading:
:PROPERTIES:
:BEAMER_env: ignoreheading
:END:
#+BEAMER: \fontsize{8}{7.2}\selectfont
#+BEGIN_EXAMPLE
  ...
  /run/kopano/prio.sock rw,
  /run/kopano/server.pid rw,
  /run/kopano/server.sock rw,

  /usr/lib/x86_64-linux-gnu/kopano/*.so m,

  ...
  profile kopano_userscripts {
    file,
    network,
  }
  ...
}
#+END_EXAMPLE

** Building and Debugging profiles

- Denials are logged in the kernel log, use *dmesg* (or the audit log if auditd runs)
- aa-complain <program>: log violations of the profile without blocking them
- aa-genprof <program>: generate a profile interactively from the observed accesses
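Reading those denials by hand gets tedious while building a profile, so here is an added example (not from the talk or the Kopano project): a shell function that turns AppArmor =DENIED= and complain-mode =ALLOWED= kernel log lines into candidate profile rules, run over constructed sample lines; the function names and the =/etc/kopano/dagent.cfg= path in the sample are assumptions.

```shell
# Added example (not from the talk): turn AppArmor kernel-log events into
# candidate profile rules. Input on stdin is dmesg / kern.log text; output is
# one "profile<TAB>rule" line per unique event, meant to be reviewed before
# anything is added to /etc/apparmor.d/local/<profile>.
aa_suggest_rules() {
  awk '
    /apparmor="(DENIED|ALLOWED)"/ {            # ALLOWED = would-be denial in complain mode
      split("", f)                             # clear the key/value map portably
      n = split($0, parts, " ")
      for (i = 1; i <= n; i++) {               # collect key=value and key="value" tokens
        if (split(parts[i], kv, "=") < 2) continue
        k = kv[1]; v = substr(parts[i], length(k) + 2)
        gsub(/"/, "", v)
        f[k] = v
      }
      if (f["operation"] == "capable") {
        rule = "capability " f["capname"] ","
      } else if ("name" in f) {                # file access: path plus permission mask
        m = f["denied_mask"]
        gsub(/c/, "w", m); gsub(/ww/, "w", m)  # create is expressed as write in rules
        rule = f["name"] " " m ","
      } else if ("family" in f) {              # socket access
        rule = "network " f["family"] " " f["sock_type"] ","
      } else next
      print f["profile"] "\t" rule
    }' | LC_ALL=C sort -u
}

# Constructed sample log lines (not real output from a Kopano host); the last
# line and the duplicated open() show that noise and repeats are filtered.
SAMPLE_LOG='[  512.100000] audit: type=1400 audit(1506600000.100:40): apparmor="DENIED" operation="open" profile="/usr/sbin/kopano-dagent" name="/etc/kopano/dagent.cfg" pid=1200 comm="kopano-dagent" requested_mask="r" denied_mask="r" fsuid=999 ouid=0
[  512.200000] audit: type=1400 audit(1506600000.200:41): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/kopano-dagent" pid=1200 comm="kopano-dagent" capability=7  capname="setuid"
[  512.300000] audit: type=1400 audit(1506600000.300:42): apparmor="DENIED" operation="create" profile="/usr/sbin/kopano-dagent" pid=1200 comm="kopano-dagent" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
[  512.400000] audit: type=1400 audit(1506600000.400:43): apparmor="DENIED" operation="open" profile="/usr/sbin/kopano-dagent" name="/etc/kopano/dagent.cfg" pid=1200 comm="kopano-dagent" requested_mask="r" denied_mask="r" fsuid=999 ouid=0
[  513.000000] usb 1-1: new high-speed USB device number 4 using xhci_hcd'

# On a live system the call would be: dmesg | aa_suggest_rules
suggest_from_sample() {
  printf '%s\n' "$SAMPLE_LOG" | aa_suggest_rules
}
```

Each suggested rule still needs a human decision: a denial on a path the service should never touch is a finding, not a rule to add.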

** Apparmor Distro Support
#+BEAMER: \pause
*** Enabled by default in

- Ubuntu (lots of code upstreamed in 4.13)
- OpenSuSE
  
#+BEAMER: \pause
*** Installation on Debian
https://wiki.debian.org/AppArmor/HowToUse

#+BEGIN_SRC sh
  sudo apt install apparmor apparmor-{utils,profiles}
  # enable the LSM on the kernel command line
  sudo mkdir -p /etc/default/grub.d
  echo 'GRUB_CMDLINE_LINUX_DEFAULT="'      \
           '$GRUB_CMDLINE_LINUX_DEFAULT'   \
           'apparmor=1 security=apparmor"' \
       | sudo tee /etc/default/grub.d/apparmor.cfg
  sudo update-grub && sudo reboot

  # after the reboot: check the kernel has apparmor on and list loaded profiles
  aa-enabled && sudo aa-status
#+END_SRC

* Apparmor and Kopano
** Security Precautions in Kopano

- Services run as user kopano nowadays
- Built with hardening support (in Debian)

- But all services run as the _same_ user

** Why is MAC useful

- Webapp listens on the internet
- Z-Push listens on the internet
- e.g. kopano-dagent and kopano-search process untrusted input
- ...

** Restricting the MariaDB/Mysql I
*** Add and activate the profile

#+BEGIN_SRC sh
# fetch the profile straight into /etc/apparmor.d (one URL, not three arguments)
wget -O /etc/apparmor.d/usr.sbin.mysqld \
  'https://raw.githubusercontent.com/MariaDB/server/10.2/support-files/policy/apparmor/usr.sbin.mysqld'
touch /etc/apparmor.d/local/usr.sbin.mysqld
apparmor_parser -a /etc/apparmor.d/usr.sbin.mysqld
#+END_SRC

Needs the current git version of the profile

*** Output of aa-status
#+BEGIN_EXAMPLE
1 processes are unconfined but have a profile defined.
   /usr/sbin/mysqld (592) 
#+END_EXAMPLE

** Restricting the MariaDB/Mysql II
*** Restart the service
#+BEGIN_SRC sh
/etc/init.d/mysql restart
#+END_SRC

*** Output of aa-status
#+BEGIN_EXAMPLE
1 processes are in complain mode.
   /usr/sbin/mysqld (2461) 
#+END_EXAMPLE

** Restricting the MariaDB/Mysql III
*** Enforce the policy
#+BEGIN_SRC sh
aa-enforce /usr/sbin/mysqld
#+END_SRC

*** Output of aa-status
#+BEGIN_EXAMPLE
1 processes are in enforce mode.
   /usr/sbin/mysqld (2461) 
#+END_EXAMPLE

** Restricting kopano-server
- New profile created from scratch
*** Add the apparmor policy
#+BEGIN_SRC sh
  cd /etc/apparmor.d
  cp profiles/usr.sbin.kopano-server .
  touch local/usr.sbin.kopano-server
  apparmor_parser -a usr.sbin.kopano-server
  systemctl restart kopano-server
#+END_SRC

** Restricting kopano-dagent

***  kopano-dagent
- Reads untrusted network traffic
- Similar to the server but far less permissions
- New profile created from scratch

*** Add the apparmor policy
#+BEGIN_SRC sh
  cp profiles/usr.sbin.kopano-dagent /etc/apparmor.d/
  touch /etc/apparmor.d/local/usr.sbin.kopano-dagent
  apparmor_parser -a /etc/apparmor.d/usr.sbin.kopano-dagent
#+END_SRC

** Restricting kopano-search
- Indexes untrusted data
- Basic profile
*** Kopano Search

#+BEGIN_SRC sh
touch /etc/apparmor.d/local/usr.sbin.kopano-search
cp profiles/usr.sbin.kopano-search /etc/apparmor.d/
apparmor_parser -a /etc/apparmor.d/usr.sbin.kopano-search
#+END_SRC

** TODO Other core services and helpers

kopano-archiver, kopano-backup, kopano-gateway, kopano-ical,
kopano-monitor, kopano-spooler

** Restricting Webapp (Apache)
*** Restricting Apache itself

#+BEGIN_SRC sh
apt-get install libapache2-mod-apparmor
rm /etc/apparmor.d/disable/usr.sbin.apache2
apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2
aa-status
#+END_SRC

** Restricting Webapp (Webapp)
- New profile created from scratch
- Add AAHatName to /etc/kopano/apache2.conf
- Enable profile
*** Restricting Webapp
#+BEGIN_SRC sh
 cp profiles/kopano-webapp /etc/apparmor.d/apache2.d/
 apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2
 a2enmod apparmor
 systemctl restart apache2
#+END_SRC

** TODO Other Kopano Components

- +Z-Push+
- +Deskapp+
  (but see http://bugs.debian.org/742829 for chromium)
- +Mattermost+

** How you can help

See above

** Upstreaming Status
- [-] mariadb profile fixes
  - [X] https://github.com/MariaDB/server/pull/447
  - [ ] https://bugs.debian.org/875890
- [ ] apache2 profile fixes
  - [ ] https://code.launchpad.net/~intrigeri/apparmor/apache2-attach_disconnected/+merge/331065
  - [ ] http://bugs.debian.org/875892
- [-] kopanocore profiles
  - [ ] Upstream https://github.com/Kopano-mirror/kopano-core/pull/1
  - [X] Debian Package
- [X] kopano-webapp profile
  - [ ] Upstream not yet submitted
  - [X] Debian: Pushed to git
- [ ] dh-apparmor
  - Support /etc/apparmor.d/apache/: http://bugs.debian.org/876647

* Appendix							 :B_appendix:
  :PROPERTIES:
  :BEAMER_env: appendix
  :END:

** Thanks

- Send profile updates to <pkg-giraffe-discuss@lists.alioth.debian.org>
- Questions?

** Links
- http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference

** Status of Kopano in Debian

- kopanocore 8.3.4 is in Buster/testing
- z-push 2.3.8 is in experimental
- Webapp 3.3.1 is waiting in NEW

# Local Variables:
# org-src-preserve-indentation: t
# End: