So hello everyone, my name is Alex Pujol and the focus of this talk will be AppArmor, and especially AppArmor profiles. Everything is open source on GitHub already. So let's go and have a look at this a bit deeper now.

Usually the people that come here don't present their company, but their company is a bit bigger. This is the company I work for. Technically it's called the Collaboratory at TU Dublin. The Collaboratory itself is a small spin-off company from the University of TU Dublin in Ireland. This is a university that is specialized in cyber security in general, and the purpose of this company is to make more links between academia and industry and to make both parts like each other a bit more. One of our main products is to provide to every company or university some sort of security operations center for training purposes, with training that is tailored to the needs of any kind of company. So this is how it looks. It's brand new, from last week. Even this is actually a 3D image because we don't have the actual new image; it is that new. So that was for the advertisement part.

Now let's go back to AppArmor. I think everyone here knows what AppArmor is. Everyone knows the tool that is enabled by default on most, I mean half of the Linux distributions I would say. The problem is that by default you don't have a lot of profiles. So this is an example: you have something like 40 to 50 profiles by default, and when you actually run the stuff, only a few of the processes that are running are actually confined. And this is kind of an issue, because AppArmor is a really nice tool, but if you don't have a profile for the software that is actually running, you are not really using this nice tool.
But in a way that's not really a big surprise, because from a historical point of view this stuff was mostly focused on servers, because we know that it's hard to make a lot of profiles for a lot of programs. So it was focused on servers, it was focused on network systems, and with user systems, like with every MAC policy, we always have the same issue: the first result on Google is "how do I disable this shit", sorry. So that's a bit of an issue.

So here it's apparmor.d, which is a full set of AppArmor profiles. When I say a full set, well, there are a lot of profiles, but they are expected to work together in order to ensure that you can confine most of the system. I have to say that the merit is due to some other people too, here Mikhail Morfikov, because this work was originally based on his repository, where I extended it with my profiles and did a lot of work regarding the testing of this stuff to ensure it works everywhere, because before it was mostly focused on Debian, his own system.

So now, okay, we have some profiles, that's nice, but there are really a lot of packages and a lot of programs and it's obviously not possible to confine everything. So the question is what should we confine and what should we not confine. For this we need to go back to the basics. From the last talks from today and yesterday I know you know it, but we need to go back to the security model of Linux. A long time ago the idea was a bit like: if a program is running on your computer you trust it, because anyway you don't have any other option. But now we don't trust anything that runs on your computer anymore. You still do trust some stuff, but not everything.
In order to solve this you have this kind of implementation: secure boot, you can sandbox everything, you have some sort of confinement, and on top of this sometimes you try to put an immutable core system for the main system of your distribution. If we look a bit deeper at this figure, we see that the confinement part is really focused on the core system. The applications we want to run we are usually sandboxing, so every server thing that you run in a VM or in Docker, your favorite game, your favorite mail system and so on, really it's in a sandbox and therefore we don't need to write profiles for them. That's the concept I followed in this project: we are really going to focus on what we have in this core system.

Now the question is what do you really put in the core system. And because obviously this is the Linux world, at the end it's the distribution that decides what they put in it, so this is only the general scope of this program and after that everyone is free to do whatever they want. But obviously the basic tools, I would say: everything root, so systemd, D-Bus, NetworkManager, all the network stuff, GDM and so on. The desktop environment too; right now I only put support for GNOME because these are really quite long to make, and I'm working to have an integration with KDE. And everything in user space, like the sound, Xorg or Wayland and so on. At the end we still need to support the sandbox managers. When I say sandbox manager, libvirt is seen as a sandbox manager, and even Steam, because nowadays they run games in a sandbox, so even Steam is a sandbox manager. And at the end we have some special applications like the web browser and the file browser.
So now we know what to confine, and just a few reminders if you really want to have a good set of confinements. First, yes, this is AppArmor, so this is mandatory access control, so obviously we are going to really focus on an allow list, not a deny list. It's not always easy to do, and sometimes it can be seen as the lazy path to just allow a lot of stuff and say yeah, that should be okay, but no, we need to stick to the MAC principle. Obviously it should not break a program, which is much more complex than it sounds. As we said, you should not confine everything on your computer, and we try to be as device and distribution agnostic as possible.

So this is time for a small demo. This is MAC policy, so by definition there is nothing really to show, but here you have an Ubuntu VM. If you have a look at htop, you can see in the security attribute column that you do actually have an AppArmor profile for every single application running here. So we have all the system stuff, we have everything that is related to it, here by itself, and so on.
We can even have a look a bit deeper here. These are the only applications that don't have an AppArmor profile and that are running in the system. What we see is that we have this shell, and we have systemd as the init system and as the user instance; this is planned, but if you want to be able to do a good full system confinement you need to confine everything else before, otherwise it's a bit more complex, and there are some issues with AppArmor for this kind of stuff that I won't go deeper into here.

This time this is not a VM, this is this actual computer. Here this is not Ubuntu but Arch Linux, it is running GNOME too, and we can see we have exactly the same stuff, but there are some minor changes if you look deeper, because it's not the same distribution, a lot of stuff is actually different. And here you have this little program that is actually not confined, because this is the kind of software that really can mess up your boot system if you actually block some things, even in complain mode. Yes, because everything here is in complain mode and not in enforce mode, because this is for dev purposes. But even in complain mode, there are a lot of tests to do, even on bare metal systems, on laptops, on servers, before being able to ensure that you have full system confinement for some of these tools.

So quickly, this is another VM, this time with Arch Linux and KDE. Same stuff again, you have KDE-specific tools here, this time you have Xorg that is running here and not Wayland, and you have a bit more stuff that is not confined because it's still a work in progress, but this is the same concept. Last one, this time this is openSUSE with XDE, and you have the same stuff. So that was for the small demo.

Now if we have a look a bit deeper at what we actually have in the profiles, it's quite varied, from 10-line profiles to 6666-line profiles with the GNOME shell. This is not a joke, this is the real size of this profile, and I make no comment on this. This is mostly for the D-Bus world, which is another subject by itself.

So otherwise, what do we have in this first profile here? It's a bit standard, as you will get from any other profile database. What I added myself, because it's really only when you have a lot of programs with a lot of attachments, is that I define one variable here that will be the entry point of the program and that will be used later in the profile. Otherwise, this simple program just needs to check if you have AppArmor on, and therefore it needs to list some resources and to check the mount points. So nothing really fantastic here.

Another program as an example, this time one that makes a bit more sense maybe for you, because this is the smart card daemon for GPG. So here what do we have? Already we see we have the entry point of this program; we need to speak with other programs in the same repository of profiles; we have some special abstractions too, because it's really useful to be able to just say okay, we need access to some USB devices, I don't care which. And we have a lot of admin-configurable variables. The scope is: you have some special files because, as a Linux expert, as a Linux dev, you want your file system where you want it, with your own special configuration. The purpose is that you only have to define or redefine some of these variables and you should be good to go.

Last but not least, regarding GNOME Shell and GNOME in general, it's not only one profile. For GNOME itself, for instance, it's over 80 profiles that need to work together, and on top of this you have the GNOME virtual file system that can be used by the other desktop environments, and you have over 30 profiles for that by itself. I don't know if we see it well here, but GNOME has a special architecture. For instance, technically it's GDM that starts the Wayland or Xorg session, and after that it will start your actual GNOME stuff. Therefore when you work on the confinement of this kind of profile, it's better to first know GNOME and discover what the actual architecture of the system is; that will help you a lot. After that, the idea is to stay as close as possible to the actual architecture of GNOME, because if someday they decided that here we need an external process to run some things, usually it means this other process is doing different stuff, and therefore it's good to put it in a different profile. It's not always true, there are some exceptions, but usually it's a good pattern.

So when we have a lot of profiles, it's time to have some kind of standardization, as much as possible, in how you write profiles, because this is going to allow you to detect issues in a profile, to detect some security features, or missing security features, in the profile as well. There will be more work to do here; as a reminder, this is still really a work in progress. The plan is later maybe even to have some profile linter to actually do a real check of every kind of issue that we could check here.

And because we have a lot of profiles too, we have some kind of helpers. The first one, for instance, is something that is really useful with systemd, because systemd likes to put the result of your command into a pager. So here with this kind of helper we can directly send whatever result to the pager, and this pager will have a weaker confinement than the actual systemd command. So it's kind of a time-saving thing. We have similar stuff with xdg-open, when we need to open whatever kind of resource: we have a special helper profile that already has a list of all the programs that a normal UI should be able to call.

So everything is not beautiful still, because AppArmor is path-based, and the distributions, well, they are distributions, they are doing whatever they want, and this is normal, this is their job to do whatever they want, but it generates some issues. For instance, this is the Firefox attachment: all the possible paths where you can find Firefox in any kind of Linux distribution. So it's starting to be a bit of a mess, and you have the same stuff for Chrome, Chromium, Brave, all the browsers, the same kind of stuff. So that's a bit of a waste of time to make all of this. This is maybe the first time but not the last time that I'm going to say: we need help, please. A lot of other programs have similar stuff, every distribution puts the binary where they want, and therefore we have this kind of stuff. Same thing: AppArmor doesn't follow symlinks, for obvious security reasons, which means we need to take measures to ensure that every time we are going to catch /bin or /usr/bin. After that we have more classic issues, I mean constraints that every other software will have; it's just that here we are not going to maintain one program but a thousand programs, I mean profiles. This is kind of more classic, but still, we need maintainers, please.

So now I showed you a bit what we have, and now it's time to have a look at how we do this. As we already saw in the small demo, basically everything works in a VM for all distributions. We select one target distribution, we build a test VM for it, we have the script to do this, install apparmor.d inside, and always check whatever issue we get. On top of this I made this tiny tool, aa-log, that gives you a small and colorful overview of whatever logs have been raised by auditd or systemd or whatever.

I didn't really mention this up to now, but usually when you generate a profile you need to ensure that the logs you collected are actually legitimate: you are not going to generate a profile from a program that has already been attacked, because then maybe the profile you are going to make is going to have vulnerabilities in it. The good thing here is that because every time we generate a new VM on purpose for this and only for this, it means we are sure, or I mean confident, that what we have in the VM is trustworthy, that there is no attacker in it, and therefore when logs have been raised in this VM we are confident that they are legitimate and it is not something that has been weird.

I already showed you this a bit, but basically right now we are supporting all the major distributions that support AppArmor, and this is a bit the scope, with different kinds of flavors: server, GNOME, KDE. If you want to have support for your next desktop environment, please help, because it's long to do. Technically this is classic stuff to generate the VMs: we have Packer and cloud-init to generate these VMs, it's really only classic stuff, with Vagrant behind.

Okay, so we have stuff to generate some VMs, so we have a development workflow, but at some point we need to test this stuff, and this is where it becomes a bit harder, because as we saw before, if we don't test this stuff it will raise some logs, some issues in some distribution, in some configuration, in some integration that we didn't think of before. And the question is how can you test AppArmor profiles? Can you even ensure that you will always have a good profile, a perfect profile? I think it's not even possible at all, but at least we can try to get all the bugs as soon as possible.

So the scope for this is: first you have your VM, that's fine; you want to have your AppArmor profiles, that's fine, for your specific distribution; and let's say this stuff is working fine, meaning once you run all of this you are not raising any issues. If you are doing the same run one week after and you get new issues, it means maybe there has been an update, and maybe this update generated some stuff: it requires more profiles, a new profile, more access for some profiles, and so on. Therefore it can allow you to detect where you have issues, and after that obviously it's up to you to decide what you want to do with this.

But now you want to test your profiles too. The concept is kind of classic, I would say: you run the programs that you have a profile for in the VM and you see what goes wrong. You need to do this in a VM and on a classic laptop or server, as we saw before, because they are not exactly the same, they can generate different stuff. But now you have a question: okay, so what programs actually are you going to take? Because okay, we have 1000 programs, much more actually, but it doesn't matter, we have the names of these programs, but are we just going to run the classic command for a UI program? Anyway, we know this is just useless. So we need a lot of test commands like this in order to generate a lot of tests, and by a lot it's possibly thousands of them, maybe even more.

For this I had a kind of hacky solution. There is this thing called tldr, which is basically a man page for lazy people that gives you this. For instance, this is the useradd help from tldr, and it directly gives you some classic examples of how you create a user, all the possible ways to create a user. When I saw this I said, oh, but maybe we can run this stuff as tests. And that's not that stupid, because we actually have thousands of man pages like this, we can automate everything, and this is much more complete than just asking for the usage, the classic help of the tool. Once we have this, we can even use it to add manual tests for more complex integrations and more complex stuff.

So it seems to be good like this, but it's still a bit crazy, because here when you are deleting a user you need to actually say what user you want to delete, so you need to define these arguments, which is classic when you want to run a program. You need to manage every kind of interactive program, including programs with a UI; you know that this stuff is not enough for the most complex systems anyway; and you better run this stuff in a VM, because if you run this on your system it will just remove your classic user. Yeah, I did an experiment with this before. So it's not perfect, but it's here, and thanks to this I made the initial version of a test suite for apparmor.d profiles that uses these tldr manual pages as a tool to bootstrap all the tests. At the end it looks like this; this is for the acpi command, by the way. If you run this in a VM you will get nothing, because you don't have a battery in a VM, and therefore, yes, this is a reminder that a VM is not enough, we need more than this. But even with this kind of quick test I was able to have a lot of tests for a lot of profiles quite quickly, and this is only the beginning, because I bypassed everything that was too complex, where we need to provide a full partition or some complicated file and stuff like this.

So this is only the beginning and it already gives a lot of tests. Regarding the results, for now I would say they are good and bad, which is kind of nice, because with this kind of stuff, if you raise a lot of logs, it means that when you wrote your profile you didn't finish it at all, and you don't need this test to check that, this is something you should already know anyway. And if we get nothing, most likely it means your tests are not good enough to actually cover everything. So in a way that's fine. Most of the time the stuff that was raised is because you need new console access, which is normal, because technically when you send this stuff you send it from a CLI and therefore the program needs to write in a terminal and so on, and most of the time this was the missing stuff, so nothing to worry about in a way. But sometimes, from time to time, you actually hit some weird case: this specific program needs access to some more resources, needs to use one new program that you didn't think of, and it is exactly for this kind of stuff that I made this. So this is kind of nice, even if obviously, because it has already been tested quite a lot, it's been already two years on this project, most of the stuff is already working kind of fine.

Therefore, for the future work, well, there are tests, tests and tests to continue. As I already mentioned there is a linter to do later, some full system policy to implement, and at some point we will indeed have a bit more integration with AppArmor itself, but obviously this will be done only after the tests are done, otherwise it would be just useless. And yes, please help here, we need people to test this stuff with their own software, with their own new distribution, with their own sort of whatever, that can only help us. Thanks.

And I forgot to mention it, but you have everything on GitHub, and you have a nice documentation website too if you want to test this stuff. Any questions?

So you said the profiles range from 10 lines to 666 lines. Do you have a feeling, for all 1500, about how many lines the total profiles are?

How many lines of what?

For all the profiles, if you would add up all the lines for all 1500, do you have a feel for about how many lines that would be?

I don't know at all.

Yeah, I'm just curious. You know, Fedora policy for SELinux is like 120,000 rules. I'm just kind of curious how it would line up complexity-wise. My guess is in the end you're gonna come up with similar complexity, you're gonna end up with a pretty large policy, but I was just kind of curious.

Yeah, I can see something, okay, I can have a look after.

Since this is developed and maintained separately from the applications that the profiles are about, do you maintain specific versions of the repo so that you can tell a distro, yeah, pin to this?

Not yet, because up to now this is mostly a work in progress. I would say it's not even in a stable setup, even for Arch Linux. There is already some kind of stuff: you can really run it on Arch Linux; there is some stuff that you will give up on Debian because they support another version of AppArmor, and so on. It is tested, but a bit less tested on Debian, to be honest. So yes, later there should be, like you get in any other project in a way, but we are still in a dev version right now, so it's a bit early for this.

No further questions? Thanks.
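As an added example, not part of the talk and not code from the apparmor.d project, here is a small Python sketch of the tldr-driven test bootstrap the speaker describes: it pulls the example command lines out of tldr pages, fills the {{placeholder}} arguments from an operator-supplied table, and flags commands that still need arguments or that should stay manual, so only the resolved ones are launched in the throw-away test VM. The tldr pages, the test account name and the manual-only list are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed tldr-style pages standing in for the real tldr repository;
# arguments use tldr's {{placeholder}} syntax.
TLDR_PAGES = {
    "useradd": (
        "# useradd\n\n> Create a new user.\n\n"
        "- Create a new user with the specified shell:\n\n"
        "`sudo useradd --shell {{path/to/shell}} {{username}}`\n\n"
        "- Create a new user with a custom home directory:\n\n"
        "`sudo useradd --home-dir {{path/to/home}} {{username}}`\n\n"
        "- Create a new user with the default settings:\n\n"
        "`sudo useradd {{username}}`\n"
    ),
    "acpi": (
        "# acpi\n\n> Show battery status or thermal information.\n\n"
        "- Show battery information:\n\n`acpi`\n\n"
        "- Show thermal information:\n\n`acpi --thermal`\n"
    ),
    "userdel": (
        "# userdel\n\n> Delete a user.\n\n"
        "- Remove a user:\n\n`sudo userdel {{username}}`\n"
    ),
}

# Values the operator supplies for placeholders (hypothetical test account).
PLACEHOLDER_VALUES = {"username": "aa-test-user", "path/to/shell": "/bin/sh"}

# Programs whose tldr examples stay manual even inside the test VM: the talk
# mentions userdel removing a real account when run outside one.
MANUAL_ONLY = {"userdel"}

PLACEHOLDER = re.compile(r"\{\{([^}]+)\}\}")
EXAMPLE = re.compile(r"^- (.+):\n\n`([^`]+)`", re.MULTILINE)


@dataclass
class TestCommand:
    program: str
    description: str
    command: str
    status: str            # "ready", "needs-args" or "manual"
    missing: tuple = ()    # placeholders with no supplied value


def extract_examples(page):
    """Return (description, raw command) pairs from one tldr page."""
    return EXAMPLE.findall(page)


def fill(command):
    """Substitute known placeholders; report the ones still unresolved."""
    missing = tuple(m for m in PLACEHOLDER.findall(command)
                    if m not in PLACEHOLDER_VALUES)
    filled = PLACEHOLDER.sub(
        lambda m: PLACEHOLDER_VALUES.get(m.group(1), m.group(0)), command)
    return filled, missing


def build_tests(pages, profiled_programs):
    """Generate test commands only for programs that have an AppArmor profile."""
    tests = []
    for program, page in pages.items():
        if program not in profiled_programs:
            continue  # no profile, nothing to exercise
        for description, raw in extract_examples(page):
            command, missing = fill(raw)
            if program in MANUAL_ONLY:
                status = "manual"
            elif missing:
                status = "needs-args"
            else:
                status = "ready"
            tests.append(TestCommand(program, description, command, status, missing))
    return tests
```

Commands with status "ready" are the ones to run inside the disposable VM while collecting AppArmor logs; "needs-args" entries list the placeholders an operator still has to provide.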