Introduction to Mandatory Access Control
Mandatory Access Control (MAC) is a security framework that enforces access control decisions based on a set of rules, rather than relying on user identity or group membership. On Linux, two of the most popular MAC implementations are SELinux (Security-Enhanced Linux) and AppArmor. I’ve found AppArmor to be generally easier to use and more widely supported, so we’ll focus on hardening your Linux desktop using AppArmor.
Installing and Configuring AppArmor
To get started with AppArmor, you’ll need to install the apparmor package on your system. On Debian-based systems, you can do this with the following command:
sudo apt-get install apparmor apparmor-profiles apparmor-utils
On Arch Linux, you can use:
sudo pacman -S apparmor
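Once installed, you’ll need to make sure AppArmor is enabled. AppArmor is a Linux Security Module compiled into the kernel rather than a loadable module, so modprobe has nothing to load. It is activated at boot (through the kernel command line on distributions that do not turn it on by default), and its service loads the profiles:
sudo systemctl enable --now apparmor
You can verify that AppArmor is enabled by checking its status:
sudo aa-status
This should show you that the apparmor module is loaded. Don’t bother with the enabling step if you’re using a distribution that enables AppArmor by default.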
Creating AppArmor Profiles
AppArmor profiles define the rules for a specific application or service. You can create a new profile using the aa-genprof command. For example, to create a profile for the firefox browser:
sudo aa-genprof firefox
This will launch firefox and prompt you to generate a profile. The real trick is to use the application normally while the profile is being generated, so AppArmor can learn what permissions are required. You can then use the aa-logprof command to refine the profile based on the application’s behavior.
Understanding AppArmor Profile Syntax
AppArmor profiles are written in a simple syntax that defines the permissions and restrictions for an application. For example, the following profile allows firefox to read and write to the user’s home directory:
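#include <tunables/global>
/usr/lib/firefox/firefox {
  # Allow reading and writing to the user's home directory.
  # "**" recurses into subdirectories; "/home/*" alone would match only
  # entries directly under /home. "owner" limits this to the user's own files.
  owner @{HOME}/** rw,
}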
You can find more information on the AppArmor profile syntax in the official AppArmor documentation. I usually start with the examples provided in the documentation and modify them to suit my needs.
Enforcing AppArmor Profiles
Once you’ve created and refined an AppArmor profile, you can enforce it using the aa-enforce command. For example:
sudo aa-enforce /etc/apparmor.d/usr.lib.firefox.firefox
This will enable the profile and restrict the firefox application to the defined permissions. In practice, you may need to tweak the profile several times to get it just right.
Troubleshooting AppArmor Issues
If you encounter issues with AppArmor, you can use the aa-logprof command to analyze the application’s behavior and refine the profile. You can also use the aa-complain command to put the profile into complain mode, which will log any violations without enforcing the restrictions. This is where people usually get burned - they enforce a profile without testing it thoroughly, and then wonder why their application isn’t working.
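To see what complain mode and enforce mode actually leave behind in the logs, the following Python script groups AppArmor audit events by profile, mode and path. It is an added example, not part of the original article or of the AppArmor tools; the log lines are constructed samples and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel audit format AppArmor writes.
# apparmor="ALLOWED" comes from complain mode, "DENIED" from enforce mode.
SAMPLE_LOG = '''\
audit: type=1400 audit(1700000000.101:210): apparmor="ALLOWED" operation="open" profile="/usr/lib/firefox/firefox" name="/home/alice/.mozilla/firefox/profiles.ini" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.202:211): apparmor="ALLOWED" operation="open" profile="/usr/lib/firefox/firefox" name="/home/alice/.mozilla/firefox/profiles.ini" pid=4242 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000001.303:212): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name=2F686F6D652F616C6963652F6D7920646F632E706466 pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000002.404:213): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/firefox/firefox" pid=4300 comm="apparmor_parser"
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in FIELD.finditer(line):
        key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        # Paths containing spaces or special characters are logged unquoted as hex.
        if key == "name" and quoted is None and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields

def summarize(log_text):
    """Map (profile, mode, path) -> set of permission letters that were not covered."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        # Skip STATUS and other bookkeeping events; keep only access decisions.
        if ev and ev.get("apparmor") in ("ALLOWED", "DENIED") and "name" in ev:
            summary[(ev["profile"], ev["apparmor"], ev["name"])].update(ev.get("denied_mask", ""))
    return summary

if __name__ == "__main__":
    for (profile, mode, path), perms in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{mode:8} {profile}  {path!r}  {''.join(sorted(perms))}")
```

On a real system the same lines can be taken from the kernel log (for example journalctl -k) or from /var/log/audit/audit.log when auditd is running; review each path before deciding whether it belongs in the profile.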
Additional Hardening Measures
In addition to using AppArmor, there are several other hardening measures you can take to secure your Linux desktop:
- Use a secure password manager, such as keepassxc or gnome-keyring.
- Enable full-disk encryption using LUKS or VeraCrypt.
- Use a secure boot mechanism, such as UEFI Secure Boot.
- Keep your system and applications up-to-date with the latest security patches. I’ve seen this go wrong when people neglect to update their systems regularly.
Common Sense Security
While technical security measures are important, common sense also plays a crucial role in securing your Linux desktop. This includes:
- Being cautious when clicking on links or downloading attachments from unknown sources.
- Using strong, unique passwords for all accounts.
- Avoiding the use of root privileges unless absolutely necessary.
- Regularly backing up important data to an external drive or cloud storage service. Don’t underestimate the importance of backups - they can save you from a world of trouble.
Next Steps
For more information on AppArmor and Linux security, you can visit the official AppArmor website or the Linux kernel documentation. With AppArmor and a few other hardening measures, you can significantly reduce the risk of security breaches and protect your system from malicious activity.