[Whonix-devel] untrusted root

Patrick Schleizer adrelanos at riseup.net
Thu Oct 31 11:22:00 CET 2019


On 2019-10-29 03:36 PM, Patrick Schleizer wrote:
> Hi forest,
>
> we are working on software packages towards untrusted root. Please
> kindly consider joining our efforts.
>
> https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
>
> https://forums.whonix.org/t/untrusted-root-improve-security-by-restricting-root/7998
>
> https://github.com/Whonix/security-misc
>
> https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339
>
> Kind regards,
> Patrick


forest <forestmerge at airmail.cc> replied:

> I'm not able to assist full-time but I may be available for consultancy over email. There are a few things that I should mention about untrusted root that are necessary prerequisites for doing so securely, though:
> 
> 1. A solid formal threat model is a must. It's the only way to ensure all developers are on the same page. It's even better if it includes data flow diagrams for at-risk processes. Threat modeling becomes more complex if privesc is in-scope, but for a serious project, it's worth the investment in the long run.
> 
> 2. AppArmor is probably not going to cut it. Although there are hacky ways to get it to work with PID 1, you'd be much better off with SELinux or, even better, Grsecurity's RBAC (requires subscription, but provides overwhelmingly better security than possible with vanilla Linux).
> 
> 3. There's no safe way to run Xorg with multiple mutually-distrusting users at the same time (e.g. a regular user and a root shell). The same is true with other utilities like tmux, but Xorg is the most common culprit of bypasses for a desktop system.


Forwarded here with permission.


