Author Topic: [How-To] Application oriented firewall simple and easy using Tomoyo MAC


QtAndNice (Topic starter)

  • Jr. Mitglied
  • **
  • Posts: 93
  • Kernel: 3.16 (src from git + modified) x64
  • Desktop: KDE 4.x.(current stable)
  • Branch: stable
  • GPU Card: nVidia GTX 760
  • GPU driver: non-free
  • Skill: Novice
Please note: the Manjaro team has removed Tomoyo support from their binary kernel; you will have to activate Tomoyo support in the config file and compile the kernel from source if you want to use this method.

To edit all the files described below and to execute any of the described commands you need local root access rights.

NOTE:
The firewall setting works as a whitelist: when you're done with this tutorial, any Internet access to or from any application on your computer will be blocked by default.
You will need to enable it explicitly for selected applications by using tomoyo-editpolicy and changing their profile from 0 to 1, as simple as that.

If you have already configured Tomoyo, go to step 6.

Step 1:
Edit /boot/grub/grub.cfg

You have to add security=tomoyo TOMOYO_trigger=/sbin/init to your boot entry as shown below:
Quote
### BEGIN /etc/grub.d/10_linux ###
menuentry 'Manjaro Linux (Kernel: 3.9.11-1-MANJARO x64)' --class manjaro --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.9.11-1-MANJARO x64-true-blablablablablablablablabla' {
        savedefault
        load_video
        set gfxpayload=keep
        insmod gzio
        insmod part_gpt
        insmod ext2
        set root='hd3,gpt2'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint-bios=hd3,gpt2 --hint-efi=hd3,gpt2 --hint-baremetal=ahci3,gpt2  blablablablablablablablabla
        else
          search --no-floppy --fs-uuid --set=root blablablablablablablablabla
        fi
        echo    'Loading Linux 3.9.11-1-MANJARO x64 ...'
        linux   /vmlinuz-39-x86_64 root=UUID=00000000-0000-0BLA00-0000-000000000 rw   resume=UUID=blablablablablablablablatimebla9848944984 security=tomoyo TOMOYO_trigger=/sbin/init
        echo    'Loading initial ramdisk ...'
        initrd  /initramfs-39-x86_64.img
}

Step 2:
Edit /etc/default/grub

Add security=tomoyo TOMOYO_trigger=/sbin/init to your boot entry as shown below:
Quote
GRUB_DEFAULT=saved
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Manjaro"
GRUB_CMDLINE_LINUX_DEFAULT=" resume=UUID=00000000-0000-0BLA00-0000-000000000 security=tomoyo TOMOYO_trigger=/sbin/init"
GRUB_CMDLINE_LINUX=""

# If you want to enable the save default function, uncomment the following
# line, and set GRUB_DEFAULT to saved.
GRUB_SAVEDEFAULT=true

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
...

Step 3:
Install tomoyo-tools
Type in the terminal:
Code:
pacman -S tomoyo-tools
Step 4:
Reboot your OS.

Step 5:
Initialize tomoyo default configs and profiles
Type in the terminal:
Code:
/usr/lib/tomoyo/init_policy
Step 6:
Edit /etc/tomoyo/policy/current/profile.conf and import or override your entries with the following code:
Code:
PROFILE_VERSION=20110903
0-COMMENT=-----block network inet-----
0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
0-CONFIG={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_stream_bind={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_stream_listen={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_stream_connect={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_dgram_bind={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_dgram_send={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_seqpacket_bind={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_seqpacket_listen={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_seqpacket_connect={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network={ mode=enforcing grant_log=no reject_log=yes }
1-COMMENT=-----allow all-----
1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
1-CONFIG={ mode=disabled grant_log=no reject_log=no }
2-COMMENT=-----Permissive Mode-----
2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
3-COMMENT=-----Enforcing Mode-----
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }

Step 7:
Reboot your OS.

USAGE:
You can edit any rule by executing:
Code:
tomoyo-editpolicy
Then, by pressing s, you can change an application's profile: 0 = block all Internet access, 1 = allow all Internet access.
You can exit the policy editor by pressing q.

NOTE:
After any changes you make to the policy, you need to save it to disk. To do so, just type in the terminal:
Code:
tomoyo-savepolicy
NOTE:
Before you can allow an application you have to run it at least once; that way Tomoyo notes the application's existence.
 
NOTE:
To find an application a bit quicker in Tomoyo's policy editor, just press f while in the policy editor, then type the first few letters of the application and press Enter.
Press n to look for the next occurrence of the application in the domain policy list.

IF YOU STILL DON'T HAVE A CLUE HOW TO USE TOMOYO's POLICY EDITOR:
READ THE DOCUMENTATION:
http://tomoyo.sourceforge.jp/2.5/index.html.en

« Last Edit: 15. February 2015, 21:39:17 by QtAndNice »
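As an added example (not the author's code), this resolves which mode TOMOYO actually applies to a given hook from the profile above, following the kernel's precedence: a functionality setting beats its category, which beats the profile default. The embedded profile text is a constructed excerpt of the tutorial's profile.conf, and the hook names follow the CONFIG::network:: keys used there.

```python
import re

# Constructed excerpt of the tutorial's profile.conf; the omitted unix_* and
# PREFERENCE lines of the full file add nothing the resolver treats differently.
PROFILE_CONF = """PROFILE_VERSION=20110903
0-COMMENT=-----block network inet-----
0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
0-CONFIG={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_stream_connect={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network={ mode=enforcing grant_log=no reject_log=yes }
1-COMMENT=-----allow all-----
1-CONFIG={ mode=disabled grant_log=no reject_log=no }
"""

# <profile>-CONFIG[::<category>[::<functionality>]]={ key=value ... }
LINE_RE = re.compile(r"^(\d+)-CONFIG(?:::(\S+?))?=\{\s*(.*?)\s*\}$")

def parse_profiles(text):
    """Return {profile: {scope: {key: value}}}; scope is '' for the profile
    default, 'network' for a category, 'network::inet_stream_connect' etc."""
    profiles = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # PROFILE_VERSION, COMMENT and PREFERENCE lines
        num, scope, body = int(m.group(1)), m.group(2) or "", m.group(3)
        settings = dict(kv.split("=", 1) for kv in body.split())
        profiles.setdefault(num, {})[scope] = settings
    return profiles

def effective_mode(profiles, profile, functionality):
    """Mode TOMOYO applies to one hook, e.g. 'network::inet_stream_connect':
    the functionality's own setting wins, then its category, then the
    profile default; an unconfigured profile behaves as disabled."""
    scopes = profiles.get(profile, {})
    category = functionality.split("::")[0]
    for scope in (functionality, category, ""):
        if "mode" in scopes.get(scope, {}):
            return scopes[scope]["mode"]
    return "disabled"

def kernel_cmdline_ok(cmdline):
    """True when a kernel command line carries both parameters from Steps 1 and 2."""
    params = set(cmdline.split())
    return {"security=tomoyo", "TOMOYO_trigger=/sbin/init"} <= params

if __name__ == "__main__":
    p = parse_profiles(PROFILE_CONF)
    print(effective_mode(p, 0, "network::inet_stream_connect"))  # enforcing
```

Run it against the real file with `parse_profiles(open("/etc/tomoyo/policy/current/profile.conf").read())` to confirm that profile 0 enforces inet sockets while leaving unix sockets and file access untouched.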

intika

  • Neuling
  • *
  • Posts: 3
  • Skill: Novice
This is just WOW !!!! as simple as that ?! unbelievable !!! thanks a million dude, this is just awesome !!!!!!!

Was looking for that a long time ago !!!!!  Thanks !!!!!!!!!!!!!!!!!!!!!!

I ported your trick to Mageia https://forums.mageia.org/en/viewtopic.php?f=41&t=8273, hope you don't mind.

Thanks again! I could finally be confident in the security of my server !!!

I registered just to say thank you! I was shocked that no one replied to your post.
« Last Edit: 12. August 2014, 05:50:44 by intika »

intika

As the NSA is even watching our systems (SELinux), we cannot say it's useless; plus it's always good to be able to control apps.

simgin

  • Held Mitglied
  • *****
  • Posts: 520
  • Kernel: Towo, liquorice etc etc.....
  • Desktop: LinuxBBQ: Zijwaartz wmx, Siduction Xfce, Slackware Fluxbox & Arch noX!
  • Branch: All.
  • GPU Card: GeForce 8600M & GT 555M 2GB
  • Skill: Intermediate
Registered just to say thank you, that's dedication mate  C:-) Agree it's a bit strange that no one has commented here before. For my own part, I don't use it, but there must have been someone that has. It's documented very well and should be stickied.

simon
Compared to Plan 9, Unix creaks and clanks and has obvious rust spots, but it gets the job done well enough to hold its position. There is a lesson here for ambitious system architects: the most dangerous enemy of a better solution is an existing codebase that is just good enough.

Eric S. Raymond

QtAndNice (Topic starter)

Hey everyone, it's maybe a bit late for me to answer,
but thanks for the appreciation, I'm really glad someone actually uses this solution :D

I got tired of people always asking if you need an application oriented firewall when running Linux.
As a man not believing in the trustworthiness and sufficiency of the current network security used in desktop distributions, I had to find a convenient solution to the security problem, a part that was definitely missing in a desktop environment: an application oriented firewall.
I read the most important parts of the documentation of all MACs available to date; in terms of support, background and convenience, TOMOYO was the right choice to be used as a full featured application oriented network firewall.
I will update this tutorial; on my box I use a slightly different rule set that I didn't document here.
There are now 3 effective profiles:
0 - block all
1 - allow only outgoing connections (additional security measure for client applications (games))
2 - allow in and out connections

Also, I'm writing a script that will allow blocking per Wine-executed Windows application, which I will also upload here if needed.
« Last Edit: 13. September 2014, 10:11:42 by QtAndNice »

Eunuch

  • Neuling
  • *
  • Posts: 40
  • Kernel: 3.18
  • Desktop: XFCE
  • Branch: Stable
  • GPU Card: Intel 3000
  • GPU driver: no ide?a
  • Skill: Novice
Does it reduce the performance of the machine? If yes, will it be super slow? I have a Core i5.

QtAndNice (Topic starter)

Quote
Does it reduce the performance of the machine? If yes, will it be super slow? I have a Core i5.

Not noticeable if you are using this mandatory access control only as a network firewall, since it doesn't have to "listen" for I/O procedures, just for the network access whitelist.

Please note: Manjaro has removed Tomoyo support from the binary kernel; you will have to compile the kernel from source if you want to use this method.

Eunuch

Yes, I noticed. I gave up on this. I'm tempted to install AppArmor, but I was told that it's not a good idea, since it is going to be dead soon.

QtAndNice (Topic starter)

Quote
Yes, I noticed. I gave up on this. I'm tempted to install AppArmor, but I was told that it's not a good idea, since it is going to be dead soon.

If per-application security and performance are important to you, you will have to use a different kernel or compile it yourself (which is actually pretty easy since you only have to get the source from git).

The problem with other solutions is the jumping from userspace to kernel space back and forth, which causes performance issues; a MAC stays in kernel space and does the job pretty well (except for SELinux).

iptables is a really lame solution, as in it doesn't protect per-application outgoing traffic. I also found this: http://douaneapp.com but it doesn't look legit enough to me with its Twitter-integrated GUI.
« Last Edit: 16. February 2015, 21:03:15 by QtAndNice »

intika

Still using that tool in combination with iptables etc.
It was like a revelation to me ^^ Works fine on the latest Mageia even without recompiling the kernel.

It's funny that the Douane app added a Twitter page.