From: Alex Vong
Subject: Plan for Guix security (was Re: Long term plan for GuixSD security: microkernels, ocap, RISC-V support)
Date: Wed, 26 Dec 2018 05:56:15 +0800
Message-ID: <877efxp8xs.fsf@gmail.com>
In-Reply-To: <87d0u9s1x0.fsf@dustycloud.org> (Christopher Lemmer Webber's message of "Thu, 23 Aug 2018 08:27:55 -0400")
To: Christopher Lemmer Webber
Cc: guix-devel@gnu.org

Hello everyone,

For microkernels, seL4, being a formally verified microkernel (developed by security researchers?), looks promising to me. Maybe someday we can rebase Hurd on top of it (replacing Mach)...

For ocap, I've no idea about it. I've heard of AppArmor and SELinux but not ocap. Btw, Debian started shipping AppArmor profiles in 2017 if I remember correctly.
If everything goes well, it should be in the next stable release. Should Guix ship AppArmor / SELinux profiles as well?

For RISC-V, my dream would be using a RISC-V chip 3D-printed from a GPL design :)

In addition, I have some other ideas regarding Guix security.

According to , the X server lacks GUI isolation. As a result, a user gaining local access to the machine can run a keylogger that logs the sudo password. This nullifies many security measures. Is Guix vulnerable to this as well? If so, how should we fix it? Qubes OS fixes it by virtualization (running programs in a VM). But it seems to me that having multiple OSes complicates things. I haven't tried using Qubes OS though.

Besides, I remember we have discussed hardening before. Should I start a new hardening branch? (although I don't have time to work on it right now). I think this is something we can do now. My idea is to create a new Guix module (guix build hardening) which should contain various build flags. Then we should modify each build system to import from this new module and fix any build errors caused by it. We can ask the build farm to evaluate this new branch, right?

What do you think?

Cheers,
Alex
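A hardening branch that adds build flags is only useful if the resulting binaries actually carry the properties those flags are meant to produce (PIE, non-executable stack, RELRO, stack canaries). The script below is an added example, not part of Alex's message or of the Guix code base: it inspects the ELF64 program headers directly with the standard library, so it can be run against store outputs without depending on binutils. All function names are this example's own, and the two sample ELF images it constructs are synthetic test inputs, not real build outputs; pass file paths on the command line to check real binaries.

```python
import struct
import sys

# ELF64 constants, as in <elf.h>
ET_EXEC = 2
ET_DYN = 3
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
EHDR_FMT = "HHIQQQIHHHHHH"   # ELF64 header fields after the 16-byte e_ident (48 bytes)
PHDR_FMT = "IIQQQQQQ"        # one ELF64 program header (56 bytes)


def parse_elf64(data):
    """Return (e_type, [(p_type, p_flags), ...]) for an ELF64 image of either endianness."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled here")
    endian = "<" if data[5] == 1 else ">"
    fields = struct.unpack_from(endian + EHDR_FMT, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(endian + PHDR_FMT, data, e_phoff + i * e_phentsize)[:2]
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def check_hardening(data):
    """Map hardening property -> bool for one ELF64 image.

    pie    : ET_DYN, i.e. linked with -fPIE/-pie so ASLR can relocate the executable
    nx     : PT_GNU_STACK present without PF_X (-z noexecstack); a missing PT_GNU_STACK
             header is reported as not hardened, since the kernel then assumes an
             executable stack on x86
    relro  : PT_GNU_RELRO present (-z relro); full RELRO additionally needs BIND_NOW,
             which this check does not look for
    canary : the symbol name __stack_chk_fail occurs in the file, which is what
             -fstack-protector* references (a string heuristic, not a symbol-table walk)
    """
    e_type, phdrs = parse_elf64(data)
    flags_by_type = {p_type: p_flags for p_type, p_flags in phdrs}
    return {
        "pie": e_type == ET_DYN,
        "nx": PT_GNU_STACK in flags_by_type and not (flags_by_type[PT_GNU_STACK] & PF_X),
        "relro": PT_GNU_RELRO in flags_by_type,
        "canary": b"__stack_chk_fail" in data,
    }


def missing_hardening(data):
    """Names of the checks that failed, in a stable order (empty list means all passed)."""
    report = check_hardening(data)
    return [name for name in ("pie", "nx", "relro", "canary") if not report[name]]


def build_fake_elf64(pie, nx, relro, canary):
    """Constructed test input: a minimal little-endian x86-64 ELF64 image carrying only
    the headers the checks inspect.  It is not loadable; it exists so the example runs
    offline with a known answer."""
    phdrs = [(PT_LOAD, PF_R | PF_X)]
    phdrs.append((PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X)))
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    e_ident = struct.pack("<4sBBBBB7x", b"\x7fELF", 2, 1, 1, 0, 0)  # class 64, LSB, version 1, SYSV
    ehdr = e_ident + struct.pack(
        "<" + EHDR_FMT,
        ET_DYN if pie else ET_EXEC, 0x3E, 1, 0x1000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    table = b"".join(struct.pack("<" + PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0x1000) for t, f in phdrs)
    payload = b"\x00" * 16 + (b"__stack_chk_fail\x00" if canary else b"") + b"\x00" * 16
    return ehdr + table + payload


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        for path in paths:
            with open(path, "rb") as fh:
                gaps = missing_hardening(fh.read())
            print(f"{path}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
    else:
        print("hardened sample:", missing_hardening(build_fake_elf64(True, True, True, True)))
        print("unhardened sample:", missing_hardening(build_fake_elf64(False, False, False, False)))
```

Running it over the `bin/` and `lib/` directories of a package built on the hardening branch and on master gives a quick diff of which flags actually took effect; a package whose configure script drops CFLAGS, or a build system that never imports the flag module, shows up as a binary that still reports `pie` or `relro` missing.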