Purism, the Social Purpose Corporation focused on software freedom, privacy and security, proves it is dedicated to making its products secure straight off of the factory floor. Now, new PureOS installations (including those provided with Librem devices) have AppArmor activated by default. Let us first look at what AppArmor is, and then why we chose it specifically to strengthen PureOS.
AppArmor falls into a category of security software called Mandatory Access Control (MAC) enacted through a Linux Security Module (LSM).
MAC is an access control model that restrains the ability of individual resource owners to grant or deny access to objects in a computer system. It does so through criteria that are defined by the System Administrator and enforced by the Operating System. The key factor that makes this model very secure is that end users cannot alter access control policies: the policies are enforced regardless of user and application settings, which might inadvertently or purposefully violate system security. All applications installed on a system with MAC have access control policies that interact directly with the kernel. On GNU/Linux systems the only user capable of making changes to the Operating System kernel is an administrator account, or Root, which means that unprivileged user accounts cannot override system critical settings. This is a primary reason GNU/Linux is commonly considered one of the most secure Operating Systems available.
Linux Security Modules are an integrated part of the Linux kernel’s modularity. Kernel modules are software loadable on demand if and when the functionality they provide is required or requested, such as device drivers. Modules provide a couple of benefits:
AppArmor is one of the MACs included in the mainline Linux kernel as an optional LSM and it is the one that Purism deemed excellent enough to protect their Librem devices.
Now that we’ve gotten past all of the technical details we can address the obvious burning question: Why?
In theory, software developers try to write stable programs that cannot be used to exploit your system. In practice, all software has bugs, and even though developers do their best to debug their code before release, there is always the possibility of bugs having gone unnoticed and turning into security issues. A lot of security issues stem from the fact that the person coding your word processor or music player isn’t necessarily a hardware or security expert. A software developer for desktop applications may not intend to allow exploitable code into their applications, but to err is human, and so it can happen.
AppArmor can be thought of as “immunization” for your Operating System, using the concept of “minimum privilege required” applied on a case by case basis for each application profiled. This means that protected applications are selected through evaluation of system risk.
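To make "minimum privilege required" concrete, here is an added example of what a per-application profile can look like. It is not taken from PureOS or from Purism; the application name, its binary path and its directories are hypothetical, and only the profile syntax and the two referenced abstractions are standard AppArmor.

```apparmor
# Added example: profile for a hypothetical music player.
# The binary path and the directories below are assumptions, not PureOS paths.
#include <tunables/global>

profile example-player /usr/bin/example-player {
  # Shared rule sets shipped with AppArmor: basic libraries, then sound devices.
  #include <abstractions/base>
  #include <abstractions/audio>

  # The program may map and read its own binary.
  /usr/bin/example-player mr,

  # Read-only access to the user's own music library.
  owner @{HOME}/Music/ r,
  owner @{HOME}/Music/** r,

  # Read-write access (with file locking) to its own configuration, nothing else.
  owner @{HOME}/.config/example-player/ rw,
  owner @{HOME}/.config/example-player/** rwk,

  # Anything not listed above is already refused in enforce mode.
  # Explicit deny rules additionally override any allow rule that an
  # included abstraction might carry.
  deny @{HOME}/.ssh/** rw,
  deny @{HOME}/.gnupg/** rw,

  # A local player has no need for the network.
  deny network,
}
```

If a bug in such a player were triggered by a crafted audio file, the confined process could still only touch the paths listed here. A profile like this is loaded with `apparmor_parser -r` and its mode can be checked with `aa-status`.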
Of course, fundamentally, any type of MAC limits an end-user’s ability to use their computer. The general tendency for many users of other security systems has been to disable security functions that potentially affect ease-of-use, calling them unnecessarily strict. This happens often where users are left “on their own” without a support team or IT department to set up and monitor security protocols; a system administrator can adjust access control profiles to ensure applications perform correctly with security still in place. This is where AppArmor shines: the intuitive nature of profile authoring as well as excellent technical documentation allows efficient generation and testing of security policies, and the Purism R&D team takes on the job of doing this work for you in PureOS so that you can use PureOS worry-free.
AppArmor is Free software, which is important to Purism’s ethics. Access to source code allows auditing the code, which assures you that no malicious code is in your system, but it also allows for rapid bug identification and fixing. This is important since the pace of software development is currently very fast. Proprietary operating systems may claim to have native system security in place in their core, but you would never know if it really exists or works as promised because you can’t audit their code. We’re not that kind of company! Purism cares about providing users with privacy and security that they can trust, and this requires that users be allowed to access the source code if they want to.
This is why the Purism development team worked hard to set up AppArmor so that it can be activated by default in PureOS, so that every Librem device that gets shipped is as secure and trustworthy as it should be.