CR: P16g AppArmor Deployment

Change Summary

Field             Value
CR ID             CR-2026-04-04-p16g-apparmor-deployment
Date              2026-04-04
Priority          P2 - High (security gap on secrets-handling workstation)
Type              Security Hardening
Status            Phase 2 complete — browsers confined
Requestor         Evan Rosado
Implementor       Evan Rosado
Risk Level        Medium (boot parameter change requires reboot; misconfigured profiles can break applications)
Systems Affected  modestus-p16g
Predecessor       N/A
Related INC       INC: P16g No MAC

Objective

Deploy AppArmor as the Mandatory Access Control framework on the P16g. Establish complain-mode baselines, then enforce custom profiles that deny high-risk applications (browsers, node/npm, Docker) access to ~/.secrets/, ~/.gnupg/, ~/.age/, and gopass stores.

Background

The P16g was deployed on 2026-04-02 without any MAC system. Arch Linux ships with AppArmor compiled into the default kernel (CONFIG_SECURITY_APPARMOR=y) but does not enable it at boot. The workstation handles age-encrypted secrets, GPG private keys, Vault SSH certificates, and gopass credential stores — all accessible by any user-space process without confinement.

See INC-2026-04-04-002 for the incident report.

Current State

  • LSM stack: lockdown,capability,yama — no MAC

  • All user processes have unrestricted access to all user-owned files

  • No AppArmor package installed

  • No profiles loaded

  • Kernel has CONFIG_SECURITY_APPARMOR=y (compiled in, not enabled)

Target State

  • LSM stack: lockdown,capability,yama,integrity,apparmor,bpf

  • AppArmor service enabled and running

  • Complain-mode profiles for all applications (Phase 1)

  • Enforce-mode profiles for high-risk apps with explicit denies on credential stores (Phase 2)

  • Custom profiles for node/npm, browsers, Docker (Phase 3)

Future Considerations

Razer Parity

modestus-razer has the same MAC gap. After validating AppArmor on P16g, replicate the deployment:

  • Copy custom profiles via dots-quantum or rsync

  • Add AppArmor stow package to dots-quantum for consistent deployment

Profile Management

  • Store custom profiles in dots-quantum as a stow package (apparmor/.etc/apparmor.d/local/)

  • Version control profile changes alongside dotfiles

  • Consider aa-notify for desktop notifications on deny events

P16g Deploy Runbook Update

AppArmor is now tracked as Phase 12 (Security Hardening) in the P16g deployment runbook:

Changelog

Date        Author       Change
2026-04-04  Evan Rosado  Initial CR — AppArmor deployment plan for P16g with phased rollout
2026-04-05  Evan Rosado  Phase 1 executed: pacman -S apparmor, boot params updated on all 3 entries (arch, fallback, LTS), acpi_mask_gpe=0x6E restored on fallback + LTS, apparmor.service enabled. Updated sed approach to full-line replacement after append method failed due to terminal line wrapping.
2026-04-05  Evan Rosado  Phase 1 verified post-reboot: 162 profiles loaded, 79 enforce, AppArmor in LSM stack. Phase 2 executed: browser profiles (Firefox, Chrome, Chromium) converted from flags=(unconfined) to confined with allow-all baseline + credential store deny rules in local/. Added flags=(attach_disconnected) to fix bwrap sandbox denials. All 3 browsers in enforce mode.
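The Phase 2 pattern from the changelog (drop flags=(unconfined), keep an allow-all baseline, put the credential-store denies in local/, add attach_disconnected), shown as a constructed Firefox profile and its local override. This is an added illustration, not the profile deployed on the P16g; the firefox binary path, the abi line and the gopass store location (~/.local/share/gopass/stores) are assumptions to be matched against the shipped profile.

```apparmor
# /etc/apparmor.d/usr.bin.firefox  (constructed example; path and abi line are assumptions)
abi <abi/4.0>,
include <tunables/global>

# attach_disconnected: paths the bwrap sandbox sees through a disconnected
# mount namespace still get resolved, so the sandbox itself is not denied
profile firefox /usr/bin/firefox flags=(attach_disconnected) {
  # Allow-all baseline: the browser keeps everything it could do unconfined,
  # so the only behavioural change is what local/firefox denies below.
  file,
  network,
  capability,
  unix,
  dbus,
  signal,
  ptrace,
  userns,
  mount,
  umount,
  pivot_root,

  # Site-specific denies stay in local/ so package updates do not overwrite them
  include if exists <local/firefox>
}

# /etc/apparmor.d/local/firefox  (constructed example)
# deny rules win over the allow-all baseline; each store is denied at the
# directory and at everything below it, so listing and opening both fail
deny @{HOME}/.secrets/ rw,
deny @{HOME}/.secrets/** rwklmx,
deny @{HOME}/.gnupg/ rw,
deny @{HOME}/.gnupg/** rwklmx,
deny @{HOME}/.age/ rw,
deny @{HOME}/.age/** rwklmx,
# gopass default store path is an assumption; ~/.password-store covers a
# pass-compatible layout
deny @{HOME}/.local/share/gopass/stores/** rwklmx,
deny @{HOME}/.password-store/** rwklmx,
```

Reload with `apparmor_parser -r /etc/apparmor.d/usr.bin.firefox` and confirm the profile is listed in enforce mode by `aa-status`; a blocked access then appears in the journal as an `apparmor="DENIED"` line naming the profile and the path, which is the signal aa-notify would surface.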