INC-2026-04-04: Investigation

Investigation

Verify LSM State

# Check active Linux Security Modules
cat /sys/kernel/security/lsm

Expected on a bare Arch install: capability plus the minor stacking LSMs from the kernel's CONFIG_LSM default (yama and lockdown; landlock and bpf on current kernels), in the order CONFIG_LSM lists them. The point of the check is that neither apparmor nor selinux appears in the list: a MAC module that is compiled in but absent here is not enforcing anything.

# Check whether AppArmor is available in the kernel (compiled in but not initialised).
# Arch does not ship /boot/config-*, so fall back to /proc/config.gz (CONFIG_IKCONFIG_PROC).
grep -i apparmor /boot/config-$(uname -r) 2>/dev/null || zcat /proc/config.gz | grep -i apparmor
# The CONFIG_LSM default decides what is initialised at boot; AppArmor is not in Arch's list.
zcat /proc/config.gz | grep -E '^CONFIG_LSM='
# Check whether the boot loader already overrides the LSM order (lsm= or security=).
grep -oE '(lsm|security)=[^ ]+' /proc/cmdline || echo "cmdline: no LSM override"
# Check for any AppArmor or SELinux packages installed
pacman -Q apparmor 2>/dev/null || echo "apparmor: not installed"
pacman -Q selinux-utils 2>/dev/null || echo "selinux: not installed"
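The checks above can be folded into one script that is reusable on the Razer box and in the Phase 11 verification step. The following is an added example written for this ticket, not part of the P16g runbook; it assumes Arch conventions (kernel config via /proc/config.gz, pacman present) and that securityfs is mounted at /sys/kernel/security. The parsing functions take the file contents as arguments so they can be exercised against constructed strings without the live host.

```sh
#!/bin/sh
# Added example for INC-2026-04-04: consolidated LSM / MAC state check.
# Assumptions (Arch): no /boot/config-*, kernel config in /proc/config.gz,
# securityfs mounted at /sys/kernel/security. Functions are POSIX sh.

# Print the major (exclusive) MAC modules present in a comma-separated LSM
# list, i.e. the format of /sys/kernel/security/lsm. Prints nothing if only
# capability and the minor stacking modules (yama, lockdown, landlock, bpf) are loaded.
active_mac_modules() {
    mac_out=""
    mac_old_ifs=$IFS
    IFS=','
    for mac_mod in $1; do
        case "$mac_mod" in
            apparmor|selinux|smack|tomoyo) mac_out="${mac_out:+$mac_out,}$mac_mod" ;;
        esac
    done
    IFS=$mac_old_ifs
    printf '%s' "$mac_out"
}

# Succeeds (exit 0) when a major MAC module is stacked, fails otherwise.
mac_active() {
    [ -n "$(active_mac_modules "$1")" ]
}

# Succeeds when the kernel command line ($1 = contents of /proc/cmdline)
# already asks for AppArmor, either via lsm=...,apparmor,... or the older
# security=apparmor parameter. A compiled-in module without one of these
# stays uninitialised on Arch because it is not in the CONFIG_LSM default.
cmdline_requests_apparmor() {
    case " $1 " in
        *" lsm="*apparmor*|*" security=apparmor "*) return 0 ;;
    esac
    return 1
}

# Live report for this host. Always returns 0 so it can be chained safely.
check_host() {
    lsm_now=$(cat /sys/kernel/security/lsm 2>/dev/null || true)
    if [ -z "$lsm_now" ]; then
        echo "active LSMs : unavailable (securityfs not mounted?)"
    else
        echo "active LSMs : $lsm_now"
        if mac_active "$lsm_now"; then
            echo "MAC         : $(active_mac_modules "$lsm_now")"
        else
            echo "MAC         : none (DAC only)"
        fi
    fi
    cmdline_now=$(cat /proc/cmdline 2>/dev/null || true)
    if cmdline_requests_apparmor "$cmdline_now"; then
        echo "cmdline     : requests apparmor"
    else
        echo "cmdline     : no lsm=/security= override"
    fi
    if [ -r /proc/config.gz ]; then
        cfg_now=$(zcat /proc/config.gz 2>/dev/null \
            | grep -E '^CONFIG_(LSM|SECURITY_APPARMOR|SECURITY_SELINUX)=' || true)
        echo "kernel cfg  : ${cfg_now:-not found}"
    fi
    if command -v pacman >/dev/null 2>&1; then
        pacman -Q apparmor 2>/dev/null || echo "pkg         : apparmor not installed"
    fi
    return 0
}

check_host
```

A host that prints "MAC : none (DAC only)" together with "cmdline : no lsm=/security= override" is in the state described in the findings below: the module exists in the kernel image but nothing selects it at boot, so the finding is a deployment gap rather than a kernel limitation.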

Findings

  1. No MAC framework active — the default Arch kernel ships with AppArmor compiled in (CONFIG_SECURITY_APPARMOR=y) but leaves it out of the CONFIG_LSM default, so it is never initialised unless the boot loader passes lsm= (or security=apparmor) and the apparmor package loads profiles

  2. Not in deployment plan — Phases 0-11 of the P16g deploy runbook do not include MAC deployment

  3. Razer has the same gap — this is a systemic issue, not P16g-specific; P16g is the immediate concern because it is the host currently being hardened

Root Cause

Technical explanation: The P16g deployment runbook (PRJ-2026-04-p16g-deploy) was authored without a MAC deployment phase. The default Arch Linux installation enables only the minor stacking LSMs (Yama's ptrace restriction and lockdown), with no path-based (AppArmor) or label-based (SELinux) MAC on top of discretionary access control. DAC alone draws no boundary between processes of the same user: every process running as evanusmodestus, a browser tab or any compromised userland binary included, has equal, unrestricted read access to all files that user owns, including encrypted credentials, age identities, GPG private keys, and gopass stores. Encryption at rest does not close this gap, since the same processes can read the unlocked material and the agents that hold it.

Why it happened:

  • Immediate cause: MAC not included in deployment phases 0-11

  • Contributing factors: Arch Linux does not enable AppArmor by default (unlike Ubuntu and openSUSE, where it is initialised at boot and ships with profiles), so a MAC only exists if the deployer adds it explicitly

  • Systemic issues: No security hardening checklist exists for workstation deployments — Phase 11 ("Verification") mentions "hardening" but sets no specific MAC requirement and no check that a MAC module appears in /sys/kernel/security/lsm