[Bug 724829] New: install AppArmor by default (again)
https://bugzilla.novell.com/show_bug.cgi?id=724829
https://bugzilla.novell.com/show_bug.cgi?id=724829#c0

Summary: install AppArmor by default (again)
Classification: openSUSE
Product: openSUSE 12.1
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Patterns
AssignedTo: coolo@suse.com
ReportedBy: suse-beta@cboltz.de
QAContact: qa@suse.de
Found By: Beta-Customer
Blocker: ---

Several people, including some maintainers of packages with an AppArmor profile, requested on the opensuse-factory ML to install AppArmor by default (again).

The reason for not installing AppArmor by default was (IIRC) mostly that it wasn't really maintained and some profiles were incomplete and accidentally blocked something. Both things are solved in the meantime (better don't ask how many evenings I spent on the AppArmor package...).

Please re-add AppArmor to the default installation.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=724829#c
Stephan Kulow
https://bugzilla.novell.com/show_bug.cgi?id=724829#c1
Sascha Peilicke
https://bugzilla.novell.com/show_bug.cgi?id=724829#c2
--- Comment #2 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=724829#c3
Christian Boltz
From the things Ludwig mentioned: usr.sbin.avahi-daemon has a profile. usr.sbin.nscd and usr.sbin.ntpd are also things that are started by default IIRC and are protected by AppArmor.

Of course I use all profiles that are installed by default on my system and everything works - so AppArmor won't "bug joe user with that" ;-) It just sits in the background and adds some additional security.

The desktop notification works (it's not a tray applet/icon anymore - it uses /usr/bin/notify-send). You can start it with

    sudo /usr/sbin/aa-notify -p --display $DISPLAY

BTW: the usr.sbin.smbd profile is now even automatically updated based on your shares in smb.conf.

Now to the more interesting[tm] things you asked:

The problem with firefox and acroread is that they have "save as..." and "open..." in their file menu. This means that I'd have to give them read and write permissions to (more or less) the whole filesystem, which makes having a profile quite pointless. The only thing that would be possible without restricting users would be a set of deny rules where I could blacklist read access to ~/.gnupg and ~/.ssh - but such a blacklist would never be complete.

To make the firefox profile really secure, a restriction like "downloads can only be stored in ~/Downloads/" would be needed. That's exactly what the firefox profile in /etc/apparmor/profiles/extras/ does, and it's also the reason why this profile isn't enabled by default.

Flash could be easier because it doesn't have "save as..." and "open..." - but I'm not sure at which point between browser and flash a profile could attach. (Does flash run as a standalone process? What's the name of the binary?)
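An added sketch, not the openSUSE firefox profile and not code from the bug, contrasting the two approaches Christian describes above: a blacklist of ~/.gnupg and ~/.ssh on top of broad home access (which stays incomplete), versus the default-deny style of the extras profile, where "save as..." only succeeds under ~/Downloads/. The firefox binary path and the abstractions pulled in are assumptions.

```apparmor
# Added example profile sketch (assumed binary path, not the packaged profile).
# Assumes the standard abstractions under /etc/apparmor.d/abstractions/ exist.
#include <tunables/global>

/usr/lib/firefox/firefox {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # Approach 1 (weak, shown commented out): allow the whole home directory
  # and blacklist known secrets. Deny rules win over allow rules in AppArmor,
  # so these two paths are protected, but every credential file the
  # blacklist does not list (other apps' tokens, config with passwords,
  # browser profiles of other users' tools) stays readable and writable.
  # owner @{HOME}/** rw,
  # deny  @{HOME}/.gnupg/** mrwkl,
  # deny  @{HOME}/.ssh/**   mrwkl,

  # Approach 2 (what the extras profile does): no general home access.
  # Only the browser's own profile data and the download directory are
  # granted; everything else under @{HOME} is denied by default, so a
  # "save as..." or "open..." outside ~/Downloads/ fails (and is logged).
  owner @{HOME}/.mozilla/**   rwk,
  owner @{HOME}/Downloads/**  rw,
}
```

Denials from the second variant show up in the audit log as apparmor="DENIED" entries, which is what the aa-notify command mentioned above turns into desktop notifications.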
https://bugzilla.novell.com/show_bug.cgi?id=724829#c4
--- Comment #4 from Sascha Peilicke
https://bugzilla.novell.com/show_bug.cgi?id=724829#c5
Christian Boltz
> If $FOO would be helpful when $CONDITION is met, we should wait for
> $CONDITION to happen. Enabling by default means maintaining it,

guess what I've been doing for some months now ;-) and I've also been well-known on the upstream mailing list for years - money quote (from February 2007):
----------
"Quite low" is 1 in 4 billion. Murphy could make me believe you saw it once, but not twice. You could plausibly see it in a stress test rig
This _is_ Christian :) he has a knack for finding bugs no one else can..
[> Crispin Cowan and Seth Arnold in apparmor-general]

> means updating profiles once application behavior changes. This usually
> includes bug reports of 'broken' apps first.

I'm using AppArmor on my systems (desktop + some web/mail servers) myself, so there are good chances that I notice it quite fast if a profile needs to be updated.

> Maybe the majority of confined services don't change that much, but I
> would like to see a real assessment of AppArmor before we pretend it adds
> any value.

Understandable, even if I wonder why nobody asked in the last years ;-) AppArmor has been included (and was enabled) for how many years now?

> Even if we have some profiles, are we really sure they actually do what
> they're supposed to do (i.e. catch all security-relevant cases) or is this
> just a it-feels-safer (tm) solution?

Show me something that makes a system 100% safe, please ;-) If you had written "catch _nearly_ all security-relevant cases", I'd say yes. Upstream is very picky before accepting profile patches (and asks why a change/additional permission is needed if it isn't obvious), therefore I'm sure the profiles don't allow more than they should allow.

> Has it been proven that AppArmor itself isn't subject to security issues?

The only issue I'm aware of is bug 717209 (fixed in 12.1 by newer upstream kernel), but the impact is very limited - it crashes the current task (which is obviously misbehaving when writing garbage to /proc, so you could even call it a feature ;-)) and triggers a crash dump (if enabled).

> Are there reported cases where it really defeated a security breach?

Counter-question: are there reported cases where your firewall really defeated a security breach? (In theory all applications/daemons are secure, so why would you need a firewall?) The "problem" with such questions is that you will get the answer _after_ something went wrong. Security tools are like a fire insurance - hopefully you'll never need it, but if you don't have one and your house burns down, you'll have a really big problem...

Back to the original question: That's something the security team can probably answer better. I'll needinfo them...
https://bugzilla.novell.com/show_bug.cgi?id=724829#c6
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=724829#c8
Stephan Kulow
https://bugzilla.novell.com/show_bug.cgi?id=724829#c9
Stephan Kulow
https://bugzilla.novell.com/show_bug.cgi?id=724829#c10
--- Comment #10 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=724829#c11
--- Comment #11 from Bernhard Wiedemann