Hello,
On Monday, 30 May 2016, 11:25:45 CEST, Johannes Meixner wrote:
perhaps off topic - more a question from someone who does not know any internals about AppArmor:
I'll give an "AppArmor Crash Course" talk at the openSUSE conference next month to get you started with AppArmor ;-) Maybe we could also talk about confining CUPS with an AppArmor profile (Ubuntu does this already, so we don't need to start from scratch)
On May 29 18:10 Christian Boltz wrote (excerpt):
This is a general problem with profiles for desktop applications. As soon as an application comes with File - Open or File - Save as menu items, the profile can
a) allow opening and saving files from a specified set of directories (for example, the Ubuntu firefox profile AFAIK allows saving files only to ~/download/). Unfortunately this will terribly annoy users.
b) allow opening and saving files everywhere, which makes the profile pretty useless
I think when there is an explicit dialog whereto the application will save a file or wherefrom the application will read a file, there should be no need for additional restrictions because the user can see and confirm what file will be used and by standard Unix permissions
You are assuming bug-free and exploit-free software here. While I would really like to have that, I'm afraid reality differs. Oh, and I never heard of malicious software that first displays a file dialog so that the user can decide which file to destroy or leak ;-) The idea with the "external" file dialog is to allow access to the selected file on the fly [1], which also means access to other files (bypassing the file dialog) could be denied.
a normal user cannot damage other user's data (basically "the system" is root's data).
Right.
In contrast when an application reads or writes files unnoticed by the user then I would like to have some restrictions set up so that the application cannot do "bad things".
In particular I would like that an application cannot unnoticed replace existing files (e.g. replace my private data by something else) and that an application cannot unnoticed read arbitrary files (e.g. read my private data and send it to someone in the Internet).
Is such a setup possible with AppArmor?
Not with the current code - this would need the "external" file dialogs. Also, things like files embedded into a document (but stored in a separate file) make things much more interesting[tm]. However, let's first get the external file dialogs implemented before discussing these details ;-)
I wonder how AppArmor (or any external tool) could know whether or not an application reads or writes files unnoticed versus via an explicit user confirmation dialog?
As Marcus already wrote, this isn't possible - either a file is in the whitelist/profile or it isn't.
Regards,
Christian Boltz
[1] This can be done by temporarily adjusting the profile, by copying the file to a whitelisted directory etc. - but the technical details don't really matter in this discussion ;-) For bonus points, it could remember the recently used files of each application, so that "File - Open recently used files" also works.
--
* cboltz votes for the boring version - can't
<sarnold> that's a bit informal for a mandatory security platform :)
<sbeattie> ah, but you see, contractions are informal, and we can't, err can not, err cannot, err can ?not have that.
[from #apparmor, while discussing bugzilla.novell.com/853661]
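The two profile choices a) and b) from the 29 May excerpt in this thread, written out as an AppArmor profile. This is an added example, not part of the original mails and not a shipped profile; the program name exampleviewer, its path and the directory names are hypothetical.

```apparmor
# Added illustration, not from the thread. "exampleviewer" and all paths
# below are hypothetical placeholders.
#include <tunables/global>

profile exampleviewer /usr/bin/exampleviewer {
  #include <abstractions/base>

  /usr/bin/exampleviewer mr,

  # Option a): File - Open and File - Save as only work inside a fixed
  # set of directories. Everything else in $HOME is refused, because a
  # profile is an allow list and unlisted paths are denied.
  owner @{HOME}/Documents/ r,
  owner @{HOME}/Documents/** r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/** rw,

  # Option b): open and save anywhere in the user's home directory.
  # Enabling this line instead of the four rules above removes most of
  # the protection: a compromised process can then read or overwrite any
  # file the user owns, with or without a file dialog.
  # owner @{HOME}/** rw,

  # A deny rule takes precedence over any allow rule, so even with
  # option b) selected directories can be kept out of reach.
  deny @{HOME}/.ssh/** rw,
}
```

Neither variant distinguishes a file picked in a dialog from one opened silently; the path rules apply to every access the process makes.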