Hello,

On Thursday, 21 August 2014, pinguin74 wrote:
> q1)
> Some apps want to access /proc/ and the directory that corresponds to the process ID. How do you handle that?

No(t yet), but there are plans to do so.

> I think the best way would be to allow shell commands from within profiles. AppArmor could include an additional config file that defines a set of shell commands allowed in profile files. I think that would be nice. Maybe you can write a wrapper for the PID issue, but I have no good idea yet.

Well, this isn't as easy as it looks ;-)

You can write scripts that automatically update a profile (or profile snippet) - that's what I did for samba to adapt the profile to the shares in smb.conf [1]. You'll of course need to be careful to avoid creating insecure snippets.

For PIDs, it's more interesting[tm] because it needs to be handled inside the kernel - the profile itself can't know which PID a process gets at startup or when forking. A very ugly workaround would be to update the profile each time you start an application with the list of current PIDs. That's not what you want, trust me ;-)

> When I look in your example profile, I see Cx somewhere and you define the profile for the child process within the main profile file, right? Thus you don't need several profile files, you can put the child's profile right into the main profile file, right?

Basically right. The more important part is that a child profile is only used when the child is executed by the parent - but not when you execute the child from another program. So for example if you have

    /usr/bin/firefox {
        /bin/foo Cx,
        [...]
    }

/bin/foo will only be confined if it's called by firefox. It will run unconfined if you start it from a shell or from another program.

BTW: You might want to have a look at
- http://blog.cboltz.de/archives/65-openSUSE-conference.html - especially the "AppArmor Crash Course" slides linked at the end
- http://activedoc.opensuse.org/book/opensuse-security-guide/part-iv-confining...

> BTW, sending a user agent with your mail user client may not be beneficial for security....

Who tells you that my header contains the user agent I'm actually using? ;-)

Besides that, experts can often tell from small details in the other headers which mail client was used.

Oh, and finally - I'm quite sure KMail does not have critical security issues (with HTML mode disabled). Maybe I'm just not paranoid enough to remove that header ;-)

Regards,

Christian Boltz

PS: Non-random sig ;-)

[1] /usr/share/samba/update-apparmor-samba-profile

-- 
my_hdr X-MSMail-Priority: Normal
my_hdr X-Mailer: Microsoft Outlook Express 5.50.4133.2400
my_hdr X-MimeOLE: Produced by Microsoft MimeOLE V5.50.4133.2400
unset user_agent
set attribution="----- Original Message -----\n\From: %n <%a>\n\%t\n\Sent: %d\n\Subject: %s"
...and just like that you're using OE. Try doing that with KMail. ;-))))
[Andreas Kneib on mutt in suse-linux]
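
Added example, not part of the original mail and not a profile shipped by openSUSE: the Cx rule discussed above written out with its child profile defined inside the parent's profile file. /bin/foo is the placeholder name from the mail, and the individual file rules are constructed assumptions chosen only to show the layout.

```apparmor
# Constructed example; paths and rules are placeholders, not a real profile.
#include <tunables/global>

/usr/bin/firefox {
  #include <abstractions/base>

  # The parent may read and map its own binary.
  /usr/bin/firefox mr,

  # Cx: when firefox executes /bin/foo, the new process transitions to
  # the child profile of the same name defined further down in this
  # block. There is no fallback; if the child profile were missing,
  # the exec would be denied.
  /bin/foo Cx,

  # Child profile. It lives in the same file, inside the parent's
  # braces, and is only entered through the Cx rule above. It inherits
  # nothing from the parent, so every access /bin/foo needs must be
  # listed here.
  profile /bin/foo {
    #include <abstractions/base>

    /bin/foo mr,

    # "owner" limits the rule to files owned by the user running the
    # process.
    owner @{HOME}/.foo/** rw,
  }
}
```

Because the child profile is not attached to /bin/foo globally, aa-status lists a /bin/foo process as confined only when firefox started it; giving /bin/foo confinement regardless of the caller needs its own top-level profile.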