On 29.08.2014 16:50, Carlos E. R. wrote:
> On 2014-08-29 16:05, pinguin74 wrote:
>> Hi there,
>> do AppArmor profiles really need to be world readable?
>> Would it hurt to set them to 640 or even 600?
>> Why should user processes need to read AA profiles? If they don't need to, they shouldn't in the first place, IMHO.
>> I mean, doesn't only AA (=root) need to read them?
> No, it needs root to write them.
> You don't need to hide the information from users, there are no secrets in them. Like fstab: users can read it, too.
Well, I think one thing you can learn from attacks is that attackers always abuse things you never expected could be abused at all... Thus, disable, delete, remove everything not necessarily needed... Maybe an attacker could read the profiles and then attack another app that seems to him to be secured in a less strict way? I'd like to avoid that by setting profiles to 640 or 600.