On Thursday, 2013-12-05 at 22:49 +0100, Carlos E. R. wrote:
> On 2013-12-05 22:46, John Andersen wrote:
>> On 12/5/2013 1:22 PM, Carlos E. R. wrote:
>>> I will keep using acroread, jailed in an AppArmor profile, and with a trick on the firewall so that it cannot connect.
>> Can you share the details of the AppArmor and the firewall blockage?
> I still have not done that. The firewall thing yes, but it is not currently active and I have to check things. Sure, I'll post.
For the firewall. In "/etc/sysconfig/scripts/SuSEfirewall2-custom" add this:

  iptables -A OUTPUT -m owner --gid-owner talker -j LOG --log-prefix 'Do not talk home: '
  iptables -A OUTPUT -m owner --gid-owner talker -j REJECT

I have it in "fw_custom_after_chain_creation()", but I don't know if that's the correct place.

Then the binary of the application to block is changed so that it belongs to the group "talker", and then it is made SGID (chmod g-s). In "/etc/permissions.local" add the line:

  /usr/lib/Adobe/Reader9/bin/acroread root:talker 2755

Then run "chkstat --system --set". Result:

  Telcontar:~ # ls -l /usr/lib/Adobe/Reader9/bin/acroread
  -rwxr-sr-x 1 root talker 20137 May 16  2013 /usr/lib/Adobe/Reader9/bin/acroread

What this does is that the Acrobat application runs under the group "talker", not as its usual self. Now, I don't know how to see this in the output of "ps"...

Well, it appears that the network packets coming from programs can be identified by group, and thus you can block that group from passing.

I don't know how to verify if Acrobat can connect or not, i.e., how to force it to connect. If it does, I see it in the log.

-- 
Cheers,
       Carlos E. R.
       (from 12.3 x86_64 "Dartmouth" at Telcontar)
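The procedure above (binary made setgid to a dedicated group, owner-match rules in the OUTPUT chain, a LOG rule to see hits) as an added POSIX shell example; this is not code from Carlos's post. It generates the two rule lines and the permissions.local entry for any group and binary, checks an `ls -l` line for the expected group and setgid bit, and pulls DST:DPT out of a kernel log line carrying the 'Do not talk home: ' prefix. The sample log line, the documentation-range address and the group/binary defaults are constructed here; the SRC=/DST=/DPT= fields are the kernel LOG target's standard layout.

```shell
#!/bin/sh
# Added example (not from the original post): generate the rules and the
# permissions entry for "block this group's outbound traffic", and verify
# the result. Group and binary default to the ones used in the thread.

GROUP="${GROUP:-talker}"
BINARY="${BINARY:-/usr/lib/Adobe/Reader9/bin/acroread}"
PREFIX="Do not talk home: "

# The two lines for fw_custom_after_chain_creation(): log, then reject,
# every OUTPUT packet whose sending socket belongs to the group.
fw_custom_rules() {
    grp="$1"
    printf "iptables -A OUTPUT -m owner --gid-owner %s -j LOG --log-prefix '%s'\n" "$grp" "$PREFIX"
    printf "iptables -A OUTPUT -m owner --gid-owner %s -j REJECT\n" "$grp"
}

# The /etc/permissions.local line: path owner:group mode. 2755 is rwxr-sr-x,
# i.e. setgid plus group execute, which "chkstat --system --set" applies.
permissions_entry() {
    printf '%s root:%s 2755\n' "$1" "$2"
}

# Check one `ls -l` line: field 1 is the mode, field 4 the group. A lower-case
# 's' in position 7 means setgid AND group execute; an upper-case 'S' would be
# setgid without execute, which is useless for a program.
check_sgid_group() {
    want="$2"
    set -- $1
    mode="$1"; grp="$4"
    case "$mode" in
        ??????s???) ;;
        *) echo "mode $mode lacks setgid+group-exec" >&2; return 1 ;;
    esac
    if [ "$grp" != "$want" ]; then
        echo "group is $grp, expected $want" >&2; return 1
    fi
}

# Extract DST:DPT from a kernel log line produced by the LOG rule above,
# or fail if the line does not carry our prefix.
log_hit_dest() {
    case "$1" in
        *"$PREFIX"*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | sed -n 's/.*DST=\([^ ]*\).*DPT=\([0-9]*\).*/\1:\2/p'
}

# Constructed sample log line (not a real capture); the field layout is the
# kernel LOG target's, with a documentation-range destination address.
SAMPLE_LOG='Dec  5 23:10:01 Telcontar kernel: Do not talk home: IN= OUT=eth0 SRC=192.168.1.14 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=45678 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0'

fw_custom_rules "$GROUP"
permissions_entry "$BINARY" "$GROUP"
log_hit_dest "$SAMPLE_LOG"
```

The script only prints; nothing is applied to the running firewall or to the file system. The setgid bit comes from the 2755 mode in permissions.local (the equivalent chmod is g+s), and `ls -l` showing a lower-case s in the group-execute slot confirms both bits are on. To see which group a running process actually carries, procps' `ps -eo pid,egroup,comm` lists the effective group per process.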