Hello,

On Nov 4 23:45 Christian Boltz wrote (excerpt):
On Wednesday, 4 November 2015, Johannes Meixner wrote:
Is it possible to have an AppArmor profile for rpm so that rpm cannot change already existing files?
... If you really want that, it might be possible to create a profile based on the rpm -qpl output, but that won't help much for %post scripts. Well, except if your goal is not to let %post change anything that is not related to the new package, ... ;-)
Yes, my goal is not to let %post change anything that is not related to the new package because otherwise anything evil could be done via RPM scriptlets.

For my personal use case see https://fate.opensuse.org/307745 (excerpt)
------------------------------------------------------------------
... it downloads RPMs only from hardcoded URLs from OpenPrinting and inspects the downloaded RPM whether it overwrites already installed files on the system and if not, it installs it without running any RPM scripts because normal printer drivers do not need to run RPM scripts during installation. If the above conditions are not fulfilled it shows a very explicit warning text and does not install anything.
------------------------------------------------------------------

Normal printer driver software packages do not need to run RPM scriptlets. Perhaps also for installing normal application programs there is no real need to run RPM scriptlets. The only exception is perhaps running /sbin/ldconfig in %post and %postun. But I wonder if this could be misused to do evil things, e.g. when third-party software provides its own version of a standard library with "special additional functionality" (a.k.a. backdoor).
Speaking about printer drivers - do you think having a profile for cups would be possible?
I do not yet understand what you mean by "a profile for cups", i.e. what your intent behind such a profile should be.
In contrast when installing openSUSE maintenance updates such an AppArmor profile would have to be disabled before.
Obviously ;-)
BTW: aa-exec allows you to invoke a program with a specific profile. That's probably easier than switching profiles on and off.
Perhaps a more general feature request like https://fate.opensuse.org/307745 for "a general tool" (not necessarily a YaST module) that helps a normal user to install third-party software in a reasonably secure way (what "reasonably secure" is needs to be discussed and defined) makes sense?
Probably it is really a good idea to create an AppArmor profile for rpm to deny access to /home/* and see how a default openSUSE installation behaves.
Perhaps this could reveal "interesting" results ;-)
OK, challenge accepted. ... ... basically with the same result:
A default tumbleweed install with KDE does not touch anything inside /home :-)
Wow! We are really good!
A funny detail is that some %post script creates /dev/lp* - any idea why that might be needed? For bonus points, tell me which package does that, and why /dev/lp* are needed on a laptop that doesn't have a parallel port ;-)
See https://bugzilla.opensuse.org/show_bug.cgi?id=673845 for the full story. You need to find out why you got the parallel-printer-support RPM installed on your computer. As far as I know installation of this RPM is not done in a hardware dependent way but by an RPM "recommends" (actually by a "Supplements: cups").

Kind Regards
Johannes Meixner
--
SUSE LINUX GmbH - GF: Felix Imendoerffer, Jane Smithard, Graham Norton - HRB 21284 (AG Nuernberg)
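The rpm profile the thread proposes (deny everything under /home, applied only through aa-exec so that maintenance updates stay unconfined), as an added example that is not part of this thread and not one of AppArmor's shipped profiles. The profile name rpm_home_guard, the file path and the package file name are assumptions; the bare signal/ptrace/unix rules assume an AppArmor 2.9 or newer parser.

```apparmor
# Added example, not from the thread: /etc/apparmor.d/rpm_home_guard (assumed path)
# Load it with:   apparmor_parser -r /etc/apparmor.d/rpm_home_guard
# The profile has no attachment path, so rpm started by zypper or by hand
# stays unconfined; it only applies when you ask for it explicitly:
#   aa-exec -p rpm_home_guard -- rpm -Uvh some-printer-driver.rpm   (assumed file name)
#include <tunables/global>

profile rpm_home_guard flags=(attach_disconnected) {
  #include <abstractions/base>

  # rpm and the scriptlets it spawns (via /bin/sh, which inherits this
  # profile) are otherwise unrestricted: the experiment is only about /home.
  capability,
  network,
  file,
  mount,
  umount,
  signal,
  ptrace,
  unix,

  # deny beats the allow above and is inherited by every child process.
  # '**' is required: '/home/*' would match only the user directories
  # themselves, not the files inside them.
  # 'audit' writes every hit to the audit log (or the kernel log), which is
  # what tells you which %post tried to touch user data.
  # deny rules stay enforced even with flags=(complain), so switching the
  # profile to complain mode only relaxes the logging of everything else.
  audit deny /home/** mrwklx,
}
```

With the profile loaded, an installation whose scriptlets write below /home fails on that access and leaves an audit line naming the offending process.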