Hello,

On Sunday, 24 August 2014, pinguin74 wrote:

> How do you best confine Java applications using AppArmor?

I don't know much about Java, but let me answer nevertheless ;-)

> Can you just confine the Java interpreter itself or can you confine the Java *.jar package?

Confining the interpreter is not a good idea IMHO - that would be like confining bash or perl, which is a) not a good idea, b) can break other users of $interpreter or c) you'll need a profile that allows everything every user of $interpreter needs - which means you won't have many restrictions left.

I'm not aware of a way to confine a *.jar (but, see above, I don't know much about Java). _If_ it's possible to run a *.jar with ./foo.jar then it might also be possible to create a profile for it - just try it ;-) (hint: aa-genprof ./foo.jar)

IMHO the easiest way is to write a small wrapper script that starts "java foo.jar" and to create a profile for this wrapper script (with ix or Cx for java).

If you start your *.jar with a systemd service file, then newer versions of systemd also allow you to specify the profile to use in the service file. ("Newer versions" probably means only openSUSE Factory at the moment, but I never tested this feature.)

Regards,

Christian Boltz

--
And I think we'd be much more successful if we could deliver functional NetworkManager and updater applets for the first time in years, than providing some hyped "innovation". [Martin Schlander in opensuse-project]
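
The wrapper-script approach from the reply above, written out as an added example (not part of the original mail, and not a profile shipped by any distribution). The wrapper path, jar location, data directory, profile name `foo-wrapper` and the JVM install path are all assumptions; adjust them to the real system and let aa-genprof fill in whatever else the application needs.

```apparmor
# /etc/apparmor.d/foo-wrapper   (constructed example, all paths are assumptions)
#
# The wrapper script it confines, /usr/local/bin/foo-wrapper:
#   #!/bin/bash
#   exec java -jar /opt/foo/foo.jar "$@"
#
# Optional, for the systemd case: in the unit's [Service] section,
#   AppArmorProfile=foo-wrapper
# (the profile has to be loaded before the service starts).

#include <tunables/global>

profile foo-wrapper /usr/local/bin/foo-wrapper {
  #include <abstractions/base>
  #include <abstractions/bash>

  /usr/local/bin/foo-wrapper r,
  /{usr/,}bin/bash rix,            # script interpreter stays in this profile

  # Cx: java gets the child profile below, but only when started from this
  # wrapper. Other users of java on the system are not affected.
  # AppArmor matches the resolved binary, not the /usr/bin/java symlink.
  /usr/lib64/jvm/*/bin/java Cx -> java,
  /usr/lib64/jvm/*/jre/bin/java Cx -> java,

  profile java {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    /usr/lib64/jvm/** mr,          # JVM binaries, shared libraries, class data
    /opt/foo/foo.jar r,            # the application itself, read-only
    /opt/foo/conf/** r,
    owner /var/lib/foo/** rw,      # the only place the app may write data
    owner /tmp/hsperfdata_*/ rw,   # JVM performance-data directory
    owner /tmp/hsperfdata_*/* rw,

    # No exec rules here: the confined JVM cannot start other programs.
    # Replacing Cx with ix above would instead run java under the wrapper's
    # own rules, which then have to cover everything the JVM needs.
  }
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/foo-wrapper`; the running JVM then shows up as `foo-wrapper//java` in `aa-status`.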