Mailinglist Archive: opensuse-security (24 mails)

< Previous Next >
Re: [opensuse-security] AA confining bash
Am 03.10.2014 um 23:23 schrieb Carlos E. R.:
On 2014-10-03 22:42, pinguin74 wrote:
With regard to the lates Bash Shock, I wonder does it make sense to
confine Bash with AppArmor after all?

No.
It is used by everything, needs access everywhere.

You can confine the parent and its children, when you know in advance
what the parent is going to do for months to come.

I think with aa-notify you can learn quickly if the profile needs
adjustment, so it should work if Bash inherits the main profile.

I tried this with clamscan, Thunderbird and Firefox, they all invoke
bash. And never had complaints bash couldnĀ“t access something!

Best regards


< Previous Next >
Follow Ups
References