Mailinglist Archive: opensuse-security (24 mails)

Re: [opensuse-security] AA confining bash
Hello,

On Friday, 3 October 2014, pinguin74 wrote:
> With regard to the latest Bash Shock, I wonder does it make sense to
> confine Bash with AppArmor after all?
>
> I think to create a dedicated profile solely for Bash does not make
> sense, because in general you want to be able to access everything
> with Bash, right?

Right.

> If an app wants to access Bash I invoke /bin/bash with the ix
> parameter, this way Bash inherits the app's profile. Is this the only
> best way to confine Bash? Or does a dedicated profile make sense?

You can use a child profile (Cx) if you want to give bash different
permissions than the main profile.

If you are really paranoid, you can use another child profile for
binaries executed by the Cx'd bash. Note that aa-logprof won't offer
(C)hild when you are already in a child profile, but you can use (N)amed
and enter the wanted child profile, like /bin/foo///bin/bar if your main
profile is /bin/foo and you want a child profile for /bin/bar.


Regards,

Christian Boltz

PS: Speaking about shellshock - if a windows user points fingers at
Linux because of shellshock, point him to
https://plus.google.com/117024231055768477646/posts/AhBgNjsVASa
;-)

--
[Shutting down Windows remotely] just use an unpatched Windows
and one of the thousand viruses that shut the machines down
last year ;) [Andreas Loesch in suse-linux]
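
A profile sketch of the two options discussed in this message (ix inheritance versus a Cx child profile, plus a named transition for what the confined bash runs). It is an added example, not part of the original post; /bin/foo and /bin/bar are the placeholder names used above, and every file permission and the /var/lib/foo path are assumptions.

```apparmor
# Added illustration: all permissions below are assumptions and would
# normally be built up with aa-logprof.
#include <tunables/global>

/bin/foo {
  #include <abstractions/base>

  /bin/foo mr,

  # Option from the question: bash inherits this profile unchanged.
  # /bin/bash ix,

  # Option from the reply: bash runs in its own child profile.
  # Only one exec mode can apply to a path, so ix stays commented out.
  /bin/bash Cx,

  # Child profile, full name /bin/foo///bin/bash
  profile /bin/bash {
    #include <abstractions/base>
    #include <abstractions/bash>

    /bin/bash mr,

    # Anything this confined bash executes must be listed explicitly.
    # /bin/bar is sent to a second child of /bin/foo, named in full,
    # which is what the (N)amed choice in aa-logprof records.
    /bin/bar Px -> /bin/foo///bin/bar,
  }

  # Child profile, full name /bin/foo///bin/bar
  profile /bin/bar {
    #include <abstractions/base>

    /bin/bar mr,
    /var/lib/foo/** r,   # assumed data directory
  }
}
```

Once the profile is loaded, aa-status lists a bash started by /bin/foo under /bin/foo///bin/bash instead of /bin/foo.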
