On Mon, May 30, 2016 at 11:25:45AM +0200, Johannes Meixner wrote:
Hello,
perhaps off topic - more a question from someone who does not know any internals about AppArmor:
On May 29 18:10 Christian Boltz wrote (excerpt):
This is a general problem with profiles for desktop applications. As soon as an application comes with File - Open or File - Save as menu items, the profile can
a) allow opening and saving files from a specified set of directories (for example, the Ubuntu firefox profile AFAIK allows saving files only to ~/download/). Unfortunately this will terribly annoy users.
b) allow opening and saving files everywhere, which makes the profile pretty useless
I think when there is an explicit dialog whereto the application will save a file or wherefrom the application will read a file, there should be no need for additional restrictions because the user can see and confirm what file will be used and by standard Unix permissions a normal user cannot damage other users' data (basically "the system" is root's data).
In contrast when an application reads or writes files unnoticed by the user then I would like to have some restrictions set up so that the application cannot do "bad things".
In particular I would like that an application cannot unnoticed replace existing files (e.g. replace my private data by something else) and that an application cannot unnoticed read arbitrary files (e.g. read my private data and send it to someone on the Internet).
Is such a setup possible with AppArmor?
No.
I wonder how AppArmor (or any external tool) could know whether or not an application reads or writes files unnoticed versus via an explicit user confirmation dialog?
AppArmor is implemented by static file/directory path whitelisting rules in the kernel; it cannot distinguish between a user-wanted action and a malicious one (e.g. if there is a dialog or not).
Ciao, Marcus
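The trade-off discussed in this thread, written out as a profile fragment. This is an added example, not part of any message above and not taken from a shipped profile; the binary path /usr/bin/exampleviewer and the directory choices are assumptions.

```apparmor
# Constructed example: hypothetical application, not a shipped profile.
#include <tunables/global>

/usr/bin/exampleviewer {
  #include <abstractions/base>

  # Option a) from the thread: a fixed set of directories.
  # "owner" limits the rule to files owned by the calling user.
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/** rw,

  # Option b) from the thread would instead be a single broad rule:
  #   owner @{HOME}/** rw,
  # With a rule that broad, explicit denials are the only way to keep
  # private data out of reach, and they apply to every access alike:
  deny @{HOME}/.ssh/** rw,
  deny @{HOME}/.gnupg/** rw,

  # Every rule above is a path pattern plus a permission set. The kernel
  # matches the path of each open() against these patterns; whether the
  # open() followed a file dialog or happened silently is not an input,
  # so a "Save as" into ~/Documents is refused under option a) exactly
  # as an unnoticed write to the same path would be.
}
```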