Mailinglist Archive: opensuse-security (12 mails)

Re: [opensuse-security] Apparmor suggestion to include more profiles
Hello,

On Monday, 30 May 2016, 11:25:45 CEST, Johannes Meixner wrote:
perhaps off topic - more a question from someone
who does not know any internals about AppArmor:

I'll give an "AppArmor Crash Course" talk at the openSUSE conference
next month to get you started with AppArmor ;-)

Maybe we could also talk about confining CUPS with an AppArmor profile
(Ubuntu does this already, so we don't need to start from scratch)

On May 29 18:10 Christian Boltz wrote (excerpt):
This is a general problem with profiles for desktop
applications.
As soon as an application comes with File - Open
or File - Save as menu items, the profile can
a) allow opening and saving files from a specified set
   of directories (for example, the Ubuntu firefox profile
   AFAIK allows saving files only to ~/download/).
   Unfortunately this will terribly annoy users.
b) allow opening and saving files everywhere, which makes
   the profile pretty useless

I think when there is an explicit dialog whereto the
application will save a file or wherefrom the application
will read a file, there should be no need for additional
restrictions because the user can see and confirm what
file will be used and by standard Unix permissions

You are assuming bug-free and exploit-free software here.

While I would really like to have that, I'm afraid reality differs.
Oh, and I never heard of malicious software that first displays a file
dialog so that the user can decide which file to destroy or leak ;-)

The idea with the "external" file dialog is to allow access to the
selected file on the fly [1], which also means access to other files
(bypassing the file dialog) could be denied.

a normal user cannot damage other user's data
(basically "the system" is root's data).

Right.

In contrast when an application reads or writes files
unnoticed by the user then I would like to have some
restrictions set up so that the application cannot
do "bad things".

In particular I would like that an application cannot
unnoticed replace existing files (e.g. replace my
private data by something else) and that an application
cannot unnoticed read arbitrary files (e.g. read my
private data and send it to someone in the Internet).

Is such a setup possible with AppArmor?

Not with the current code - this would need the "external" file dialogs.

Also, things like files embedded into a document (but stored in a
separate file) make things much more interesting[tm]. However, let's first
get the external file dialogs implemented before discussing these details
;-)

I wonder how AppArmor (or any external tool) could know
whether or not an application reads or writes files
unnoticed versus via an explicit user confirmation dialog?

As Marcus already wrote, this isn't possible - either a file is in the
whitelist/profile or it isn't.


Regards,

Christian Boltz

[1] This can be done by temporarily adjusting the profile, by copying
the file to a whitelisted directory etc. - but the technical details
don't really matter in this discussion ;-)
For bonus points, it could remember the recently used files of each
application, so that "File - Open recently used files" also works.

--
* cboltz votes for the boring version - can't
<sarnold> that's a bit informal for a mandatory security platform :)
<sbeattie> ah, but you see, contractions are informal, and we can't,
err can not, err cannot, err can ?not have that.
[from #apparmor, while discussing bugzilla.novell.com/853661]
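
The trade-off between options a) and b) discussed in the mail, as an added AppArmor profile sketch that is not part of the original mail or of any shipped profile. The profile name, the binary path /usr/bin/example-editor and the Downloads directory are assumptions for illustration, and the profile is reduced to the file rules under discussion.

```apparmor
#include <tunables/global>

# Hypothetical desktop application; name and path are assumptions.
profile example-editor /usr/bin/example-editor {
  #include <abstractions/base>

  # Option a): File - Open / Save as only works inside one directory.
  # A compromised process can touch nothing else in the home
  # directory, but neither can the user via the file dialog.
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/** rw,

  # Option b): the file dialog works everywhere in the home directory,
  # and so does any code running inside the process, with or without
  # a dialog. Uncomment to replace option a).
  # owner @{HOME}/** rw,
}
```

In both variants the decision depends only on the path and the owner of the file, not on whether a dialog was shown, which is the whitelist behaviour described in the mail.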
