[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [opensuse-security] Apparmor suggestion to include more profiles



Hello,

Am Donnerstag, 2. Juni 2016, 07:22:25 CEST schrieb Malte Gell:
> Am 01.06.2016 um 02:16 schrieb Christian Boltz:
> >> (...)
> >> You´re right, SUSE never came with many really useful AA profiles.
> >> On the other hand, in my mind you always need to change AA profiles
> >> to meet your demands.
> > 
> > Did you also need any changes in the profiles that are enabled by
> > default? If so, please tell me - in many (not all) cases I consider
> > this to be a bug in the profile ;-)
> 
> No, actually I never looked closer at the default profiles.... I´ve
> been more keen on user space programms like Firefox, VLC etc. I guess
> on desktop systems this may be the first doors an attacker would
> break into.

Agreed, but as I already pointed out in another mail, it's close to 
impossible to ship default profiles for them that are safe and don't 
annoy users.

> Where can you make suggestions for changes to default
> profiles/abstractions? Here or bugzilla?

I'm everywhere ;-) but bugzilla has the advantage that nothing gets 
lost.

> > I agree that it would be good to have a place where profiles can be
> > shared, but I'm not sure if the wiki is a good place. The problem I
> > see is that the wiki makes it too easy to do malicious
> > modifications to a profile.
> 
> Can a certain wiki site not be restricted to allow only certain people
> to post stuff?

In theory yes, but managing access permissions in MediaWiki is a 
nightmare if you need more than the usual groups (basically admins and 
"normal" users). To make things worse, MediaWiki has a browsable version 
history, but not a "blame" feature to find out who last edited a line.

> Doesn´t openSUSE have a website that is run "normally" without wiki?
> So people could show and discuss their AA profiles here on the list
> and an admin looks over them and puts them on a static non-wiki web
> site?

Review/moderation is an important point.

Your text sounds like you are describing a git repo ;-) which would be a 
much better solution than a static web page.

> > There are plans to setup a cross-distribution repo for profiles
> > (I discussed this with some Debian people at last year's DebConf
> > (...)
> In the long run that would be best, so all Linux users can benefit, no
> matter what distribution.

I fully agree. The profiles are typically useable everywhere if you honor 
some small details (for example /lib/ vs. /lib64/ -> use /lib*/).

BTW: Even if it isn't one of the stated goals of AppArmor, it more than 
once was helpful to get cross-distribution collaboration improved. And 
I'm not only talking about sharing AppArmor profiles here ;-)  [1]


Regards,

Christian Boltz

[1] I did my "AppArmor Crash Course" talk at DebConf last year. I was 
    the only speaker with an openSUSE t-shirt ;-) and had a funny 
    "Any relations between Debian and openSUSE" slide.
    Next month we'll have two speakers from DebConf15 at the openSUSE 
    conference. I'm sure the things they work on are also relevant, 
    useful and interesting for openSUSE :-)

-- 
Bitte in Zukunft keine Stasi-Vergleiche mehr. Das verharmlost die
gegenwärtige Situation. [purchaser auf
http://www.heise.de/newsticker/foren//forum-290681/msg-26347022/read/]

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-security+owner@xxxxxxxxxxxx