Should I use AppArmor?

Discussion in 'all things UNIX' started by lucygrl, Feb 17, 2014.

Thread Status:
Not open for further replies.
  1. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    @sim

    Consider isolating dash in its own profile. It needs very little access.

    /bin/dash Cxmr -> dash,   # run dash confined by the child profile "dash" below

    .....

    profile dash {
      /bin/dash r,
      /etc/ld.so.cache r,
      /lib/@{multiarch}/ld-2.17.so mr,
      /lib/@{multiarch}/libc-2.17.so mr,
    }

    You may want to change 2.17 to * or 2.* so you won't need to edit the profile for a later release.

    You should cat /var/log/syslog instead of kern.log because then you'll see all the denied dbus actions the program wants.
    http://penguindroppings.wordpress.com/2013/10/18/application-isolation-with-apparmor-part-iii/

    Consider removing the abstractions (all of them) but user-tmp would be easiest. For current Firefox, all it should need is

    /tmp/ r,
    owner /tmp/* rw,
    owner /tmp/orcexec.* m,
    /var/tmp/ r,
    owner /var/tmp/etilqs_* rw,

    TBB shouldn't be far from that and there's room to make the /tmp/* rw rule tighter.

    I've also found that often sys_ptrace isn't necessary to allow.
     
    Last edited: Apr 11, 2014
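The post above recommends reading /var/log/syslog for the DENIED lines (file and dbus alike), globbing library versions, and keeping the /tmp rules tight. The script below is an added example, not code from the thread or from the AppArmor project: it parses AppArmor denial lines out of syslog text and turns them into candidate profile rules, applying the generalisations the post suggests (`@{multiarch}` for the multiarch directory, `-*.so` for versioned libraries, a `*` suffix for randomly named /tmp and /var/tmp files) and adding `owner` when the file's owner matches the process's fsuid. The sample log lines are constructed; the field layout is assumed to match what the AppArmor kernel module and dbus-daemon log, and the generalisation patterns are heuristics you should review before pasting rules into a profile, since a glob can grant more than the single denial did.

```python
import re
from collections import defaultdict

# key=value or key="quoted value" pairs as they appear in AppArmor audit lines
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Generalisation heuristics (assumptions, modelled on the advice in the post):
MULTIARCH_RE = re.compile(r'^(/(?:usr/)?lib)/[a-z0-9_]+-linux-gnu[a-z]*/')  # /lib/x86_64-linux-gnu/ -> /lib/@{multiarch}/
LIBVER_RE = re.compile(r'-\d+(?:\.\d+)+\.so$')                               # libc-2.17.so -> libc-*.so
TMPFILE_RE = re.compile(r'^(/(?:var/)?tmp/[A-Za-z]+[._])[A-Za-z0-9]+$')      # /tmp/orcexec.Xk9Qa1 -> /tmp/orcexec.*

# Constructed sample of syslog lines (not a real capture).
SAMPLE_SYSLOG = """\
Apr 11 10:00:01 box kernel: [  512.10] type=1400 audit(1397203201.101:31): apparmor="DENIED" operation="open" profile="firefox//dash" name="/lib/x86_64-linux-gnu/libc-2.17.so" pid=2345 comm="dash" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
Apr 11 10:00:02 box kernel: [  512.11] type=1400 audit(1397203202.102:32): apparmor="DENIED" operation="open" profile="firefox" name="/tmp/orcexec.Xk9Qa1" pid=2301 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Apr 11 10:00:02 box kernel: [  512.12] type=1400 audit(1397203202.103:33): apparmor="DENIED" operation="open" profile="firefox" name="/var/tmp/etilqs_7f3a" pid=2301 comm="firefox" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Apr 11 10:00:03 box kernel: [  512.13] type=1400 audit(1397203203.104:34): apparmor="DENIED" operation="capable" profile="firefox" pid=2301 comm="firefox" capability=19 capname="sys_ptrace"
Apr 11 10:00:04 box dbus[812]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/Notifications" interface="org.freedesktop.Notifications" member="Notify" mask="send" name="org.freedesktop.Notifications" pid=2301 label="firefox" peer_label="unconfined"
Apr 11 10:00:05 box kernel: [  512.14] type=1400 audit(1397203205.105:35): apparmor="ALLOWED" operation="open" profile="firefox" name="/etc/hosts" pid=2301 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""


def parse_denial(line):
    """Return the key/value fields of one AppArmor DENIED line, or None for anything else."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: (quoted if quoted else bare) for k, quoted, bare in KV_RE.findall(line)}


def generalize_path(path):
    """Apply the globbing heuristics above to one denied path."""
    path = MULTIARCH_RE.sub(r'\1/@{multiarch}/', path)
    path = LIBVER_RE.sub('-*.so', path)
    path = TMPFILE_RE.sub(r'\1*', path)
    return path


def rule_for(f):
    """Translate one parsed denial into a candidate AppArmor rule, or None if unsupported."""
    op = f.get('operation', '')
    if op == 'capable':
        return f"capability {f['capname']},"
    if op.startswith('dbus_') and f.get('mask') in ('send', 'receive'):
        return ('dbus {mask} bus={bus} path={path} interface={interface} '
                'member={member} peer=(name={name}),').format(**f)
    if 'name' in f and 'denied_mask' in f:
        # the log reports create/delete as c/d; in a rule both are write access
        mask = ''.join(sorted(set(f['denied_mask'].replace('c', 'w').replace('d', 'w'))))
        owner = 'owner ' if f.get('fsuid') == f.get('ouid') else ''
        return f"{owner}{generalize_path(f['name'])} {mask},"
    return None


def suggest_rules(syslog_text):
    """Map each profile to a sorted, de-duplicated list of candidate rules."""
    rules = defaultdict(set)
    for line in syslog_text.splitlines():
        f = parse_denial(line)
        if not f:
            continue
        profile = f.get('profile') or f.get('label')   # dbus denials carry label= instead of profile=
        rule = rule_for(f)
        if profile and rule:
            rules[profile].add(rule)
    return {p: sorted(r) for p, r in rules.items()}


if __name__ == '__main__':
    for profile, rules in suggest_rules(SAMPLE_SYSLOG).items():
        print(f"# candidate rules for profile {profile}")
        for rule in rules:
            print("  " + rule)
```

To use it on a real machine, replace SAMPLE_SYSLOG with the contents of /var/log/syslog; each run gives you the rules the program asked for since the last profile reload, so you can judge per rule whether to add it, narrow it (the post's point about `/tmp/* rw`), or leave it denied (the post's point about sys_ptrace).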
  2. _Sim_

    _Sim_ Registered Member

    Joined:
    Mar 2, 2014
    Posts:
    15
    Thanks for your help!

    I thought that only executable files that need a lot of access should have their own profile. I think the best bet is to isolate every executable file.

    I will do so.

    Thanks for the link!
     