[conspire] Autorun in GNOME/Nautilus

Rick Moen rick at linuxmafia.com
Tue Sep 27 17:11:29 PDT 2011


Quoting Ruben Safir (ruben at mrbrklyn.com):

> I've been wondering what the heck AppArmor is.  I thought it was
> something Novell added to the OS which was unnecessary.

AppArmor is per-application sandboxing, enforced by a kernel that
includes the necessary LSM code.

It requires that a 'policy' file exist for any application that's to be
corralled in this fashion:  The policy file describes various sorts of
access that will be permitted or denied to particular pathspecs.
Several distros (not just Novell/SUSE) have been gradually introducing
policies covering particular utilities posing security concern.  The
Wikipedia page cites CUPS, MySQL, libvirt, Evince[1], and Firefox.

A position-independent executable (PIE) is one compiled so that it can
be copied to any memory location and executed without modification or
relinking.  The point of doing so is to enable kernel-level tools like
PaX and Exec Shield to randomise application address spaces in RAM
(executable base address, position of libs, heap, stack), so that
attacks have a difficult time exploiting any vulnerabilities that may
exist.

PaX is a non-mainline patch for that function and several other things.

Exec Shield is another non-mainline patch (from Red Hat) that randomises
address space plus adding a different set of security enhancements.


[1] To get some idea of why Evince needs help, compare its and xpdf's
dependencies in my page about PDF readers,
http://linuxmafia.com/faq/Apps/pdf-readers.html .  (I exclude X11 core
libs and also libgcc and friends.)
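
An added example, not part of the message above: whether a given binary was built position-independent can be read from its ELF header, which is how a hardening audit tells the two cases apart. The function names classify_elf and make_elf are hypothetical, the sample images are constructed, and treating "ET_DYN plus a PT_INTERP segment" as PIE is a heuristic assumed here, not a rule from the message.

```python
import struct

ET_EXEC, ET_DYN = 2, 3   # e_type values from the ELF specification
PT_INTERP = 3            # program header that names the dynamic loader
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 little-endian file header

def classify_elf(data: bytes) -> str:
    """Classify an ELF64 LE image by whether its load address can be randomised."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    fields = EHDR.unpack_from(data)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    if e_type == ET_EXEC:
        return "fixed-address"      # linked for one base address, not PIE
    if e_type != ET_DYN:
        return "other"              # relocatable object, core file, ...
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack_from("<I", data, off)
        if p_type == PT_INTERP:
            return "pie"            # relocatable and asks for a loader
    return "shared-object"          # relocatable, no loader: a plain library

def make_elf(e_type: int, p_types: list) -> bytes:
    """Constructed sample input: an ELF64 header plus empty program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = EHDR.pack(ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(p_types), 0, 0, 0)
    return header + b"".join(struct.pack("<II48x", t, 0) for t in p_types)

if __name__ == "__main__":
    for name, image in [("ET_EXEC", make_elf(ET_EXEC, [1])),
                        ("ET_DYN + PT_INTERP", make_elf(ET_DYN, [6, 3, 1])),
                        ("ET_DYN only", make_elf(ET_DYN, [1, 2]))]:
        print(name, "->", classify_elf(image))
```

To audit a real binary, pass the bytes of the file to classify_elf; a "fixed-address" result means the executable base cannot be randomised, whatever the kernel supports.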




