[conspire] Autorun in GNOME/Nautilus

Nick Moffitt nick at zork.net
Wed Sep 28 02:59:40 PDT 2011


Rick Moen:
> AppArmor is per-application sandboxing, enforced by a kernel that
> includes the necessary LSM code.
> 
> It requires that a 'policy' file exist for any application that's to
> be corralled in this fashion:  The policy file describes various sorts
> of access that will be permitted or denied to particular pathspecs.

This is an important change from SELinux, which did the right thing from
a security perspective but entirely the wrong thing from a user
interface perspective.  SELinux prevented EVERYTHING, and you switched
on permissions as warranted.  Unfortunately the procedures for doing
this weren't widely understood, and admins regularly found themselves in
a situation where the only information they had was that globally
disabling SELinux allowed some program to do the work they needed. 

Bad scene.

AppArmor does a slightly wrong thing, from a security perspective, in
that it is default-allow in the set of applications it protects (though
the profiles themselves are typically written in a default-deny
fashion).  Your hand-compiled program in your home directory isn't
covered by it, nor is the proprietary vendor-supplied zipfile you opened
up into the /opt ghetto.  But applications that are known to be handling
risky data or performing sensitive tasks can be locked down to only
their accepted operational parameters.

This means that admins don't find themselves shutting off apparmor
just so apache can bind to a funny port.  It also means that distros can
build metre-thick concrete bunkers around programs like evince.

> [1] To get some idea of why Evince needs help, compare its and xpdf's
> dependencies in my page about PDF readers,
> http://linuxmafia.com/faq/Apps/pdf-readers.html .  (I exclude X11 core
> libs and also libgcc and friends.)

Have a look at Ubuntu's /etc/apparmor.d/usr.bin.evince profile sometime.
Kees Cook put a lot of effort into that one, and it's got almost no
wiggle room at all!  

-- 
"As I soared high into the tag cloud Xeni Jardin
carefully put up for me, I couldn't help but wonder how
high we were above the blogosphere." -- Carlos Laviola
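The point made above about AppArmor profiles being default-deny within
their scope (while binaries with no profile stay unconfined) is easiest to
see in a profile.  The following is an added example written for this
thread, not a profile from Ubuntu or from Kees Cook's evince work; the
binary /usr/local/bin/pdfview and its paths are hypothetical stand-ins for
a PDF reader.  Anything not listed inside the braces is denied once the
profile is loaded in enforce mode, and an explicit "deny" rule wins over an
"allow" that would otherwise match, which is how a broad read grant on the
home directory can still exclude ~/.ssh.

```apparmor
# Hypothetical profile for an imaginary PDF viewer installed from source.
# Added example for this discussion; not shipped by any distribution.
#include <tunables/global>

# A binary with no profile (for example this same file before this profile
# is loaded) runs unconfined: AppArmor only restricts what it has a profile
# for.  Start in complain mode to log, not block, then drop the flag:
#   /usr/local/bin/pdfview flags=(complain) {
/usr/local/bin/pdfview {
  # Shared allow-lists: libc, ld.so, locale data, font files.
  #include <abstractions/base>
  #include <abstractions/fonts>

  # The executable itself: map (m) and read (r).
  /usr/local/bin/pdfview mr,

  # Read-only access to its own data files (hypothetical path).
  /usr/share/pdfview/** r,

  # Read the user's own files so documents can be opened, but no write
  # anywhere under $HOME except a scratch cache.
  owner @{HOME}/** r,
  owner @{HOME}/.cache/pdfview/** rw,

  # Explicit deny overrides the broad read rule above: a malicious PDF
  # that gains code execution still cannot read SSH keys.
  deny @{HOME}/.ssh/** r,

  # No sockets at all; a document viewer has no business on the network.
  deny network,

  # Everything not mentioned (other binaries, /etc, /proc, device nodes,
  # write access to the rest of the filesystem) is denied by omission.
}
```

Load it with "apparmor_parser -r /etc/apparmor.d/usr.local.bin.pdfview" and
confirm the status with "aa-status", which lists which profiles are in
enforce versus complain mode and which running processes are confined by
them.  "aa-unconfined" (from apparmor-utils) is the quick way to find the
other half of the default-allow problem described above: processes that
have open network sockets but no profile at all.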
