John Johansen:
> On 01/25/2018 12:46 PM, Simon McVittie wrote:
>> On Thu, 25 Jan 2018 at 11:29:26 -0800, John Johansen wrote:
>>> On 01/25/2018 10:15 AM, Vincas Dargis wrote:
>>>> Even if environment scrubbing would work, should it still allow execute
>>>> xdg-open _anything_ (like that example) directly?
>>>
>>> it would depend on how you structure your policy, you certainly don't have
>>> to allow it
>>
>> I can't help thinking that, when D-Bus mediation goes upstream, launching
>> URLs/files via D-Bus activation (rather than by executing xdg-open and
>> having it execute some other program) goes a long way towards fixing this.
+1

> yes that will help, but unfortunately that won't likely land until 4.17
> with the way things have gone late (I was targeting 4.15 but the
> revert has delayed us a bit more than cycle).

Frankly, as much as I would love to eventually be able to use this in policy on Debian & Tails, I'm not worried about a 4 months delay on this front. Not only have we already been waiting for it for so long that a few months more doesn't make a big difference, but it's only one piece of the bigger picture: quite some work is needed elsewhere to fully take advantage of this new kernel mediation feature.

One could push forward the corresponding changes needed in the surrounding applications & platform ecosystem without waiting for fine-grained D-Bus mediation to land in Linux mainline: at first glance, that means picking a few first candidate user stories we want to confine better (e.g. opening URLs from Evince or opening an attachment from Thunderbird), deciding how ideally we would like them to ask $more_privileged_program to do $stuff, and making it happen.

FYI I'm not going to work on this personally during the current Debian development cycle, but one of my goals for the next one (Bullseye) will probably be to help fix the desktop app confinement story we offer on the Debian desktop. It's not clear to me yet how much it will involve AppArmor, but regardless of the exact sandboxing technology that's used to confine the app, in any case we need to teach the apps (or some underlying toolkit) to send IPC requests instead of executing programs themselves.

Cheers,
--
intrigeri

--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
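John's point that policy need not allow exec of xdg-open, and Simon's alternative of opening URLs via D-Bus, as an added AppArmor profile fragment that is not from the thread. It assumes the confined viewer is /usr/bin/evince and that it opens URLs through the xdg-desktop-portal OpenURI interface (both assumptions; the thread names no specific service), and it needs a kernel with AppArmor D-Bus mediation.

```apparmor
# Added example, not from the thread. Profile for a hypothetical confined
# document viewer; the evince path and the portal interface are assumptions.
#include <tunables/global>

/usr/bin/evince {
  #include <abstractions/base>
  #include <abstractions/dbus-session-strict>

  # Weak pattern discussed above: inheriting the profile (ix) lets xdg-open
  # run with the viewer's environment and then exec whatever handler it picks,
  # all under this same profile. Left commented out only for contrast.
  # /usr/bin/xdg-open ix,

  # Better, but the viewer can still exec xdg-open, which execs a handler:
  # Px scrubs the environment and requires xdg-open to have its own profile.
  # /usr/bin/xdg-open Px,

  # Preferred: do not let the viewer exec anything to open a URL at all.
  # audit makes attempts visible in the kernel log while testing the policy.
  audit deny /usr/bin/xdg-open x,

  # Instead, let it ask a more privileged D-Bus service to open the URL.
  # Only the OpenURI method on the portal is allowed, nothing else on that peer.
  dbus send
       bus=session
       path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.portal.OpenURI
       member=OpenURI
       peer=(name=org.freedesktop.portal.Desktop),
}
```

With this in enforce mode, an `xdg-open` exec attempt from the viewer shows up as an `apparmor="DENIED" operation="exec"` audit line, which is the signal that the application still needs to be taught to use the IPC path.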
