On 2/10/20 7:23 AM, mailinglis...@posteo.de wrote:
hello,
i just discovered, some apps desire access to DMI data, precisely to
/sys/devices/virtual/dmi/id/
In the case of audio software i can understand it may need to know on
what hardware it runs.
but a web browser? why would a webbrowser need to know the bios version
or computer model name?
the one who really benefits from such information is a possble attacker,
thus for a web browser i would deny access to this data.
what do you think?
Generally speaking the web browser doesn't need access to it. You can deny
access to it and the web browser should function. However some features
may not work, like the chrome extension API that was already pointed out.
Profiles are always trying to balance usability against attack surface.
Unfortunately the web browser profile are really loose because web browsers
present apis to do all kinds of thing and the goal is to not break the
average user as that just results in apparmor being disabled.
You can tighten up the browser profiles a fair bit for local use with
little to no pain for most use cases.
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
