On 11/12/2016 at 01:16, Tommaso Cucinotta wrote:
Hi,

please, find attached a rework of the AppArmor patch to harden/confine
possible side effects of converters via an AppArmor profile on Linux.

The major challenge here is to ship with a meaningful AA profile -- I'd
be happy to hear feedback about this very point, namely what do we need
to deny-vs-grant access to, while executing external converters. Due to
the fact that converters tend to handle their own temporary and
preference files et al., I'd be for permissive settings, where we deny
more and more things as we get awareness of potentially sensitive files.

Hi Tommaso,

Thank you for investigating this approach. I have seen that according to
<http://wiki.apparmor.net/index.php/FAQ#Is_AppArmor_policy_Default_Deny_.28White_listing.29>,
AppArmor profiles are meant to be based on white lists instead of
black lists. But I agree with you that writing a white list is going to
be complicated, if only because converters are user-configurable and
AppArmor profiles less user-friendly. This suggests the question, should
the converters themselves not each have an AppArmor profile instead?

Guillaume
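
The two policy styles weighed in this thread, plus the per-converter option raised in the reply, sketched as an added example; it is not part of either message or of the attached patch. All profile names, the converter binary and every path below are assumptions chosen for illustration.

```apparmor
# Constructed illustration: profile names and paths are hypothetical.
#include <tunables/global>

# Style 1: permissive profile with a growing deny list.
# Anything not explicitly denied stays reachable by the converter.
profile converter-denylist {
  #include <abstractions/base>

  # Grant all file access by default ...
  file,

  # ... then carve out locations identified as sensitive (assumed examples).
  deny @{HOME}/.ssh/** rwklx,
  deny @{HOME}/.gnupg/** rwklx,
}

# Style 2: allow list (AppArmor's default-deny model).
# Only the listed paths are reachable; everything else is refused and logged.
profile converter-allowlist {
  #include <abstractions/base>

  # Hypothetical converter binary, run under this same profile.
  /usr/bin/example-converter rix,

  # Hypothetical per-run temporary directory for the conversion.
  owner /tmp/example_tmpdir.*/** rw,
}

# Per-converter variant: the caller's profile only permits the exec, and
# the converter runs under a separate profile attached to its own binary
# (Px = transition to that profile with a scrubbed environment).
profile converter-caller {
  #include <abstractions/base>

  /usr/bin/example-converter Px,
}
```

The bare `file,` rule in the first profile covers file access only; network and capability rules are separate and remain unconfined or denied according to the rest of the profile.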

