Thanks for getting this started. I have had some interest in finding out
the time and effort it would take to confine some services. The ping
example should help me get started.

Thanks again.


On Sat, May 11, 2013 at 1:10 AM, <phree...@yandex.ru> wrote:

> Fresh AppArmor is available for further development.
>
> The end result should be fully automatic confinement configuration for all
> services configured using NixOS options without extraConfig and such, a
> feature which would be unique to NixOS.
>
> Currently, AppArmor ships with a single profile which confines ping. If you
> comment out a line or two of the profile, ping will fail and apparmor will
> complain to dmesg.
>
> What needs to be done:
>  * Fix systemd unit. Arch Linux ships apparmor as wantedBy = ["basic.target"],
> but it doesn't exist in NixOS
>  * Test and possibly fix profile loading/unloading on nixos-rebuild switch
>  * Check if any of the abstractions that AppArmor ships need NixOS-specific
> customization
>  * Create profiles for common SUID binaries, since they are often used in
> privilege escalation attacks.
>  * Create profiles for common proprietary nasties like Skype and Steam,
> because we can't trust them.
>  * Create a profile for Firefox with an option to have a dedicated
> upload/download dir. Bonus points for packaging a confined TorBrowser (a
> fork of Firefox)
>  * Create profiles for network-facing services, especially web servers
> since these often host webapps which tend to be full of holes.
>
> To enable AppArmor, add security.apparmor.enable = true to your config and
> use the linux_3_2_apparmor kernel (or build another version in a similar way).
>
> Have fun!
> _______________________________________________
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>



-- 
Patrick Wheeler
patrick.john.whee...@gmail.com
patrick.j.whee...@rice.edu
patrick.whee...@colorado.edu
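As an added example (not code from this thread or from the NixOS module), a NixOS configuration that enables AppArmor the way the quoted message describes and loads a ping profile modelled on the one it says ships with the module. The option security.apparmor.profiles, the pkgs.linuxPackages_3_2_apparmor attribute, the /var/setuid-wrappers/ping wrapper path and the iputils store-path glob are assumptions about a 2013-era system, not facts stated in the thread.

```nix
{ config, pkgs, ... }:

{
  # From the thread: turn on the AppArmor module and boot the patched kernel.
  security.apparmor.enable = true;
  # Assumption: linuxPackages_3_2_apparmor is the kernelPackages set built
  # around the linux_3_2_apparmor kernel mentioned in the thread.
  boot.kernelPackages = pkgs.linuxPackages_3_2_apparmor;

  # Assumption: security.apparmor.profiles takes a list of profile files to
  # load at boot. The profile below is a NixOS-flavoured version of the
  # upstream ping profile; the paths are assumptions for a 2013-era system.
  security.apparmor.profiles = [
    (pkgs.writeText "ping-apparmor-profile" ''
      #include <tunables/global>

      # Users run the SUID wrapper, which execs the real binary from the
      # store. Confine the wrapper and let the child inherit the profile (ix).
      /var/setuid-wrappers/ping {
        #include <abstractions/base>
        #include <abstractions/nameservice>

        # Raw sockets are all ping needs: no file writes, no other caps.
        capability net_raw,
        capability setuid,
        network inet raw,
        network inet6 raw,

        /var/setuid-wrappers/ping mr,
        /nix/store/*-iputils-*/bin/ping ix,
      }
    '')
  ];
}
```

Commenting out the two capability lines reproduces the failure the thread describes: ping stops working and the kernel logs an apparmor="DENIED" line visible in dmesg.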