On 5/18/2016 10:27 AM, Darac Marjal wrote:
On Wed, May 18, 2016 at 09:23:34AM -0500, Richard Owlett wrote:
https://packages.debian.org/jessie/apparmor is uninformative.

It says:
"This provides the system initialization scripts needed to use
the AppArmor Mandatory Access Control system, including the
AppArmor Parser which is required to convert AppArmor text
profiles into machine-readable policies that are loaded into
the kernel for use with the AppArmor Linux Security Module."

There is a link to http://wiki.apparmor.net/index.php/Main_Page
which gives no hints!

My application question.
1. If BrowserA and BrowserB are installed, can AppArmor prevent
BrowserB from
  connecting to the internet independent of user permissions?
2. Can AppArmor default to preventing *ALL* but specific
applications from
  connecting to the internet independent of user permissions?

 From that wiki page: "AppArmor security policies completely
define what system resources individual applications can access,
and with what privileges."

That statement reminds me of one of George Orwell's characters saying "It means whatever I want it to mean."



"Network access" is, although not explicitly stated on that page,
a system resource. So yes, you can prevent, say, an application
called "firefox" from accessing the network entirely. Looking
deeper, I see
http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Network_rules
which defines the network rules of AppArmor. It appears that you
should be able to constrain said application to only connect to
certain addresses.

The very first line of the page said "Don't trust me." [paraphrased ;] I was looking for descriptive information aimed at a general audience. I was looking for guidance on "suitability for intended use". A "No" to my narrowly stated question would have eliminated AppArmor. To actually want to use it is a wider question. I was hoping for a response from an actual user.


Just a warning that you need to think carefully about the rules
you implement. Can a user get around your rules by renaming
"firefox" to "iceweasel"? If, instead, you put blanket rules in
place check that you aren't blocking other networking functions
(like X talking over the local network, for example). AppArmor
does, however, have a "complain" mode where, rather than
enforcing rules it will log violations to syslog. You can use
this to guide your profile creation.

After initially reading your post I found something that hinted that "blacklist all except explicit exceptions" would be possible. More reading required.

Thank you for your time.



Reply via email to