Re: [apparmor] Rule to allow chmod-operations (or reduce dmesg suppression)

2021-03-30 Thread Jonas Große Sundrup
On 2021-03-30, Christian Boltz wrote:
> However, you carefully avoided the correct path ;-) - you'll need
> /var/cache/fontconfig/ w,
FML, that slipped my mind. Thanks for the pointer! In case anyone's interested what happened: Apparently, the first Electron-App to start after something

Re: [apparmor] Apparmor on Embedded devices.

2021-03-30 Thread John Johansen
On 3/30/21 11:11 AM, Murali Selvaraj wrote:
> Hi All,
>
> We are planning to use "Apparmor profiles" as part of Security reasons.
> -> Assume, we have finalized a profile for a certain process after
> experiment in our setup/QA validation.
> -> Next day, there is a possibility of any code merging

Re: [apparmor] Apparmor on Embedded devices.

2021-03-30 Thread Seth Arnold
On Tue, Mar 30, 2021 at 11:41:25PM +0530, Murali Selvaraj wrote:
> -> As we know that code has been merged/updated continuously (day to
> day) on the particular process, Do we have any mechanism to ensure how
> the Apparmor profile aligns with the latest process/image?
Be sure your continuous

Re: [apparmor] Rule to allow chmod-operations (or reduce dmesg suppression)

2021-03-30 Thread Christian Boltz
Hello,
On Tuesday, 30 March 2021, 22:28:00 CEST, Jonas Große Sundrup wrote:
> type=1400 audit(1617134745.962:4981): apparmor="DENIED"
> operation="chmod" profile="/usr/lib/signal-desktop/signal-desktop"
> name="/var/cache/fontconfig/" pid=246265 comm="signal-desktop"
> requested_mask="w"

Re: [apparmor] Reg.Apparmor vs Hardening

2021-03-30 Thread John Johansen
On 3/30/21 10:54 AM, Murali Selvaraj wrote:
> Hi All,
>
> As per my understanding with the help of Apparmor profile we are
> restricting the access to the process in terms of
> its resources/namespaces.
>
> It looks similar to hardening where we are restricting the resources to
> process.
>

[apparmor] Rule to allow chmod-operations (or reduce dmesg suppression)

2021-03-30 Thread Jonas Große Sundrup
Hi, my dmesg shows me the following output:
type=1400 audit(1617134745.962:4981): apparmor="DENIED" operation="chmod" profile="/usr/lib/signal-desktop/signal-desktop" name="/var/cache/fontconfig/" pid=246265 comm="signal-desktop" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
What would

[apparmor] Apparmor on Embedded devices.

2021-03-30 Thread Murali Selvaraj
Hi All, We are planning to use "Apparmor profiles" as part of Security reasons.
-> Assume, we have finalized a profile for a certain process after experiment in our setup/QA validation.
-> Next day, there is a possibility of any code merging where this entry won't be available in the existing (2)

[apparmor] Reg.Apparmor vs Hardening

2021-03-30 Thread Murali Selvaraj
Hi All, As per my understanding with the help of Apparmor profile we are restricting the access to the process in terms of its resources/namespaces. It looks similar to hardening where we are restricting the resources to process. Does it mean, technically Hardening and Apparmor profiles look