On Mon, Mar 16, 2009 at 3:13 PM, Null Ack <null...@gmail.com> wrote:
> * Having AppArmor actually protecting the desktop build rather than
> what seems as currently a false illusion of coverage with just CUPS
> being protected

The big problem with GUI apps is that Xorg was not really designed to be secure, so apps can take control of other apps via X's ability to send/trap other applications' keypresses etc. There is an "untrusted" mode but it tends to break most existing applications.

Also IMHO, Plash is better suited to GUI apps than AppArmor. It can be hard to develop a good AppArmor profile for desktop apps, e.g. I may choose to open /etc/passwd with OpenOffice. Since I may choose to open any file with virtually any application, AppArmor would be of little use if we do not make questionable assumptions about what files the user will want to open. Plash is better suited to desktop apps, as it replaces the GTK file open dialog with a trusted dialog that passes in the right to open the files the user selects (and only the files the user selects).

> * Enabling UFW by default or some other firewall by default

I am not sure if this would help much until we protect desktop applications from each other (above). Ubuntu already has no open ports. A firewall could theoretically prevent non-authorized software from accessing the network; however, I understand there are currently a number of ways for non-authorized software to hijack authorized software. E.g. you would have to allow a bittorrent client to act as both a client and a server, and it would be hard for a firewall to tell whether bittorrent was run with a weird LD_LIBRARY_PATH that caused bittorrent to serve the malware.

> In my view the users want to feel secure in knowing that should a zero
> day exploit be identified, that AppArmor or SELinux or foo or whatever
> will trap the damage the exploited service can take beyond the
> standard user is not root UNIX setup.

Unfortunately, at this point the feeling of security would be likely to be false, as there are currently ways for malware writers to bypass the additional security that these could potentially bring to GUI apps.

The good news is that AFAICT all we need is for Xorg to support a more compatible "untrusted"-like mode so that we could use Plash to give GTK apps real uncircumventable security, and non-GTK apps could easily be adapted to use the GTK file chooser.

http://plash.beasts.org/

(Optimizing Plash to the same extent as AppArmor wouldn't hurt either)

--
John C. McCabe-Dansted
PhD Student
University of Western Australia

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
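The "trusted dialog that passes in the right to open the files the user selects" idea from the mail above, as an added example that is not part of the thread and is not Plash's own code or protocol. It sketches the powerbox pattern in plain Python: the untrusted app never names a path; a trusted broker runs the chooser, opens the file the user picked and hands the open descriptor across a Unix socket with SCM_RIGHTS, and any request that tries to name a path by itself is refused. The JSON request/reply format, the simulated chooser and the sample files are assumptions made for the demo.

```python
"""Powerbox sketch: capability (open fd) passing instead of path-based access.

Added illustration, not Plash's code or wire protocol. The message format,
the simulated chooser and the temp files below are assumptions for the demo.
"""
import array
import json
import os
import socket
import tempfile
import threading


def _send(sock, obj, fd=None):
    """Send a JSON message, optionally attaching one open file descriptor."""
    anc = []
    if fd is not None:
        anc = [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))]
    sock.sendmsg([json.dumps(obj).encode()], anc)


def _recv(sock):
    """Receive one JSON message and the single descriptor attached to it, if any."""
    fdsize = array.array("i").itemsize
    data, ancdata, _flags, _addr = sock.recvmsg(4096, socket.CMSG_LEN(fdsize))
    fd = None
    for level, typ, payload in ancdata:
        if level == socket.SOL_SOCKET and typ == socket.SCM_RIGHTS:
            fds = array.array("i")
            fds.frombytes(payload[: len(payload) - len(payload) % fdsize])
            fd = fds[0]
    return json.loads(data.decode()), fd


def broker_serve_once(sock, chooser):
    """Trusted side. The only operation is 'run the chooser and hand over a
    read-only descriptor for what the user picked'. A request that names a
    path is refused: the sandboxed app has no authority over paths at all."""
    req, _ = _recv(sock)
    if req.get("op") != "choose_file":
        _send(sock, {"ok": False, "error": "no such operation: %s" % req.get("op")})
        return
    path = chooser()  # in a real powerbox this is the GUI file dialog
    fd = os.open(path, os.O_RDONLY)
    try:
        _send(sock, {"ok": True, "name": os.path.basename(path)}, fd)
    finally:
        os.close(fd)  # our copy only; the kernel duplicated it for the peer


def app_request(sock, req):
    """Untrusted side: send a request, return (reply, bytes read via the fd)."""
    _send(sock, req)
    reply, fd = _recv(sock)
    content = None
    if fd is not None:
        with os.fdopen(fd, "rb") as f:  # read through the granted capability
            content = f.read()
    return reply, content


def run_demo():
    """Run both sides over a socketpair; return what the app ends up holding."""
    tmp = tempfile.mkdtemp()
    chosen = os.path.join(tmp, "report.odt")   # constructed sample file
    secret = os.path.join(tmp, "passwd")       # constructed stand-in for /etc/passwd
    with open(chosen, "wb") as f:
        f.write(b"user's document")
    with open(secret, "wb") as f:
        f.write(b"root:x:0:0::/root:/bin/sh\n")

    app_sock, broker_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)

    def exchange(req):
        # Simulated user: whatever the dialog is asked, they pick report.odt.
        t = threading.Thread(target=broker_serve_once, args=(broker_sock, lambda: chosen))
        t.start()
        out = app_request(app_sock, req)
        t.join()
        return out

    results = {}
    reply, data = exchange({"op": "choose_file"})        # legitimate flow
    results["chosen_name"] = reply["name"]
    results["chosen_data"] = data
    reply, data = exchange({"op": "open_path", "path": secret})  # app names a path
    results["path_refused"] = not reply["ok"]
    results["path_data"] = data
    app_sock.close()
    broker_sock.close()
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the design is that the app side has no ambient authority: it cannot ask for /etc/passwd by name, and the only descriptor it ever holds is the one the trusted side chose to hand over. In a real deployment the app would also be confined (no filesystem namespace of its own), which this single-process sketch does not do.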