Author: intrigeri Date: To: The Tails public development discussion list CC: tails-testers Subject: Re: [Tails-testers] [Tails-dev] [call for testing] AppArmor profiles
Jacob Appelbaum wrote (08 Oct 2014 12:19:57 GMT) : > What are the parameters you'd like to be tested? That is - what would
> count as a bug? Do we have a security model of what should be readable
> by a given app? Or writable by a given app?
We don't have any such thing specified yet. The idea was to get *some*
minimal AppArmor support in and working first, so this call for
testing is more about whether I broke anything, than about checking
that the AppArmor profiles are actually efficient security-wise.
However, don't hesitate moving forward and trying to escape the
confinement profiles to access things we clearly don't want to allow,
e.g.:
* none of these applications should be allowed to access files in
~/.{gnupg,ssh}/
* especially, file access via alternate paths specific to Debian Live
systems, e.g.
/live/persistence/TailsData_unlocked/{gnupg,openssh-client}
... should be tested