Re: [Tails-testers] [Tails-dev] [call for testing] AppArmor …

Author: Jacob Appelbaum
Date:  
To: The Tails public development discussion list
CC: tails-testers
Subject: Re: [Tails-testers] [Tails-dev] [call for testing] AppArmor profiles
On 10/8/14, intrigeri <intrigeri@???> wrote:
> Jacob Appelbaum wrote (08 Oct 2014 12:19:57 GMT) :
>> What are the parameters you'd like to be tested? That is - what would
>> count as a bug? Do we have a security model of what should be readable
>> by a given app? Or writable by a given app?
>
> We don't have any such thing specified yet. The idea was to get *some*
> minimal AppArmor support in and working first, so this call for
> testing is more about whether I broke anything, than about checking
> that the AppArmor profiles are actually efficient security-wise.
>


Understood.

> However, don't hesitate moving forward and trying to escape the
> confinement profiles to access things we clearly don't want to allow,
> e.g.:
>
>  * none of these applications should be allowed to access files in
>    ~/.{gnupg,ssh}/


That seems wise - It may make sense to simply say that Pidgin can only
open .purple, a network link and so on. The "and so on" part is
difficult - how do we deal with sharing files? Do we only allow files
from ~/Persistent/Documents/ or from somewhere else?

File path based access restrictions are... well, I don't feel great
about AppArmor for this kind of stuff. I think it will still improve on
the status quo though. What happens when there is a hard link?

>  * especially, file access via alternate paths specific to Debian Live
>    systems, e.g.
>    /live/persistence/TailsData_unlocked/{gnupg,openssh-client}
>    ... should be tested
>

Ok. I'll give it a spin.

All the best,
Jacob
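
The hard-link and alternate-path question raised in this message, as an added example (not part of the original message and not Tails code): a path rule covers a name, so this audit lists every other name under a search root that refers to the same file (same device and inode) as something in a protected directory. The function names `regular_files`, `find_aliases` and `demo`, and the sample tree, are constructed for illustration.

```python
import os
import stat
import tempfile


def regular_files(top):
    """Yield (absolute path, (device, inode)) for each regular file under top."""
    for root, _dirs, names in os.walk(os.path.abspath(top)):
        for name in names:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: symlinks are not followed
            if stat.S_ISREG(st.st_mode):
                yield path, (st.st_dev, st.st_ino)


def find_aliases(protected_dirs, search_root):
    """Map each protected file to its other names outside protected_dirs."""
    protected = {}
    for d in protected_dirs:
        for path, key in regular_files(d):
            protected[key] = path
    prefixes = tuple(os.path.join(os.path.abspath(d), "") for d in protected_dirs)
    aliases = {}
    for path, key in regular_files(search_root):
        if key in protected and not path.startswith(prefixes):
            aliases.setdefault(protected[key], []).append(path)
    return aliases


def demo():
    """Constructed tree: a key file, a hard link to it, an unrelated file."""
    base = tempfile.mkdtemp()
    gnupg = os.path.join(base, "home", ".gnupg")
    shared = os.path.join(base, "home", "Persistent")
    os.makedirs(gnupg)
    os.makedirs(shared)
    secret = os.path.join(gnupg, "secring.gpg")
    link = os.path.join(shared, "innocuous.bin")
    for path in (secret, os.path.join(shared, "notes.txt")):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    os.link(secret, link)  # second name for the same inode
    return secret, link, find_aliases([gnupg], base)


if __name__ == "__main__":
    secret, link, found = demo()
    for target, names in found.items():
        print(target, "is also reachable as", names)
```

Any name it reports is a path that a deny rule written only for the protected directory would not match, so it needs its own rule or should not exist.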