Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230
Apparmor Profiles
-
- Posts: 374
- Joined: 2008-02-01 16:21
Apparmor Profiles
I'm currently having a more and more in-depth look at AppArmor Profiles in Debian. It's something but certainly there's room for improvement. Anyone who has also written custom profiles and is willing to start work on an improved or new set of profiles ?
Embrace what you're not certain off,
keep an eye on what you're confident about.
keep an eye on what you're confident about.
Re: Apparmor Profiles
I'm interest in and I think that profiles should be improved as some profiles are really relaxed but my biggest problem is that most profiles should be overworked upstream and all Ubuntu references should be replaced with distribution agnostic names (abstractions/ubuntu-browsers-d/chromium-browser> => abstractions/distribution-browsers-d/chromium-browsers).
-
- Posts: 374
- Joined: 2008-02-01 16:21
Re: Apparmor Profiles
Thanks, we understand each other.
I'm currently tinkering but not yet studying on how to modularize this in a sane way. My aim is also to really protect the entire system, at least as far as AppArmor permits. After all it is said to be quite imperfect ( one ref of many = http://www.rsbac.org/pipermail/rsbac/20 ... 02186.html ) Implementing RSBAC seems a bit over my head for now
Currently i'm limiting my scope of thought to a rather generic split of "Internet Connecting Applications" and "Internet Visible Services" This kind of leaves open the use of attached or inserted media, shell access exploitation and many others. I'm also considering some form of automated profiling of packages being installed but this seems a dead end, for now.
I'm currently tinkering but not yet studying on how to modularize this in a sane way. My aim is also to really protect the entire system, at least as far as AppArmor permits. After all it is said to be quite imperfect ( one ref of many = http://www.rsbac.org/pipermail/rsbac/20 ... 02186.html ) Implementing RSBAC seems a bit over my head for now
Currently i'm limiting my scope of thought to a rather generic split of "Internet Connecting Applications" and "Internet Visible Services" This kind of leaves open the use of attached or inserted media, shell access exploitation and many others. I'm also considering some form of automated profiling of packages being installed but this seems a dead end, for now.
Embrace what you're not certain off,
keep an eye on what you're confident about.
keep an eye on what you're confident about.