What vulnerabilities and/or threats can SELinux and AppArmor mitigate in layman's terms?
Are they really necessary for desktop? And if so, is the Arch distro, which lacks official support for them, considered insecure?

29 replies

26 views

In layman's terms, they are mitigating a lot of Chair-Keyboard interface issues, like inserting that USB drive you found in the parking lot and opening the PDF that was inside, for example.

Kiavash-Yk (question author)
Ludovic 'Archivist' Lagouardette
In layman's terms, they are mitigating a lot of Ch...

So, they seem useless and just protect the system from a high level of stupidity.

Kiavash Yk
So, they seem useless and just protect the system...

If you think you are not stupid and don't need them, you are precisely the kind of person that needs them

AppArmor lets you define permissions for each program and denies that program access to anything you haven't allowed it to do. I write my own AppArmor profiles so that I can run some required proprietary software without having to worry about it doing weird things to my OS. Thanks to AppArmor it can only do what I let it do. It can write to ~/Downloads, but not to ~/Documents. It can't read info about my hardware. Even if I were careless enough to start it as root, it still wouldn't have any root privileges except the ones I defined in the profile.

Kiavash Yk
According to your example.

Have you ever run a command that pipes curl to bash or an installer that depends on such a command?

Kiavash-Yk (question author)
Ludovic 'Archivist' Lagouardette
Have you ever run a command that pipes curl to bas...

The first one is a no, the second one could be a popular, well-known AUR.

Ender
AppArmor lets you define permissions for each prog...

That is really important. Allowing any program to read your SSH and GPG keys, documents, photos, etc. is terrible.

Kiavash Yk
So, they seem useless and just protect the system...

They protect you from programs that do more than they need to. They also allow you to follow the principle of least privilege. Say you run tcpdump. It needs to be root. But it doesn't need all the power that root has. With AppArmor you can run it as root, but it will only have a few special permissions, not the full set of root capabilities.

Kiavash-Yk (question author)
Ender
AppArmor lets you define permissions for each prog...

Is writing its profiles difficult? Would you please share a sample?

Kiavash Yk
Is writing its profiles difficult? Would you pleas...

See my profile for skypeforlinux at https://gitlab.com/alexconst.sh/apparmor-profiles/-/blob/dev/usr.bin.skypeforlinux for example.

Kiavash Yk
Is writing its profiles difficult? Would you pleas...

If you're on Debian or Ubuntu, install the apparmor-profiles package and look around in /etc/apparmor.d

Kiavash-Yk (question author)
Ender
If you're on Debian or Ubuntu, install the apparmo...

I'm on Fedora 34 right now, was wondering about switching to an Arch-based distro [EndeavourOS exactly], and am concerned about keeping it as secure as Fedora.

Ludovic 'Archivist' Lagouardette
This is pretty good, allow me to steal that 😉

Make sure to read comments at the top of the file. Also see the end of README.md, there's a suggestion to further mitigate Xorg vulnerabilities.

Kiavash-Yk (question author)
Kiavash Yk
Thank you

btw I mainly restrict filesystem access. AppArmor can do much more. You can restrict mounting filesystems to specific mount points or fs types. You can restrict dbus access. Or make the program use TCP only. Or deny network access entirely. It's very flexible.

Kiavash-Yk (question author)
Martin Rys
Why not Arch?

I expect you say so:)

Mihai
Why not Ubuntu?

Why not Windows... Oh wait

Mihai
Why not Ubuntu?

*breathes in heavily*

Martin Rys
*breathes in heavily*

Imagine going to South Africa to sell your soul to Amazon
