layman term?
Are them really necessary for Desktop? And if so, is Arch distro which lacks official support for them considered as insecure?
In layman's terms, they are mitigating a lot of Chair-Keyboard interface issues, like inserting that USB drive you found on the parking lot and opening the pdf that was inside for example
So, they seems useless and just protect the system from high level of stupidity.
If you think you are not stupid and don't need them, you are precisely the kind of person that needs them
According to your example.
AppArmor lets you define permissions for each program and denies that program access to anything you haven't allowed it to do. I write my own AppArmor profiles so that I can run some required proprietary software without having to worry about it doing weird things to my OS. Thanks to AppArmor it can only do what I let it do. It can write to ~/Downloads, but not to ~/Documents. It can't read info about my hardware. Even if I were careless enough to start it as root, it still wouldn't have any root privileges except the ones I defined in the profile.
Have you ever run a command that pipes curl to bash or an installer that depends on such a command?
The first one is a no, the second one could be a popular, well-known AUR.
That is really important Allowing any program to read your ssh and gpg keys, documents, photos, etc is terrible
They protect you from programs that do more than they need to. They also allow you to follow the principle of least privilege. Say you run tcpdump. It need to be root. But it doesn't need all the power that root has. With AppArmor you can run it as root, but it will only have a few special permission, not the full set of root capabilities.
Is writing its profiles difficult? Would you please share a sample?
See my profile for skypeforlinux at https://gitlab.com/alexconst.sh/apparmor-profiles/-/blob/dev/usr.bin.skypeforlinux for example.
If you're on Debian or Ubuntu, install the apparmor-profiles package and look around in /etc/apparmor.d
This is pretty good, allow me to steal that 😉
Sure, it's GPLv2 / GPLv3 :)
I'm on fedora 34 right now, was wondering about switch to an arch-based distro [endeavourOS exactly], and concerned about keeping it as secure as fedora.
Make sure to read comments at the top of the file. Also see the end of README.md, there's a suggestion to further mitigate Xorg vulnerabilities.
Oh, Fedora must be using SELinux.
Yeah, pretty complicated.
btw I mainly restrict filesystem access. AppArmor can do much more. You can restrict mounting filesystems to specific mount points or fs types. You can restrict dbus access. Or make the program use TCP only. Or deny network access entirely. It's very flexible.
I expect you say so:)
Why not Ubuntu?
Why not Windows... Oh wait
*breathes in heavily*
Imagine going to south africa to sell your soul to Amazon
Обсуждают сегодня