Похожие чаты

What vulnerabilities and/or threats can SELinux and AppArmor mitigate in

layman term?
Are them really necessary for Desktop? And if so, is Arch distro which lacks official support for them considered as insecure?

29 ответов

25 просмотров

In layman's terms, they are mitigating a lot of Chair-Keyboard interface issues, like inserting that USB drive you found on the parking lot and opening the pdf that was inside for example

Kiavash-Yk Автор вопроса
Ludovic 'Archivist' Lagouardette
In layman's terms, they are mitigating a lot of Ch...

So, they seems useless and just protect the system from high level of stupidity.

Kiavash Yk
So, they seems useless and just protect the system...

If you think you are not stupid and don't need them, you are precisely the kind of person that needs them

AppArmor lets you define permissions for each program and denies that program access to anything you haven't allowed it to do. I write my own AppArmor profiles so that I can run some required proprietary software without having to worry about it doing weird things to my OS. Thanks to AppArmor it can only do what I let it do. It can write to ~/Downloads, but not to ~/Documents. It can't read info about my hardware. Even if I were careless enough to start it as root, it still wouldn't have any root privileges except the ones I defined in the profile.

Kiavash Yk
According to your example.

Have you ever run a command that pipes curl to bash or an installer that depends on such a command?

Kiavash-Yk Автор вопроса
Ludovic 'Archivist' Lagouardette
Have you ever run a command that pipes curl to bas...

The first one is a no, the second one could be a popular, well-known AUR.

Ender
AppArmor lets you define permissions for each prog...

That is really important Allowing any program to read your ssh and gpg keys, documents, photos, etc is terrible

Kiavash Yk
So, they seems useless and just protect the system...

They protect you from programs that do more than they need to. They also allow you to follow the principle of least privilege. Say you run tcpdump. It need to be root. But it doesn't need all the power that root has. With AppArmor you can run it as root, but it will only have a few special permission, not the full set of root capabilities.

Kiavash-Yk Автор вопроса
Ender
AppArmor lets you define permissions for each prog...

Is writing its profiles difficult? Would you please share a sample?

Kiavash Yk
Is writing its profiles difficult? Would you pleas...

See my profile for skypeforlinux at https://gitlab.com/alexconst.sh/apparmor-profiles/-/blob/dev/usr.bin.skypeforlinux for example.

Kiavash Yk
Is writing its profiles difficult? Would you pleas...

If you're on Debian or Ubuntu, install the apparmor-profiles package and look around in /etc/apparmor.d

Kiavash-Yk Автор вопроса
Ender
If you're on Debian or Ubuntu, install the apparmo...

I'm on fedora 34 right now, was wondering about switch to an arch-based distro [endeavourOS exactly], and concerned about keeping it as secure as fedora.

Ludovic 'Archivist' Lagouardette
This is pretty good, allow me to steal that 😉

Make sure to read comments at the top of the file. Also see the end of README.md, there's a suggestion to further mitigate Xorg vulnerabilities.

Kiavash-Yk Автор вопроса
Kiavash Yk
Thank you

btw I mainly restrict filesystem access. AppArmor can do much more. You can restrict mounting filesystems to specific mount points or fs types. You can restrict dbus access. Or make the program use TCP only. Or deny network access entirely. It's very flexible.

Kiavash-Yk Автор вопроса
Martin Rys
Why not Arch?

I expect you say so:)

Mihai
Why not Ubuntu?

Why not Windows... Oh wait

Mihai
Why not Ubuntu?

*breathes in heavily*

Martin Rys
*breathes in heavily*

Imagine going to south africa to sell your soul to Amazon

Похожие вопросы

Обсуждают сегодня

Ready for some fun AND a chance to win TKO Tokens? Join us for exciting minigames in our Telegram group! 🕒 Don’t miss out—games start on today 25 October 2024, at 8 PM! Ge...
Milkyway | Tokocrypto
255
Добрый вечер. Есть вопрос, а может и предложение. Был у меня диалог в другой группе о делфи и я задался вопросом: "А нельзя ли в делфи цвет //коментария и {комментария} сде...
Kraszx
24
How about the project bro Likes the community not that active ?
🅿️abby_FX
19
Всем привет! Подскажи, пожалуйста, как передать в TComboBox сразу значение и id записи. На Delphi я делал так: ComboBox1.Items.AddObject('Какое-то значение', Pointer(id запис...
Евгений
13
Мдя, прикол, боевая сборка запускается (именно под отладчиком) после F9 примерно полторы минуты (97 секунд если быть точным). Начал копать - проблема детектится сразу - зависа...
Александр (Rouse_) Багель
38
How are we going bro about the Raids ??
🅿️abby_FX
13
Россия стала ввозить сливочное масло из ОАЭ. Просто ради любопытства взглянул на статистику и впечатлился. У арабов среднестатистическая корова дает около 42 литров молока в д...
Foxcool
2
Здравствуйте, вопрос по структурам данных. Были у вас случаи, когда пришлось писать деревья или двунаправленные списки?
/ /
50
Товарищи, кто работа с iphelper? Или может я в самой логике ошибки фигачу, не пойму.... var ifTable : PMIB_IFTABLE; size, corSize: DWORD; Buffer ...
Warfarellen
4
я так понимаю, я так подозреваю, что создание такого плагина для человека, кто умеет писать плагины для делфи потребует минут 5-10 времени. но это мое подозрение. хотелось бы ...
Kraszx
7
Карта сайта