Re: [Tails-dev] AppArmor profiles in Debian

Delete this message

Reply to this message
Autor: Kees Cook
Data:  
Para: Robert Ransom
CC: apparmor, The Tails public development discussion list, debian-derivatives
Assunto: Re: [Tails-dev] AppArmor profiles in Debian
On Thu, Feb 16, 2012 at 09:52:47PM +0000, Robert Ransom wrote:
> On 2012-02-15, intrigeri <intrigeri@???> wrote:
>
> >>>  2. some software that is particularly important in the context of
> >>>     Tails [0]: I'm mainly thinking of Tor, but GnuPG and icedove also
> >>>     come to mind.

> >
> >> What did you have in mind for GPG? Protecting it from itself is a bit
> >> tricky. :)
> >
> > I don't intend to protect GnuPG from itself.
> > By design, GnuPG handles much untrusted data.
> > I would like to protect the rest of the system from GnuPG.
> > Does it make sense, or did I miss something obvious?
> > (I'm pretty new in this landscape, so it would not surprise me if I had.)
>
> During normal operation, GnuPG is intended to read the user's secret
> keyring and open and use network connections. In some cases, GPG is
> intended to do both in the same execution (e.g. decrypting a
> public-key-encrypted message, then verifying a signature containing a
> keyserver URL).
>
> The consequences of GPG being compromised are so severe that I don't
> see a benefit in trying to protect the surrounding system from a
> compromised GPG process.


That's traditionally been my view as well -- GPG is usually considered the
high-value target itself. I'm not opposed to having a gpg profile; I just
hadn't considered one before. :P

-Kees

-- 
Kees Cook                                            @debian.org