Re: [Tails-dev] AppArmor profiles in Debian

Author: intrigeri
Date:  
To: The Tails public development discussion list
CC: Kees Cook, apparmor
Subject: Re: [Tails-dev] AppArmor profiles in Debian
Hi,

Kees Cook wrote (16 Feb 2012 23:50:38 GMT) :
> On Thu, Feb 16, 2012 at 09:52:47PM +0000, Robert Ransom wrote:
>> On 2012-02-15, intrigeri <intrigeri@???> wrote:
>> > I don't intend to protect GnuPG from itself.
>> > By design, GnuPG handles much untrusted data.
>> > I would like to protect the rest of the system from GnuPG.
>> > Does it make sense, or did I miss something obvious?
>> > (I'm pretty new in this landscape, so it would not surprise me if I had.)
>>
>> During normal operation, GnuPG is intended to read the user's secret
>> keyring and open and use network connections. In some cases, GPG is
>> intended to do both in the same execution (e.g. decrypting a
>> public-key-encrypted message, then verifying a signature containing a
>> keyserver URL).
>>
>> The consequences of GPG being compromised are so severe that I don't
>> see a benefit in trying to protect the surrounding system from a
>> compromised GPG process.


> That's traditionally been my view as well -- GPG is usually considered the
> high-value target itself. I'm not opposed to having a gpg profile; I just
> hadn't considered one before. :P


Thanks, Robert and Kees, for answering.

I agree a GnuPG profile would not be very useful in the set of
use cases both of you seem to primarily have in mind, that is "I use
GnuPG for asymmetric encryption" and/or "I sign stuff with my private
key".

But these are not the only GnuPG use cases; I have in mind another kind
of use case, that is:

   "I don't use asymmetric encryption and I have no private keyring;
    hence, my high-value target is elsewhere; however, I use GnuPG to
    validate signatures on big piles of untrusted data, e.g. Tails ISO
    images or Release.gpg files from the nearest Debian/Ubuntu mirror
    (doesn't last one run as root, by the way?)."


In a setup like this, I see *some* benefit in trying to protect the
surrounding system from a compromised GnuPG process. Makes sense?

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
| We're dreaming of something else.
| Something more clandestine, something happier.
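The verify-only setup intrigeri describes, expressed as a hypothetical AppArmor profile. This is an added example, not a profile from the thread, Tails or Debian; the binary path, the GnuPG 1.4 file names under ~/.gnupg, the download directory and the install path are assumptions.

```apparmor
# Added example, not from this thread: a hypothetical AppArmor profile for a
# verify-only GnuPG setup (no secret keyring, no keyserver use), e.g.
#   gpg --verify Release.gpg Release
# Paths (the binary, the ~/.gnupg layout, the download directory) are
# assumptions about a Debian system of that era, not something the thread states.
#include <tunables/global>

/usr/bin/gpg {
  #include <abstractions/base>

  # The process must never reach the network: a verify-only run has no
  # business contacting keyservers, so a compromised gpg cannot phone out.
  deny network,

  # Public keyring, trust database and config are read-only; no write is
  # granted on them, so a compromised run cannot plant a key that the next
  # run would treat as trusted. (Assumed GnuPG 1.4 file names.)
  owner @{HOME}/.gnupg/ r,
  owner @{HOME}/.gnupg/gpg.conf r,
  owner @{HOME}/.gnupg/pubring.gpg r,
  owner @{HOME}/.gnupg/trustdb.gpg r,
  /etc/gnupg/gpg.conf r,

  # Explicitly deny the secret keyring even though this use case has none;
  # deny rules take precedence over allow rules, and this documents intent.
  deny @{HOME}/.gnupg/secring.gpg rw,

  # The untrusted input: ISO images, Release files and their detached
  # signatures, confined to one read-only directory (assumed location).
  owner @{HOME}/Downloads/** r,

  # Nothing else under the home directory is reachable (ssh keys, browser
  # profiles, other secrets) because no rule matches it, and no 'capability'
  # rules are granted: verify mode needs no privilege.

  /usr/share/locale/** r,
}
# Load with: apparmor_parser -r /etc/apparmor.d/usr.bin.gpg (assumed path).
# Put it in complain mode first (aa-complain /usr/bin/gpg) and review the
# audit log: lock files or trustdb writes that a particular gpg version still
# needs will show up there and can be added with aa-logprof.
```

The point of the profile is the pair of negative rules (no network, no secret keyring) together with the absence of any write grant: even a fully compromised gpg process is left with read access to the keyring and the downloaded file and nothing else.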