Re: [Tails-testers] [Tails-dev] [call for testing] AppArmor …

Delete this message

Reply to this message
Autore: intrigeri
Data:  
To: The Tails public development discussion list
CC: tails-testers
Oggetto: Re: [Tails-testers] [Tails-dev] [call for testing] AppArmor profiles
Jacob Appelbaum wrote (08 Oct 2014 12:19:57 GMT) :
> What are the parameters you'd like to be tested? That is - what would
> count as a bug? Do we have a security model of what should be readable
> by a given app? Or writable by a given app?


We don't have any such thing specified yet. The idea was to get *some*
minimal AppArmor support in and working first, so this call for
testing is more about whether I broke anything, than about checking
that the AppArmor profiles are actually efficient security-wise.

However, don't hesitate moving forward and trying to escape the
confinement profiles to access things we clearly don't want to allow,
e.g.:

* none of these applications should be allowed to access files in
~/.{gnupg,ssh}/
* especially, file access via alternate paths specific to Debian Live
systems, e.g.
/live/persistence/TailsData_unlocked/{gnupg,openssh-client}
... should be tested

:)

Cheers,
--
intrigeri