On 10/8/14, intrigeri <intrigeri@???> wrote:
> Jacob Appelbaum wrote (08 Oct 2014 12:19:57 GMT) :
>> What are the parameters you'd like to be tested? That is - what would
>> count as a bug? Do we have a security model of what should be readable
>> by a given app? Or writable by a given app?
>
> We don't have any such thing specified yet. The idea was to get *some*
> minimal AppArmor support in and working first, so this call for
> testing is more about whether I broke anything, than about checking
> that the AppArmor profiles are actually efficient security-wise.
>
Understood.
> However, don't hesitate moving forward and trying to escape the
> confinement profiles to access things we clearly don't want to allow,
> e.g.:
>
> * none of these applications should be allowed to access files in
> ~/.{gnupg,ssh}/
That seems wise. It may make sense to simply say that Pidgin can only
open .purple, a network link and so on. The "and so on" part is
difficult - how do we deal with sharing files? Do we only allow files
from ~/Persistent/Documents/ or from somewhere else?
File path based access restrictions are... well, I don't feel great
about AppArmor for this kind of stuff. I think it will still improve on
the status quo though. What happens when there is a hard link?
> * especially, file access via alternate paths specific to Debian Live
> systems, e.g.
> /live/persistence/TailsData_unlocked/{gnupg,openssh-client}
> ... should be tested
>
Ok. I'll give it a spin.
All the best,
Jacob
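A sketch of the kind of Pidgin profile fragment the thread is talking about, added here as an illustration rather than taken from Tails' actual AppArmor profiles; the binary path, the allowed document directory and the exact persistence layout are assumptions based only on what is named above.

```apparmor
# Illustrative fragment only (not a Tails profile, not tested on Tails).
# Assumes persistence is mounted at /live/persistence/TailsData_unlocked,
# as mentioned in the thread, and that shared files live in ~/Persistent/Documents.
#include <tunables/global>

/usr/bin/pidgin {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # "a network link": plain TCP/IP only, no raw sockets.
  network inet stream,
  network inet6 stream,

  # Pidgin's own state under ~/.purple.
  owner @{HOME}/.purple/ rw,
  owner @{HOME}/.purple/** rwk,

  # File sharing: only the agreed documents directory.
  owner @{HOME}/Persistent/Documents/ r,
  owner @{HOME}/Persistent/Documents/** rw,

  # Explicit deny rules take precedence over allow rules, so these hold
  # even if a broader allow rule is added to the profile later.
  deny @{HOME}/.gnupg/ rw,
  deny @{HOME}/.gnupg/** rwkl,
  deny @{HOME}/.ssh/ rw,
  deny @{HOME}/.ssh/** rwkl,

  # The same keys are reachable through the live persistence mount, so the
  # home-relative denies alone do not cover them on a Debian Live system.
  deny /live/persistence/TailsData_unlocked/gnupg/** rwkl,
  deny /live/persistence/TailsData_unlocked/openssh-client/** rwkl,
}
```

Because AppArmor mediates by path name, the "l" in the deny rules stops Pidgin from creating its own hard links to these files, but a hard link that already exists under an allowed directory is a separate name that none of these rules match, which is the hard-link concern raised above.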