[Whonix-devel] AppArmor

Jason Ayala jason at jasonayala.com
Fri Aug 9 19:27:03 CEST 2013


    Really? :/

I was being purposely provocative, hoping you'd contradict me :) I've been doing
my best to find answers, but it's not going well.

I take back "poorly developed". Development is active and ongoing.

For poorly understood and underpowered, take a look at:
http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html

I dare you to find anyone working on and sharing profiles...

  Apparmor apparently used to have a repo but shut it down (no explanation)
  http://wiki.apparmor.net/index.php/Profile_repo

  Ubuntu has a repo for the profiles they include with the OS (with various
  levels of quality. Half are off by default)
  https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles
  http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/files/head:/ubuntu/13.10/

    >Those two are not mutually exclusive. Together with compiler hardening,
    >they're all useful.
    ...
    > Is it really that bad?

Ok fine. You're right. If someone wants to work on apparmor profiles, why not?
Hell, I'm a bit interested in it too. But I'm discouraged by what I see so
far... Browsing through several profiles, there's a surprising amount of "WTF
does this do?" comments. And I'm discouraged by the fact that there's no working
tor browser profile nor user developed profiles being shared. I just wouldn't
put my hopes in it.

    >(For example, it would NOT have prevented the FH js exploit).

Though I don't pretend to understand concepts surrounding injecting machine code
into memory via an exploit... (Did the injected code run under the firefox
process? What was the nature of the crash of firefox that it induced? Was it a
buffer overflow?) The article above explains that apparmor poorly defends
against arbitrary code execution.



