lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <C056ACAC.1164C%pmeunier@cerias.purdue.edu>
Date: Mon Apr  3 16:23:20 2006
From: pmeunier at cerias.purdue.edu (Pascal Meunier)
Subject: Re: [SC-L] Re: [Owasp-dotnet] RE: 4 Questions:
 Latest IE
 vulnerability, Firefox vs IE security, User vs Admin risk profile, and
 browsers coded in 100% Managed Verifiable code

AppArmor sounds like an excellent alternative to creating a VMWare image for
every application you want to run but distrust, although I can think of
cases where a VMWare image would be safer.  For example, the
installer/uninstaller may have vulnerabilities, may be "dirty" (it causes
problems by modifying things that affect other applications, or doesn't
cleanup correctly), or phones home, etc...  I guess you could make a profile
for the installer as well (I'm not very enthusiastic about that idea
though).  Also, I suspect that what you need to allow in some profiles is
possibly sufficient to enable "some level" of malicious activity.  It's
regrettable that it is only available for Suse Linux.

Perhaps one of the AppArmor mailing lists would be more appropriate to ask
this, but as you posted an example profile with "capability setuid", I must
admit I am curious as to why an email client needs that.  I tried looking up
relevant documentation on the Novell site, but it seems I was unlucky and
tried during a maintenance period because pages were loading erratically.  I
finally got to the "3.0 Building Novell AppArmor Profiles" page but it was
empty.  I would appreciate receiving more information about it.  I am also
interested in the "Linux Security Modules Interface".

Regards,
Pascal Meunier

On 4/2/06 6:49 PM, "Crispin Cowan" <crispin@...ell.com> wrote:

> This is exactly what AppArmor <http://en.opensuse.org/Apparmor> was
> designed for: conveniently confining applications to only be able to do
> what they need to do. Application's least privilege.
> 
> I am running this mail client (Thunderbird) from within a "sandbox" (we
> call it a "profile"). I have attached this policy, which should be
> pretty self-explanatory.
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ