[apparmor] owner usage for @{HOME} rules

Seth Arnold seth.arnold at canonical.com
Wed Dec 19 00:00:13 UTC 2012


On Tue, Dec 18, 2012 at 05:26:49PM -0500, Simon Deziel wrote:
> I am wondering why some of the profile abstractions are not using the
> owner prefix with the variable @{HOME} while many others do (and some
> mix both)?

Funny, Steve's recent patch set made me wonder the same thing. (If only
by shining a light clearly on the differences again.)

In some cases, 'owner' couldn't work -- e.g., Apache's mod_userdir. I'm
sure there are others.

Different sites have different security goals and our provided profiles
are intended to help the people who want to be safer than running without
AppArmor, but don't want to put in effort to use it.

This does mean missing some opportunities for further tightening profiles.

If we add 'owner' to every desktop-oriented program where it makes sense,
some of our users will be upset that they cannot share files amongst the
users -- shared documents, shared music, shared photos, etc., are common
among families (and historical academic Unix deployments have tended to
be everything shared by default, and specific things like ~/.netrc, mail
spools, browser cookie stores, etc., kept private).

If we don't add 'owner' to the rules, a virus or worm is more likely to be
able to spread outside of one user account to infect other user accounts,
either by actively writing to other users' data, or by allowing a program
to read another user's infected data. (Think of a corrupt user-installed
font, corrupted PDF, etc.)

I could see using 'owner' everywhere, using 'owner' only to keep some
data separate (~/.ssh, ~/.gnupg, etc.), or not using 'owner' at all.

I think I fall down on the "keep private data private" version. It feels
like the best balance for the most number of users who won't themselves
edit profiles. It also requires a decision at every use...

Thanks
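To make the three variants discussed in the mail concrete, here is an added example abstraction written in AppArmor profile syntax. It is not code from the mail or from the AppArmor project's shipped abstractions; it shows the middle "keep private data private" option: the `owner` prefix only on the directories the mail names as private (~/.ssh, ~/.gnupg, ~/.netrc), plain rules for shared areas. The shared directory names under the home directory are assumed for illustration, and `@{HOME}` is assumed to be defined by the including profile's `#include <tunables/global>`, as in the shipped profiles.

```apparmor
# Added example abstraction (not part of the AppArmor project): the
# "keep private data private" variant.
#
# A rule with the 'owner' prefix matches only when the file's owner uid
# equals the uid the confined process is running as. A rule without it
# matches in any home directory that @{HOME} expands to, so it lets the
# confined program touch other accounts' files.
#
# Assumes @{HOME} comes from the including profile's
# #include <tunables/global>.

  # Shared areas stay shareable between accounts: no 'owner' prefix, so a
  # confined program may read another family member's documents or music.
  # (These directory names are assumed for the example.)
  @{HOME}/Documents/** rwk,
  @{HOME}/Music/**     r,
  @{HOME}/Pictures/**  r,

  # Private stores named in the mail: 'owner' restricts access to the
  # invoking user's own copy, so a compromised program running as one
  # user cannot read or overwrite another user's keys or credentials.
  owner @{HOME}/.ssh/** rw,
  owner @{HOME}/.gnupg/** rw,
  owner @{HOME}/.netrc r,
```

Switching this file to the "owner everywhere" variant means prefixing the three shared rules with `owner` as well; the "no owner at all" variant drops the prefix from the private rules. Because AppArmor logs denied accesses, a confined program that is refused another user's ~/.ssh under this abstraction shows up in the audit log, which is the check an administrator would use to see whether the chosen variant actually breaks a legitimate sharing workflow.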

