[apparmor] Dynamic AppArmor rules

Paul Johnston paj at pajhome.org.uk
Fri Jun 13 16:00:21 UTC 2014


Has anyone done any work on dynamic AppArmor rules? I think these could
massively help develop secure profiles for interactive applications.

For example, consider the Firefox profile. To maintain 100% compatibility
it needs read/write access to the whole file system, because you could
upload a file from anywhere (or save a file anywhere). That would pretty
much kill any security benefit. So we have the tradeoff where the profile
breaks compatibility a bit, doesn't do all the security it could, it just
does the best it can.

But what if we could have a rule that was "prompt". So when Firefox tries
to access a file outside the explicitly permitted directories, the user
gets a prompt asking them to approve or deny the access. Potentially this
could have options like "Just now" "Allow for this session" "Allow

I couldn't find anything online on "dynamic AppArmor rules" but perhaps
this is called something else? If so, just let me know, and I can look fro

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140613/9f6decb5/attachment.html>

More information about the AppArmor mailing list