[apparmor] Dynamic AppArmor rules
paj at pajhome.org.uk
Fri Jun 13 16:00:21 UTC 2014
Has anyone done any work on dynamic AppArmor rules? I think these could
massively help develop secure profiles for interactive applications.

For example, consider the Firefox profile. To maintain 100% compatibility
it needs read/write access to the whole file system, because you could
upload a file from anywhere (or save a file anywhere). That would pretty
much kill any security benefit. So we have the tradeoff where the profile
breaks compatibility a bit, doesn't do all the security it could, it just
does the best it can.

But what if we could have a rule that was "prompt". So when Firefox tries
to access a file outside the explicitly permitted directories, the user
gets a prompt asking them to approve or deny the access. Potentially this
could have options like "Just now" "Allow for this session" "Allow

I couldn't find anything online on "dynamic AppArmor rules" but perhaps
this is called something else? If so, just let me know, and I can look for