[apparmor] [profile] Firefox: put /bin/ps in a Child Profile for an extra security?

Seth Arnold seth.arnold at canonical.com
Wed Aug 30 20:53:15 UTC 2017


Hi Daniel,

On Wed, Aug 30, 2017 at 09:40:32PM +0200, daniel curtis wrote:
> ✓ /bin/ps Cx,

> profile /bin/ps {
> 
>     [NEEDED RULES]
> 
>     }
> 
> }
> 
> The "/bin/ps" child profile structure is straightforward, but I'm wondering
> whether it is OK? I'm asking just to be one hundred percent sure. Nothing

Yes, this is good. Be sure to #include <abstractions/base> in this child
profile, and the rest should be easy enough. Your suggested updates to
more modern rules with variables make sense too.

> What do you think about such an idea - an idea of creating a Child Profile for
> the "/bin/ps" utility? Could it make Firefox more secure? (My opinion mainly
> refers to the comment: "Ideally these would use a child profile." See
> above.)

ps is old enough that I strongly doubt it can be negatively influenced by
malicious processes, so it may not actually have any real impact on system
security. However, the principle of reducing privileges available to
processes on the system is solid, and if nothing else it's good practice.

Thanks
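
The child-profile layout discussed in this message, written out as an added example; it is not part of the original post and is not the Ubuntu Firefox profile. The parent profile name and attachment path, and every rule inside the child other than the abstractions/base include, are assumptions to be checked against audit-log denials on the target system.

```apparmor
# Constructed fragment: only the ps-related parts of a parent profile are shown.
#include <tunables/global>

# Parent profile name and attachment path are assumptions for this example.
profile firefox_example /usr/lib/firefox/firefox {
  #include <abstractions/base>

  # Cx: when the parent executes /bin/ps, switch to the child profile
  # declared below instead of running ps with the parent's permissions.
  /bin/ps Cx,

  # Child profile; its name matches the exec path used in the Cx rule above.
  profile /bin/ps {
    # Recommended in the reply: shared libraries, locale data, basic devices.
    #include <abstractions/base>

    # The binary itself must be mappable and readable.
    /bin/ps mr,

    # Assumed read set for a process listing (not taken from the thread).
    @{PROC}/ r,
    @{PROC}/uptime r,
    @{PROC}/sys/kernel/pid_max r,
    @{PROC}/tty/drivers r,
    @{PROC}/[0-9]*/stat r,
    @{PROC}/[0-9]*/status r,
    @{PROC}/[0-9]*/cmdline r,

    # No network, capability or write rules: anything not listed is denied
    # once the profile is in enforce mode.
  }
}
```

Reload the profile with `apparmor_parser -r` and keep the child in complain mode (`flags=(complain)`) at first, so the audit log shows which of the assumed rules are missing or unnecessary before switching to enforce mode.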