AA confining bash

pinguin74
With regard to the latest Bash Shock, I wonder whether it makes sense to
confine Bash with AppArmor after all?

I think to create a dedicated profile solely for Bash does not make
sense, because in general you want to be able to access everything with
Bash, right?

If an app wants to access Bash I invoke /bin/bash with the ix parameter;
this way Bash inherits the app's profile. Is this the only/best way to
confine Bash? Or does a dedicated profile make sense?

Thanks


Re: AA confining bash

Carlos E. R.-2
On 2014-10-03 22:42, pinguin74 wrote:
> With regard to the latest Bash Shock, I wonder whether it makes sense to
> confine Bash with AppArmor after all?

No.
It is used by everything, needs access everywhere.

You can confine the parent and its children, when you know in advance
what the parent is going to do for months to come.

--
Cheers / Saludos,

                Carlos E. R.
                (from 13.1 x86_64 "Bottle" at Telcontar)


Re: AA confining bash

pinguin74
On 2014-10-03 at 23:23, Carlos E. R. wrote:
> On 2014-10-03 22:42, pinguin74 wrote:
>> With regard to the latest Bash Shock, I wonder whether it makes sense to
>> confine Bash with AppArmor after all?
>
> No.
> It is used by everything, needs access everywhere.

> You can confine the parent and its children, when you know in advance
> what the parent is going to do for months to come.

I think with aa-notify you can learn quickly if the profile needs
adjustment, so it should work if Bash inherits the main profile.

I tried this with clamscan, Thunderbird and Firefox; they all invoke
bash. And I never had complaints that bash couldn't access something!

Best regards



Re: AA confining bash

Carlos E. R.-2
On 2014-10-03 23:45, pinguin74 wrote:
> On 2014-10-03 at 23:23, Carlos E. R. wrote:

> I tried this with clamscan, Thunderbird and Firefox; they all invoke
> bash. And I never had complaints that bash couldn't access something!

But of course. You are not setting a profile for bash, but for clamscan,
Thunderbird and Firefox.

--
Cheers / Saludos,

                Carlos E. R.
                (from 13.1 x86_64 "Bottle" at Telcontar)


Re: AA confining bash

Christian Boltz-7
Hello,

On Friday, 3 October 2014, pinguin74 wrote:
> With regard to the latest Bash Shock, I wonder whether it makes sense to
> confine Bash with AppArmor after all?
>
> I think to create a dedicated profile solely for Bash does not make
> sense, because in general you want to be able to access everything
> with Bash, right?

Right.
 
> If an app wants to access Bash I invoke /bin/bash with the ix
> parameter; this way Bash inherits the app's profile. Is this the
> only/best way to confine Bash? Or does a dedicated profile make sense?

You can use a child profile (Cx) if you want to give bash different
permissions than the main profile.

If you are really paranoid, you can use another child profile for
binaries executed by the Cx'd bash. Note that aa-logprof won't offer
(C)hild when you are already in a child profile, but you can use (N)amed
and enter the wanted child profile, like /bin/foo///bin/bar if your main
profile is /bin/foo and you want a child profile for /bin/bar.


Regards,

Christian Boltz

PS: Speaking about shellshock - if a windows user points fingers at
Linux because of shellshock, point him to
https://plus.google.com/117024231055768477646/posts/AhBgNjsVASa
;-)

--
[Shutting down Windows remotely] just use an unpatched Windows and one
of the thousand viruses that shut down the machines last year ;)
[Andreas Loesch in suse-linux]

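The two approaches discussed in this thread side by side, as an added example that is not part of any post above: a main profile for a hypothetical program (/bin/foo, the name Christian uses; the program, its file paths and the binaries it runs are assumptions made up for illustration) in which bash either inherits the parent's profile (ix, pinguin74's approach) or gets its own narrower child profile (Cx, Christian's suggestion), plus a second child profile reached by the named transition Christian describes. The flattened name /bin/foo///bin/bar is the parent name, the child separator // and the child name /bin/bar joined together, which is why it carries three slashes.

```apparmor
#include <tunables/global>

# Hypothetical main profile for /bin/foo. Everything below the
# profile header is an assumed, illustrative rule set, not a real
# profile shipped by any distribution.
/bin/foo {
  #include <abstractions/base>

  /bin/foo mr,
  /etc/foo.conf r,
  owner /home/*/.foo/** rw,

  # pinguin74's approach: bash runs under this same profile (ix).
  # Uncomment this line and remove the Cx rule to use it.
  # /bin/bash ix,

  # Christian's suggestion: bash transitions into a child profile, so
  # it can be given fewer permissions than /bin/foo itself. Upper-case
  # Cx also scrubs the environment on the transition.
  /bin/bash Cx,

  # Child profile; its full (flattened) name is /bin/foo///bin/bash.
  profile /bin/bash {
    #include <abstractions/base>

    /bin/bash mr,
    /etc/bash.bashrc r,
    /tmp/foo-*.sh r,

    # Helpers launched by the confined bash stay in this child profile.
    /bin/grep ix,
    /bin/sed ix,

    # "If you are really paranoid": send /bin/bar into its own child
    # profile of /bin/foo. aa-logprof offers no (C)hild choice while
    # inside a child profile, so this rule is what (N)amed produces
    # when you type /bin/foo///bin/bar at the prompt.
    /bin/bar Px -> /bin/foo///bin/bar,
  }

  # Second child profile of /bin/foo, full name /bin/foo///bin/bar.
  profile /bin/bar {
    #include <abstractions/base>

    /bin/bar mr,
    /var/lib/foo/** r,
  }
}
```

Save the file under /etc/apparmor.d/, load it with `apparmor_parser -r` on that file, and confirm with `aa-status` that /bin/foo and its children appear in the loaded profiles. Put it into complain mode with `aa-complain` first and review the denials (aa-notify, or the audit log) before enforcing, since the file list above is made up and will not match a real program.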