AppArmor network rules

AppArmor network rules

Malte Gell-3
Hi there,

I wonder, when do I have to explicitly set the "network" rule?

VLC media player can connect well without setting the "network" item,
other programs need to have "network" set.

Why does VLC work without setting "network" and others don't?

It seems programs can have network access without needing "network" to be set?


Thanks
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Re: AppArmor network rules

Christian Boltz-7
Hello,

On Saturday, 10 September 2016, 07:59:32 CEST, Malte Gell wrote:
> I wonder, when do I have to explicitly set the "network" rule?
>
> VLC media player can connect well without setting the "network" item,
> other programs need to have "network" set.
>
> Why does VLC work without setting "network" and others don't?
>
> It seems programs can have network access without needing "network" to be
> set?

Some abstractions (abstractions/nameservice and some others) already
include network permissions (network inet stream, network inet dgram and
their inet6 counterparts).

So I'd guess your VLC profile includes abstractions/nameservice and gets
network permissions this way.

If my guess is wrong (and/or if you think your vlc profile is good enough
for others to use), please post the profile ;-)


Regards,

Christian Boltz
--
* tigerfoot [sarcastic mode] Didn't we remove *kit from 12.2 ? [/end
           mode]
<simon123> tigerfoot: we will never get rid of *Kit, they will always
           invent another one :(
[from #opensuse-project]

Re: AppArmor network rules

Malte Gell-3
On 10.09.2016 at 12:39, Christian Boltz wrote:
>> (...)
>> It seems programs can have network access without needing "network" to be
>> set?
>
> Some abstractions (abstractions/nameservice and some others) already
> include network permissions (network inet stream, network inet dgram and
> their inet6 counterparts).

Holy crap, of course, the abstractions!

> If my guess is wrong (and/or if you think your vlc profile is good enough
> for others to use), please post the profile ;-)

Why not. In a new posting to the list with appropriate subject.

Regards
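
The point made in the reply above, that a profile can pick up network rules through an included abstraction, can be checked by resolving a profile's includes and reporting which file each network rule comes from. This is an added example, not part of the original thread or of AppArmor's own tooling; the file tree, the profile body and the abstraction contents are constructed samples, and only `<...>` includes are followed.

```python
import re
import tempfile
from pathlib import Path

INCLUDE_RE = re.compile(r'^\s*#?include\s+(?:if\s+exists\s+)?<([^>]+)>')
NETWORK_RE = re.compile(r'^\s*((?:(?:audit|allow|deny)\s+)*network\b[^,#]*),')

def network_rules(path, base, seen=None):
    """Return [(source_file, rule)] for every network rule reachable from `path`.
    `base` is the directory that <...> includes are resolved against."""
    seen = set() if seen is None else seen
    path = Path(path)
    if path in seen or not path.is_file():
        return []  # already visited, or an include target that does not exist
    seen.add(path)
    found = []
    for line in path.read_text().splitlines():
        inc = INCLUDE_RE.match(line)
        if inc:
            found += network_rules(Path(base) / inc.group(1), base, seen)
            continue
        net = NETWORK_RE.match(line)
        if net:
            found.append((str(path.relative_to(base)), " ".join(net.group(1).split())))
    return found

def demo():
    # Constructed sample tree; the abstraction body is a stand-in, not the shipped file.
    base = Path(tempfile.mkdtemp())
    (base / "abstractions").mkdir()
    (base / "abstractions/nameservice").write_text(
        "  /etc/hosts r,\n"
        "  network inet stream,\n  network inet dgram,\n"
        "  network inet6 stream,\n  network inet6 dgram,\n")
    (base / "abstractions/base").write_text("  /dev/null rw,\n")
    (base / "usr.bin.vlc").write_text(  # hypothetical profile with no network rule of its own
        "/usr/bin/vlc {\n"
        "  #include <abstractions/base>\n"
        "  #include <abstractions/nameservice>\n"
        "  owner @{HOME}/** r,\n"
        "}\n")
    return network_rules(base / "usr.bin.vlc", base)

if __name__ == "__main__":
    for source, rule in demo():
        print(f"{source}: {rule}")
```

To audit an installed profile, pass its path and `/etc/apparmor.d` as `base`; every rule reported under an `abstractions/` file is network access the profile grants without containing a "network" line itself.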

