
Thread: Why is Java not apparmor'd by default?

  1. #1 (Join Date: Mar 2011, Beans: 673)

    Why is Java not apparmor'd by default?

    There are a few services running apparmor by default. Why aren't there enforced profiles for Java by default? The profile for Firefox is there but it's only for Firefox (why?) and it's on complain by default.

    So would it be the apparmor maintainers who should be talked to about this?

  2. #2 (Join Date: Jan 2008, Location: USA, Beans: 971, Distro: Ubuntu 12.04 Precise Pangolin)

    Re: Why is Java not apparmor'd by default?

    Quote Originally Posted by Hungry Man View Post
    There are a few services running apparmor by default. Why aren't there enforced profiles for Java by default? The profile for Firefox is there but it's only for Firefox (why?) and it's on complain by default.
    The default firefox profile *does* confine Java. From the profile itself:

    Code:
    # Addons
      #include <abstractions/ubuntu-browsers.d/firefox>
    If you follow that abstraction it leads to a file named "java." If you look at that file:

    Code:
    profile browser_openjdk {
    As you can see it profiles Java for the browser (both OpenJDK and Oracle Java).

    BTW, I tested one of these Java exploits against the AppArmor'ed Firefox and the exploit failed. When I turned off AA, it succeeded.

    EDIT: If you are talking about confining the JVM itself, then no it's not. However, since the browser is the #1 attack vector for Java exploits on a desktop machine, then it makes sense to confine Java for the browser only. That means Java needs to be confined on a per application basis.
    Last edited by rookcifer; September 26th, 2012 at 09:37 PM.
    Occam's Razor for computers: Viruses must never be postulated without necessity -- nevius


  3. #3 (Join Date: Mar 2011, Beans: 673)

    Re: Why is Java not apparmor'd by default?

    Yes, I know the default Firefox profile does. Like I said, the profile is there but only for Firefox.

    There's no separate profile for the JVM. There's no profile for Chromium or Opera by default.

  4. #4 (Join Date: Jan 2008, Location: USA, Beans: 971, Distro: Ubuntu 12.04 Precise Pangolin)

    Re: Why is Java not apparmor'd by default?

    Quote Originally Posted by Hungry Man View Post
    Yes, I know the default Firefox profile does. Like I said, the profile is there but only for Firefox.
    Probably because Firefox is the default browser in Ubuntu.

    There's no separate profile for the JVM. There's no profile for Chromium or Opera by default.
    Profiling the JVM and making it work with every possible configuration would be tough.

    As for Chromium, there is indeed a default profile for it. You may have to install it though.

    Code:
    sudo apt-get install apparmor-profiles

  5. #5 (Join Date: Mar 2011, Beans: 673)

    Re: Why is Java not apparmor'd by default?

    Probably because Firefox is the default browser in Ubuntu.
    Right. But it's also not enforced by default when it really should be.

    Profiling the JVM and make it work with every possible configuration would be tough.
    Outside of for developers (who would be competent enough to disable it) it shouldn't be.
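The check the thread keeps coming back to, added here as an example and not code from any poster: which loaded AppArmor profiles are still only in complain mode (logging violations, not blocking them), and how to switch one to enforce. It assumes the kernel's listing at /sys/kernel/security/apparmor/profiles has one profile per line as "<name> (<mode>)", with child profiles written as "<parent>//<child>" (aa-status reads the same listing); a constructed sample listing is embedded so the script runs on a machine without AppArmor. The aa-enforce call is the standard tool from the apparmor-utils package; the Firefox profile path in the final comment is the usual Ubuntu location and is given as an assumption.

```sh
#!/bin/sh
# Added example, not code from any poster in this thread.
# Lists the AppArmor profiles that are loaded but only in complain mode, and
# wraps the switch to enforce mode.
#
# Assumption: /sys/kernel/security/apparmor/profiles has one profile per line
# in the form "<name> (<mode>)", with child profiles as "<parent>//<child>".
# A constructed sample listing (not captured from a real system) is used so
# the script runs without AppArmor present.

KERNEL_LISTING=/sys/kernel/security/apparmor/profiles

# complain_profiles FILE
#   Print the name of every profile in FILE whose mode is "complain".
complain_profiles() {
    sed -n 's/^\(.*\) (complain)$/\1/p' "$1"
}

# count_mode FILE MODE
#   Print how many profiles in FILE are in MODE ("enforce" or "complain").
#   grep -c exits 1 when the count is 0, so the status is masked.
count_mode() {
    grep -c " ($2)\$" "$1" || :
}

# make_sample_listing FILE
#   Write a constructed listing in the kernel's format. The names mirror the
#   Ubuntu 12.04-era profiles discussed in the thread, including the
#   browser_openjdk child profile that the Firefox profile pulls in.
make_sample_listing() {
    cat > "$1" <<'EOF'
/usr/lib/firefox/firefox{,*[^s][^h]} (complain)
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk (complain)
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/sbin/cupsd (enforce)
/usr/sbin/tcpdump (enforce)
EOF
}

# enforce_profile PROFILE_FILE
#   Switch one profile (and the child profiles defined inside it) to enforce
#   mode with aa-enforce from apparmor-utils. Needs root; fails loudly when
#   the tool is not installed instead of guessing.
enforce_profile() {
    if ! command -v aa-enforce >/dev/null 2>&1; then
        echo "aa-enforce missing: sudo apt-get install apparmor-utils" >&2
        return 1
    fi
    sudo aa-enforce "$1"
}

# Demo: run the check on the constructed sample, then on the live kernel
# listing if this machine has AppArmor loaded.
sample=$(mktemp)
make_sample_listing "$sample"
echo "sample listing: $(count_mode "$sample" complain) complain, $(count_mode "$sample" enforce) enforce"
echo "sample profiles still in complain mode:"
complain_profiles "$sample"
rm -f "$sample"

if [ -r "$KERNEL_LISTING" ]; then
    echo "live profiles still in complain mode:"
    complain_profiles "$KERNEL_LISTING"
fi

# To put the Firefox profile (and its browser_* child profiles) into enforce
# mode on a stock Ubuntu install (path assumed, check /etc/apparmor.d first):
#   enforce_profile /etc/apparmor.d/usr.bin.firefox
```

A profile in complain mode still logs denials to the kernel log (and, with auditd, to the audit log), so running the check after switching to enforce and watching for "apparmor=\"DENIED\"" entries tells you whether the profile breaks anything you actually use before you rely on it.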

  6. #6 Soul-Sing (Join Date: Aug 2006, Beans: 1,374, Distro: Ubuntu 13.04 Raring Ringtail)

    Re: Why is Java not apparmor'd by default?

    There's no separate profile for the JVM. There's no profile for Chromium or Opera by default.

    On Lubuntu Chromium is....

    The question is, imho, do you need Java?
    Otherwise use the QuickJava add-on for Firefox.

  7. #7 (Join Date: Jan 2008, Location: USA, Beans: 971, Distro: Ubuntu 12.04 Precise Pangolin)

    Re: Why is Java not apparmor'd by default?

    Quote Originally Posted by Soul-Sing View Post
    On Lubuntu Chromium is....

    The question is, imho, do you need Java?
    Otherwise use the QuickJava add-on for Firefox.
    Some people do need Java in the browser. Unfortunately some sites require it. Some people say their banking site requires it (fortunately mine doesn't).

    I think one solution would be if the Chrome developers would implement the Java plugin into their sandbox like they do with Flash. Right now Chrome/Chromium does nothing to protect Java.

  8. #8 (Join Date: Mar 2011, Beans: 673)

    Re: Why is Java not apparmor'd by default?

    I don't know what Chrome does on Linux. On Windows it limits IPC to Java.

  9. #9 (Join Date: Aug 2012, Beans: 47)

    Re: Why is Java not apparmor'd by default?

    Quote Originally Posted by Hungry Man View Post
    There are a few services running apparmor by default. Why aren't there enforced profiles for Java by default? The profile for Firefox is there but it's only for Firefox (why?) and it's on complain by default.

    So would it be the apparmor maintainers who should be talked to about this?

    It's a great idea, Hungry Man. This would be like a request to the Ubuntu developers to add this by default, which would help a lot of new users who don't know how to use AppArmor.

  10. #10 Soul-Sing (Join Date: Aug 2006, Beans: 1,374, Distro: Ubuntu 13.04 Raring Ringtail)

    Re: Why is Java not apparmor'd by default?

    AppArmor is an application-based protocol, with profiles for many apps, so every application which uses Java should be limited/restricted by an AppArmor profile, afaik.
    The only way to restrict Java in a general way is to disable it.
