Originally Posted by desire.linux
Maybe so, but please make sure that we have understood you right on this one:
If I confine a program (a program with file browsing and editing capabilities) with AppArmor, and make sure that this program is confined with no write permissions to the file system at all, only read access (like /** r,), AppArmor will still allow this program to delete files and folders if they are owned by the same user who runs the confined program? Even create new folders?
I've interpreted the AppArmor wiki as saying you need the write flag to be able to e.g. delete files and create new folders.
I've also interpreted AppArmor as an application firewall that should stop write access even if the owner of the confined program owns the directories being written to. AppArmor should have been that extra layer of security!
I don't have access to the profile from this computer.
It was the Gwenview image viewer that was tested. I don't know how it works. Maybe it mysteriously calls another program somehow for folder editing. aa-genprof didn't notice that anyway.
My friend is pretty sure there's something wrong with AppArmor. If AppArmor can't confine a program from deleting and writing to the user's own home folder, then I'm having trouble seeing the benefits of using AppArmor at all.
Hard to say from what little you have posted.
You need to post the AppArmor profile and describe exactly what you are trying to have AppArmor do.
As far as
I'm having trouble seeing the benefits of using apparmor at all.
Well, if you can't describe what you want AppArmor to do for you, and cannot post a profile, I guess it is hard to see the benefits.
Example:
I want to use AppArmor to restrict what some programs can access in my home directory.
Specifically, I do not want Firefox to have any access to ~/.ssh.
Here is what I use:
Code:
# Default profile allows downloads to ~/Downloads and uploads from ~/Public
owner @{HOME}/ r,
# '*' stops at '/': this covers top-level entries only, nothing under ~/.ssh/
owner @{HOME}/* r,
owner @{HOME}/Public/ r,
owner @{HOME}/Public/* r,
owner @{HOME}/{Desktop,Downloads}/ r,
owner @{HOME}/{Desktop,Downloads}/** rw,
# per-user firefox configuration
owner @{HOME}/.mozilla/ rw,
owner @{HOME}/.mozilla/** rw,
owner @{HOME}/.mozilla/**/*.sqlite* k,
owner @{HOME}/.mozilla/**/.parentlock k,
owner @{HOME}/.mozilla/plugins/** rm,
owner @{HOME}/.mozilla/**/plugins/** rm,
#
# Extensions
# /usr/share/.../extensions/... is already covered by '/usr/** r', above.
# Allow 'x' for downloaded extensions, but inherit policy for safety
owner @{HOME}/.mozilla/**/extensions/** mixr,
# Flash
owner @{HOME}/.adobe/ rw,
owner @{HOME}/.adobe/** rw,
owner @{HOME}/.macromedia/ rw,
owner @{HOME}/.macromedia/** rw,
# Allow flash to use video acceleration
/dev/nvidiactl rw,
/dev/nvidia0 rw,
# Other permissions in HOME directories
owner @{HOME}/.config/ r,
owner @{HOME}/.config/** r,
owner @{HOME}/.config/ibus/bus/ rw,
So you need to start with a definition of a purpose.
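One way to turn "a definition of a purpose" into something checkable is to ask the profile text which permissions it grants on the paths you care about. The script below is an added example, not code from the post or from the AppArmor project: it parses a constructed fragment condensed from the profile above, expands AppArmor globs (`*` within one path component, `**` across components, `{a,b}` alternation, `@{HOME}` variable), unions the permissions of every matching rule the way AppArmor accumulates them, honours the `owner` qualifier, and reports paths that receive a permission they must never have. Assumed, and not from the post: `@{HOME}` is `/home/alice`, rules are written only as `[owner] PATH PERMS,` (no deny/audit rules, profile header or exec-mode letters), and `**` is approximated as `.*`.

```python
"""Added example: ask an AppArmor profile fragment which permissions it grants on a path.

Assumptions (not from the post): @{HOME} is /home/alice, rules use the
'[owner] PATH PERMS,' form only (no deny/audit rules, no profile header,
no exec-mode letters), and '**' is approximated as '.*'.
"""
import re

# Constructed sample, condensed from the profile fragment posted above.
SAMPLE_RULES = """
# Default profile allows downloads to ~/Downloads and uploads from ~/Public
owner @{HOME}/ r,
owner @{HOME}/* r,
owner @{HOME}/Public/ r,
owner @{HOME}/Public/* r,
owner @{HOME}/{Desktop,Downloads}/ r,
owner @{HOME}/{Desktop,Downloads}/** rw,
owner @{HOME}/.mozilla/ rw,
owner @{HOME}/.mozilla/** rw,
owner @{HOME}/.mozilla/**/*.sqlite* k,
/dev/nvidiactl rw,
"""

VARIABLES = {"HOME": "/home/alice"}  # assumed value for @{HOME}

# '[owner] PATH PERMS,' only; PERMS is a run of permission letters (r, w, k, m, ...)
RULE_RE = re.compile(r"^(owner\s+)?(\S+)\s+([A-Za-z]+)\s*,$")


def glob_to_regex(pattern, variables=VARIABLES):
    """Translate an AppArmor path glob into an anchored regex.

    '*' matches within one path component, '**' across components,
    '?' one non-slash character, '{a,b}' is alternation."""
    for name, value in variables.items():
        pattern = pattern.replace("@{%s}" % name, value)
    if "@{" in pattern:
        raise ValueError("unexpanded variable in %r" % pattern)
    out, i, depth = [], 0, 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        elif ch == "{":
            out.append("(?:")
            depth += 1
        elif ch == "}" and depth:
            out.append(")")
            depth -= 1
        elif ch == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rules(text, variables=VARIABLES):
    """Return a list of (owner_only, compiled_regex, perms) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: %r" % line)
        owner, path, perms = m.groups()
        rules.append((owner is not None, glob_to_regex(path, variables), set(perms)))
    return rules


def permissions(rules, path, owned_by_user=True):
    """Union of permissions from every matching rule (AppArmor accumulates them).

    'owner' rules only apply when the file belongs to the confined process's user;
    a path that no rule matches gets the empty set, i.e. it is denied."""
    granted = set()
    for owner_only, rx, perms in rules:
        if owner_only and not owned_by_user:
            continue
        if rx.match(path):
            granted |= perms
    return granted


def violations(rules, expectations, owned_by_user=True):
    """expectations maps a path to the permissions it must NOT have; return offenders."""
    bad = []
    for path, forbidden in expectations.items():
        bad.extend((path, p) for p in sorted(forbidden & permissions(rules, path, owned_by_user)))
    return bad


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for p in ["/home/alice/.ssh/id_rsa", "/home/alice/notes.txt",
              "/home/alice/Downloads/report.pdf"]:
        print(p, sorted(permissions(rules, p)))
    # The stated purpose: Firefox must never touch ~/.ssh
    print(violations(rules, {"/home/alice/.ssh/id_rsa": {"r", "w"},
                             "/home/alice/.ssh/": {"r", "w"}}))
```

With the sample, `~/.ssh/id_rsa` gets no permissions at all (nothing grants `w`, and `@{HOME}/*` does not descend into `~/.ssh/`), while `~/Downloads/report.pdf` gets `rw` only when the file is owned by the user running the program. Creating or deleting a file needs `w` on that path, so a purpose like "no writes under ~/.ssh" is a set of paths that must not come back with `w`. The matcher reflects the policy text only: actual enforcement also depends on the profile being loaded in enforce mode and attached to the program that performs the operation, which is why the profile and the exact test matter.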