[pkg-apparmor] Bug#807369: apparmor: Apparmor "deny network" not working in Jessie

Simon Ruderich simon at ruderich.org
Wed Jun 29 15:33:48 UTC 2016


On Mon, Jun 27, 2016 at 11:15:26PM +0100, Simon McVittie wrote:
> On Thu, 11 Feb 2016 at 17:03:22 +0100, Simon Ruderich wrote:
>> Without network mediation local UNIX access is a big
>> problem (DBUS).
>
> [snip]
>
> Normal filesystem-backed Unix sockets are mediated by ordinary file-based
> AppArmor rules, so they are much easier to sandbox.
>
> [snip]

Sadly that's not correct in Debian at the moment. That part of
the AppArmor code is still missing in the Debian kernel. To
restrict access for UNIX sockets the normal file hooks are not
sufficient and the unix_stream_connect and unix_may_send hooks
must be used.

This part is still missing in Debian, making any restrictions
on, for example, DBUS or any other UNIX sockets impossible! (And
in contrast with IP sockets, UNIX sockets can't be constrained
with iptables.)

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
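A small probe for the point made above, added here as an example and not code from the bug report or from the AppArmor project: it opens a filesystem-backed stream socket, an abstract-namespace stream socket and a datagram socket, then tries connect() (the unix_stream_connect hook) and sendto() (the unix_may_send hook) against each, returning the errno name on failure so that "denied by the LSM" is distinguishable from "socket not there". The profile in the docstring is an assumed one written in AppArmor's `unix` rule syntax and its path is hypothetical; the idea is to run the script unconfined and then again under that profile. On a kernel that lacks the UNIX-socket hooks every probe still succeeds although `deny unix,` is loaded, because the file rule only governs open()/stat() on the socket inode, not the connection itself.

```python
"""Probe whether the running kernel/AppArmor profile mediates AF_UNIX sockets.

Assumed profile (hypothetical file /etc/apparmor.d/unix-probe, AppArmor
'unix' rule syntax), to be loaded with apparmor_parser -r and used via
  sudo aa-exec -p unix-probe -- python3 unix_probe.py

    profile unix-probe /usr/bin/python3 {
      #include <abstractions/base>
      /tmp/** rw,      # file rule: does NOT stop connect()/sendto() on a socket
      deny unix,       # only effective if the kernel has the unix_* LSM hooks
    }
"""
import errno
import os
import socket
import tempfile


def _errname(exc):
    # Map an OSError to its symbolic errno (e.g. "EACCES", "ENOENT").
    return errno.errorcode.get(exc.errno, str(exc.errno))


def probe_stream_connect(address):
    """connect() a SOCK_STREAM client to `address` (exercises unix_stream_connect).

    Returns (True, None) on success, (False, errno_name) on failure.
    """
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.connect(address)
        return True, None
    except OSError as exc:
        return False, _errname(exc)
    finally:
        client.close()


def probe_dgram_send(address):
    """sendto() one datagram to `address` (exercises unix_may_send)."""
    client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        client.sendto(b"ping", address)
        return True, None
    except OSError as exc:
        return False, _errname(exc)
    finally:
        client.close()


def run_probes():
    """Set up listening sockets of each kind and probe them; return {name: result}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        fs_path = os.path.join(tmp, "probe.sock")         # filesystem-backed stream socket
        abstract = b"\0unix-probe-" + str(os.getpid()).encode()  # abstract namespace: no inode at all
        dg_path = os.path.join(tmp, "probe.dgram")        # filesystem-backed datagram socket

        stream_fs = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        stream_abs = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        dgram = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        try:
            stream_fs.bind(fs_path)
            stream_fs.listen(1)      # connect() completes via the backlog; no accept() needed
            stream_abs.bind(abstract)
            stream_abs.listen(1)
            dgram.bind(dg_path)

            results["stream filesystem"] = probe_stream_connect(fs_path)
            results["stream abstract"] = probe_stream_connect(abstract)
            results["dgram filesystem"] = probe_dgram_send(dg_path)
            # Control: a path with no socket behind it must fail with ENOENT,
            # so a policy denial (a different errno) is not mistaken for it.
            results["stream missing path"] = probe_stream_connect(os.path.join(tmp, "missing.sock"))
        finally:
            for s in (stream_fs, stream_abs, dgram):
                s.close()
    return results


if __name__ == "__main__":
    for name, (ok, err) in run_probes().items():
        print(f"{name:22s} {'ok' if ok else 'FAILED ' + err}")
```

Compare the two runs: if the confined run still prints `ok` for all three live sockets, the loaded `deny unix,` rule is not being enforced and the kernel is missing the hooks; if connect() and sendto() fail under the profile, socket mediation is in place. The abstract-namespace case is the one that a file rule can never reach, since there is no path to match.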