Any attempted access of /boot would be logged the same way anyway, although it might be good to use that to stop it from showing up in aa-logprof.
Dec 24 2019
Would an audit deny rule for /boot be useful for the sake of audit?
/boot isn't allowed in init-systemd anyway so we don't need to add it to dangerous-files. AppArmor denies access to files that aren't explicitly allowed. The only reason we need to blacklist /lib/modules and not /boot is because we give access to all libraries.
Still need to add /boot to https://github.com/Whonix/apparmor-profile-everything/blob/master/etc/apparmor.d/abstractions/dangerous-files? Currently cannot find it there.
Dec 23 2019
/boot/ is already unreadable.
Patrick triaged T952: warn against superadmin / superroot in grub boot menu or initramfs as Normal priority.
Dec 7 2019
Patrick renamed T943: make /boot and /lib/modules unreadable even for root from make /boot unreadable even for root to make /boot and /lib/modules unreadable even for root.
Nov 23 2019
Patrick closed T938: request apparmor environment scrubbing whitelist from AppArmor upstream as Resolved.
Awesome!
madaidan added a comment to T938: request apparmor environment scrubbing whitelist from AppArmor upstream.
I created the issue:
Patrick triaged T938: request apparmor environment scrubbing whitelist from AppArmor upstream as Normal priority.
Patrick added a project to T936: apparmor-profile-everything breaks Qubes upgrading: apparmor-profile-everything.
Whonix OLD Issue Tracker