Page MenuHomePhabricator

apparmor-profile-everythingProject
ActivePublic

Watchers

  • This project does not have any watchers.
  • View All

Recent Activity

Dec 24 2019

madaidan added a comment to T943: make /boot and /lib/modules unreadable even for root.

Any attempted access of /boot would be logged the same way anyway although it might be good to use that to stop it from showing up in aa-logprof.

Dec 24 2019, 5:07 PM · security, apparmor-profile-everything, Whonix
Patrick closed T943: make /boot and /lib/modules unreadable even for root as Resolved.

Would an audit denyrule for /boot be useful for the sake of audit?

Dec 24 2019, 4:49 PM · security, apparmor-profile-everything, Whonix
madaidan added a comment to T943: make /boot and /lib/modules unreadable even for root.

/boot isn't allowed in init-systemd anyway so we don't need to add it to dangerous-files. Apparmor denies access to files that aren't explicitly allowed. The only reason we need to blacklist /lib/modules and not /boot is because we give access to all libraries.

Dec 24 2019, 4:37 PM · security, apparmor-profile-everything, Whonix
Patrick added a comment to T943: make /boot and /lib/modules unreadable even for root.

Still need to add /boot to https://github.com/Whonix/apparmor-profile-everything/blob/master/etc/apparmor.d/abstractions/dangerous-files? Currently cannot find it there.

Dec 24 2019, 12:17 PM · security, apparmor-profile-everything, Whonix

Dec 23 2019

madaidan added a comment to T943: make /boot and /lib/modules unreadable even for root.

/boot/ is already unreadable.

Dec 23 2019, 9:27 PM · security, apparmor-profile-everything, Whonix
Patrick triaged T952: warn against superadmin / superroot in grub boot menu or initramfs as Normal priority.
Dec 23 2019, 4:00 PM · Whonix 16, Whonix, apparmor-profile-everything

Dec 7 2019

Patrick renamed T943: make /boot and /lib/modules unreadable even for root from make /boot unreadable even for root to make /boot and /lib/modules unreadable even for root.
Dec 7 2019, 9:14 AM · security, apparmor-profile-everything, Whonix
Patrick triaged T943: make /boot and /lib/modules unreadable even for root as Normal priority.
Dec 7 2019, 9:13 AM · security, apparmor-profile-everything, Whonix

Nov 23 2019

Patrick closed T938: request apparmor environment scrubbing whitelist from AppArmor upstream as Resolved.

Awesome!

Nov 23 2019, 5:53 PM · apparmor-profile-everything, AppArmor, Whonix
madaidan added a comment to T938: request apparmor environment scrubbing whitelist from AppArmor upstream.

I created the issue:

Nov 23 2019, 5:51 PM · apparmor-profile-everything, AppArmor, Whonix
Patrick triaged T938: request apparmor environment scrubbing whitelist from AppArmor upstream as Normal priority.
Nov 23 2019, 5:23 PM · apparmor-profile-everything, AppArmor, Whonix
Patrick closed T936: apparmor-profile-everything breaks Qubes upgrading as Resolved.
Nov 23 2019, 5:07 PM · apparmor-profile-everything, Qubes, Whonix, AppArmor
Patrick added a project to T936: apparmor-profile-everything breaks Qubes upgrading : apparmor-profile-everything.
Nov 23 2019, 5:07 PM · apparmor-profile-everything, Qubes, Whonix, AppArmor
Patrick added a member for apparmor-profile-everything: madaidan.
Nov 23 2019, 5:07 PM
Patrick created apparmor-profile-everything.
Nov 23 2019, 5:06 PM