Dec 24 2019
madaidan added a comment to T943: make /boot and /lib/modules unreadable even for root.
Any attempted access of /boot would be logged the same way anyway although it might be good to use that to stop it from showing up in aa-logprof.
Would an audit deny rule for /boot be useful for the sake of auditing?
madaidan added a comment to T943: make /boot and /lib/modules unreadable even for root.
/boot isn't allowed in init-systemd anyway, so we don't need to add it to dangerous-files. AppArmor denies access to files that aren't explicitly allowed. The only reason we need to blacklist /lib/modules and not /boot is because we give access to all libraries.
Patrick added a comment to T943: make /boot and /lib/modules unreadable even for root.
Still need to add /boot to https://github.com/Whonix/apparmor-profile-everything/blob/master/etc/apparmor.d/abstractions/dangerous-files? Currently cannot find it there.
Dec 23 2019
madaidan added a comment to T943: make /boot and /lib/modules unreadable even for root.
/boot/ is already unreadable.
Patrick triaged T952: warn against superadmin / superroot in grub boot menu or initramfs as Normal priority.
Dec 7 2019
Patrick renamed T943 from "make /boot unreadable even for root" to "make /boot and /lib/modules unreadable even for root".
Nov 23 2019
Patrick closed T938: request apparmor environment scrubbing whitelist from AppArmor upstream as Resolved.
Awesome!
madaidan added a comment to T938: request apparmor environment scrubbing whitelist from AppArmor upstream.
I created the issue:
Patrick triaged T938: request apparmor environment scrubbing whitelist from AppArmor upstream as Normal priority.
Patrick added a project to T936: apparmor-profile-everything breaks Qubes upgrading: apparmor-profile-everything.