[Whonix-devel] Apparmor: Interpreter Access Restrictions

• Previous message: [Whonix-devel] How to remove a widget from systemtray? removeSystrayApplet.js example is broken.
• Next message: [Whonix-devel] [qubes-devel] Re: qubes-linux-template-builder Debian apt-get --force-yes --yes security issue?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Micah,

At Whonix we are trying to fine tune our Apparmor profiles and I saw an
interesting concept in your profile for torbrowser-launcher, the access
restriction of the script/process to the interpreter running it:

>   # This script doesn't really need to read the interpreter that's
running it.
>   deny /usr/bin/python{2,3}.[0-7]* r,


Can/Should writes to usr/bin/python be denied too to further harden the
profile?

I was under the impression that unless permitted, any path access is
implicitly denied by default in Apparmor, so I'm not sure if its already
covered.

By replying to this mail, your answer will be posted on the whonix-devel
public mailing list, so all of our coders can benefit from your
answer.

• Previous message: [Whonix-devel] How to remove a widget from systemtray? removeSystrayApplet.js example is broken.
• Next message: [Whonix-devel] [qubes-devel] Re: qubes-linux-template-builder Debian apt-get --force-yes --yes security issue?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]