From reading some AppArmor docs, I know that AppArmor reads logs to determine what the profile of a program will be. That means a profile can only be built when the program has been executed at least once, or when we already know how a specific program will be executed.
But if a hacker inserts a bad program such as a back door or virus that should never be executed at any time, and at the same time we don’t know what consequences will happen due to the behaviour of the bad program, how could AppArmor prevent these situations?
Can AppArmor confine everything under a specific directory by default? Because using:
aa-autodep /path/to/restrict/* is ‘complain’ by default and everything is allowed, can AppArmor deny everything by default?
AppArmor’s purpose is to prevent a trusted program’s unknown
vulnerabilities from being exploited to escalate privileges or use
existing system privileges to do bad things. If you have an untrusted
application from somebody, don’t run it. If you do run it in the first
place, make sure it isn’t bad and, once it is running, set up a policy for it to
limit its operations for the time when it is exploited. If somebody is able
to run an untrusted app on your system then you have probably already lost
the battle.
Good luck.
On 06/10/2010 12:26 AM, luke chen wrote:
>
> Hello,
>
> From reading some AppArmor docs, I know that AppArmor reads logs
> to determine what the profile of a program will be. That means a profile
> can only be built when the program has been executed at least once, or when we
> already know how a specific program will be executed.
>
> But if a hacker inserts a bad program such as a back door or virus that
> should never be executed at any time, and at the same time we don’t know
> what consequences will happen due to the behaviour of the
> bad program, how could AppArmor prevent these
> situations?
>
> Can AppArmor confine everything under a specific directory by
> default? Because using:
> aa-autodep /path/to/restrict/* is ‘complain’ by default and everything
> is allowed, can AppArmor deny everything by default?
>
>
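As an added illustration of the two points in this exchange (what aa-autodep gives you versus a default-deny policy), here is a pair of AppArmor profiles written for this page, not taken from the thread or from the AppArmor project. The directory /opt/untrusted, the profile file name and the comments are constructed assumptions; the profile syntax, the complain flag and the audit/deny keywords are standard AppArmor policy language.

```apparmor
# /etc/apparmor.d/opt.untrusted  (constructed example path)
#include <tunables/global>

# --- 1. What aa-autodep produces: a complain-mode profile -----------------
# flags=(complain) means nothing is blocked; every access the program makes
# is merely written to the audit log so that aa-logprof can turn it into
# rules later. This is learning mode, not protection.
#
# /opt/untrusted/learn-me flags=(complain) {
#   #include <abstractions/base>
# }

# --- 2. Default-deny for every executable under a directory ---------------
# The attachment path is a glob, so any file executed from the tree is
# confined by this one profile. Without flags=(complain) the profile is
# enforced, and an enforced profile permits only what it lists: with no
# allow rules, file, network and capability access are all refused, so a
# dropped binary cannot even map its shared libraries.
/opt/untrusted/** {
  # Plain "deny" rules are quiet; the audit keyword keeps the rejection in
  # the log so that an attempt to run something here is visible to whoever
  # watches /var/log/audit or dmesg.
  audit deny network,
  audit deny capability,
  audit deny /** mrwklx,

  # If some reads must be tolerated (e.g. libc for a known helper), add an
  # abstraction and narrow the file deny above to "wklx"; deny rules always
  # win over allow rules, so the two must not overlap.
  # #include <abstractions/base>
}

# Load or reload the policy and confirm it is in enforce mode:
#   apparmor_parser -r /etc/apparmor.d/opt.untrusted
#   aa-status
```

Two caveats apply when reading this as an answer to the original question. AppArmor attaches a profile at exec time by the path of the executable, so the glob only covers binaries that are actually run from that tree; a script started as `python /opt/untrusted/x.py` runs under the interpreter's profile, not this one, and a file copied elsewhere is unconfined unless another profile matches it. That is exactly the reply's point: policy can contain a program you decided to run, but the place to stop an unknown planted binary is before it is ever executed (restricted mount options, package integrity checks, file permissions), with the profile serving as a logged backstop.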