Re: recommends for apparmor in newest linux-image-4.13

To: debian-devel@lists.debian.org
Subject: Re: recommends for apparmor in newest linux-image-4.13
From: Vincas Dargis <vindrg@gmail.com>
Date: Wed, 29 Nov 2017 19:24:22 +0200
Message-id: <[🔎] f959b121-7b92-5f18-f91e-d8c9a2581a9a@gmail.com>
In-reply-to: <[🔎] 20171129072514.GA31212@chew>
References: <[🔎] 20171123131846.GA27575@lst.de> <[🔎] 1511445349.14687.63.camel@decadent.org.uk> <[🔎] 20171123135822.GA28776@lst.de> <[🔎] 1511445584.14687.64.camel@decadent.org.uk> <[🔎] 20171123140109.GA28885@lst.de> <[🔎] 20171123144310.gac6zwqysfzdsh3i@exolobe3> <[🔎] 20171128185445.GA5602@lst.de> <[🔎] 20171128230308.GB769@bongo.bofh.it> <[🔎] 18deb24e-d4b3-11e7-9b6a-00163eeb5320@msgid.mathom.us> <[🔎] 87609tg1d1.fsf@hope.eyrie.org> <[🔎] 20171129072514.GA31212@chew>

On 2017-11-29 09:25, Jonathan Dowland wrote:

On Tue, Nov 28, 2017 at 08:22:50PM -0800, Russ Allbery wrote:

My personal pet "I don't have time" project I'd love to see is extending
systemd units for as many services in Debian as possible to include
namespace restrictions and seccomp filter rules, which I think has good
parallel potential alongside an LSM for raising the default security
posture of Debian.  LSMs deal with per-file restrictions much more easily
than systemd's seccomp and namespace support, but the seccomp and
namespace support does a lot of other nice things that LSMs aren't as good
at.


Yes this would be excellent; a necessary prerequisite would be getting
more daemons (and cron-scheduled processes) shipping systemd units too.

Since mentioned, I would like that these daemons would implement seccomp filtering themselves, meaning like withinapplication itself, using libeseccomp. Thy can fine-grain what thread what syscalls can make.

For example, some networking, parsing thread might not need execve() at all. Meanwhile, it might be needed for main orother thread to call some external application, but that can be later mediated with MAC, is it AppArmor, SELinux orwhatever.

Reply to:

Follow-Ups:
- seccomp jailing for applications (was: recommends for apparmor in newest linux-image-4.13)
  - From: Russ Allbery <rra@debian.org>

References:
- recommends for apparmor in newest linux-image-4.13
  - From: Christoph Hellwig <hch@lst.de>
- Re: recommends for apparmor in newest linux-image-4.13
  - From: Ben Hutchings <ben@decadent.org.uk>
- Re: recommends for apparmor in newest linux-image-4.13
  - From: Christoph Hellwig <hch@lst.de>
- Re: recommends for apparmor in newest linux-image-4.13
  - From: Ben Hutchings <ben@decadent.org.uk>
- Re: recommends for apparmor in newest linux-image-4.13
  - From: Christoph Hellwig <hch@lst.de>
- Re: recommends for apparmor in newest linux-image-4.13
  - From: Lars Wirzenius <liw@liw.fi>
- Re: recommends for apparmor in newest linux-image-4.13
  - From: Christoph Hellwig <hch@lst.de>
- Re: recommends for apparmor in newest linux-image-4.13
  - From: md@Linux.IT (Marco d'Itri)
- Re: recommends for apparmor in newest linux-image-4.13
  - From: Michael Stone <mstone@debian.org>
- Re: recommends for apparmor in newest linux-image-4.13
  - From: Russ Allbery <rra@debian.org>
- Re: recommends for apparmor in newest linux-image-4.13
  - From: Jonathan Dowland <jmtd@debian.org>

Prev by Date: Re: recommends for apparmor in newest linux-image-4.13
Next by Date: Bug#883103: ITP: proxmoxer -- Python Wrapper for the Proxmox 2.x API
Previous by thread: Re: recommends for apparmor in newest linux-image-4.13
Next by thread: seccomp jailing for applications (was: recommends for apparmor in newest linux-image-4.13)
Index(es):
- Date
- Thread