Re: Which Debian packages leak information to the network?

To: debian-security@lists.debian.org
Subject: Re: Which Debian packages leak information to the network?
From: donoban <donoban@riseup.net>
Date: Fri, 20 May 2016 11:49:47 +0200
Message-id: <[🔎] 573EDDBB.4050501@riseup.net>
In-reply-to: <[🔎] 573ED85B.2020400@wwb.cc>
References: <[🔎] 573C8F40.60106@riseup.net> <[🔎] 20160518163352.GA7986@jwilk.net> <[🔎] 20160518165427.GA2003@layer-acht.org> <[🔎] 573ECC1F.3070704@riseup.net> <[🔎] 7712f462-14ec-ac52-ea03-d6235bc9a32e@gmail.com> <[🔎] 573ED85B.2020400@wwb.cc>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>> On 20/05/16 09:55, Elmar Stellnberger wrote: Well, in order to
>> block network access for individual apps you would need something
>> like SELinux. However I do not know abouot the availability of
>> security profiles for all such apps, neither do I know about a
>> convenient tool to browse such profiles f.i. in order to see 
>> whehther a given app is allowed to access the network.
>> 
On 20/05/16 11:26, ale wrote:
> I think you could also use AppArmor profiles to filter network
> access per application in the way you describe.
> 

The problem with AppArmor (I am not sure with SeLinux) is that all the
information about what packages/programs are allowed to use Internet
will be distributed on different AppArmor profiles which are pretty
difficult to maintain and manage.

The ideal scenario should be some file on /etc/ with a list of all
packages with access granted, so an user could easily add or remove
permissions.

A package which network access by default will be added automatically
on install. Some packages could be optional (like gnome-calculator),
on install (or on first run) the user will be asked if they want to
grant access to it.

I do not know any distribution doing something like this, so probably
it has some problems or backwards.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXPt27AAoJEBQTENjj7QilPgIQAJ/FQKZrkI3FhvKgEr1GcX2B
1igMBMfdcHLZvZZb5vG3P018mrA1XbPFOuhCfiCMCKilmzTiyMk9KJCSGPbdRgKs
iEXvavK4AVXGHTu2b0q4PxEtM507Eg+sAdcrJZUIQZ4p+kwflqZ/yCPGVcbHL/Go
g6cNiioG1DCTxI7zuuLpkOZFk/ykkdEfAwCFeiWkGyNSLWRfdVBKLbJ+rkMG/JQd
4xTauFJ8Eo8LY2GT1TOlJ4yP4e0Lj/bJYxO4n5zg5k5yAwss4YyFhmsCNLoemn/s
a0gI1GZl1uxs80X9Ll4Tma+mvZvX7v/L/tTF+KG72qS8AeDqJe8gZ4PJbKrTbbzw
Uy0zgmh+lstTqfpj0SXyIP4nUKpue9gAoPHEfp4Tt0TmhzBGsPzeNHDk24isy7QR
gp+l0TpEfc58ONHeBZAdVwdiJTmW0fRDaA5Lfj26773S3jYzxND8Igpsigqn8kuB
ahnn+/yY4ucI/YWu9n7ntaA2R9vHjaOP7Cj+FqlZs8qvTbUnM8X7naEuSpqI8PoS
DuefP9XgeIxLuumNtRkzZRt4DbqsHkPu6qe9Lt2CNl6FZCkhVPCzA8qUFO9E0A5G
zLoZZM6ENkBQP2qrEb3Yhgq9+9PSyfD6uqF38OplxTdkyx4NgVFAgqnVukplken+
q5440aqvJHK09tevWSjC
=vzxJ
-----END PGP SIGNATURE-----

Reply to:

References:
- Which Debian packages leak information to the network?
  - From: Patrick Schleizer <adrelanos@riseup.net>
- Re: Which Debian packages leak information to the network?
  - From: Jakub Wilk <jwilk@debian.org>
- Re: Which Debian packages leak information to the network?
  - From: Holger Levsen <holger@layer-acht.org>
- Re: Which Debian packages leak information to the network?
  - From: donoban <donoban@riseup.net>
- Re: Which Debian packages leak information to the network?
  - From: Elmar Stellnberger <estellnb@gmail.com>
- Re: Which Debian packages leak information to the network?
  - From: ale <ale@wwb.cc>

Prev by Date: Re: Which Debian packages leak information to the network?
Next by Date: Re: Which Debian packages leak information to the network?
Previous by thread: Re: Which Debian packages leak information to the network?
Next by thread: Re: Which Debian packages leak information to the network?
Index(es):
- Date
- Thread