Re: What can AppArmor do?



On Wed, May 18, 2016 at 09:23:34AM -0500, Richard Owlett wrote:
> https://packages.debian.org/jessie/apparmor is uninformative.
>
> It says:
> "This provides the system initialization scripts needed to use the AppArmor Mandatory Access Control system, including the AppArmor Parser which is required to convert AppArmor text profiles into machine-readable policies that are loaded into the kernel for use with the AppArmor Linux Security Module."
>
> There is a link to http://wiki.apparmor.net/index.php/Main_Page which gives no hints!
>
> My application questions:
> 1. If BrowserA and BrowserB are installed, can AppArmor prevent BrowserB from
>    connecting to the internet independent of user permissions?
> 2. Can AppArmor default to preventing *ALL* but specific applications from
>    connecting to the internet independent of user permissions?

From that wiki page: "AppArmor security policies completely define what system resources individual applications can access, and with what privileges."

"Network access" is, although not explicitly stated on that page, a system resource. So yes, you can prevent, say, an application called "firefox" from accessing the network entirely. Looking deeper, I see http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Network_rules which defines the network rules of AppArmor. It appears that you should be able to constrain said application to only connect to certain addresses.

Just a warning that you need to think carefully about the rules you implement. Can a user get around your rules by renaming "firefox" to "iceweasel"? If, instead, you put blanket rules in place check that you aren't blocking other networking functions (like X talking over the local network, for example). AppArmor does, however, have a "complain" mode where, rather than enforcing rules it will log violations to syslog. You can use this to guide your profile creation.

--
For more information, please reread.
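As an added illustration (not code from this mail or from the AppArmor project), here is a profile for a hypothetical BrowserB installed at the placeholder path /usr/lib/browserb/browserb: it denies the program IPv4 and IPv6 sockets for every user, leaves unix sockets alone so a local X display still works, and uses audit so refused attempts show up in the log the way complain mode reports them.

```apparmor
# Added example profile for a hypothetical BrowserB at /usr/lib/browserb/browserb.
# Save as /etc/apparmor.d/usr.lib.browserb.browserb and load it with:
#   sudo apparmor_parser -r /etc/apparmor.d/usr.lib.browserb.browserb
# To try the rules without blocking anything (violations are only logged):
#   sudo aa-complain /etc/apparmor.d/usr.lib.browserb.browserb
# then watch /var/log/syslog (or the kernel log) for "apparmor=" lines.
#include <tunables/global>

/usr/lib/browserb/browserb {
  #include <abstractions/base>
  # X11 and fonts use unix sockets and files; the inet/inet6 denials below
  # do not touch them, so the browser can still draw on a local display.
  #include <abstractions/X>
  #include <abstractions/fonts>

  # The binary itself, its libraries and data.
  /usr/lib/browserb/** r,
  /usr/lib/browserb/browserb mr,

  # Per-user profile directory; @{HOME} comes from tunables/global.
  owner @{HOME}/.browserb/ rw,
  owner @{HOME}/.browserb/** rwk,

  # Question 1: no IPv4 or IPv6 sockets, whichever user runs the browser.
  # "audit" logs each refused attempt, which is what you would review when
  # tuning the rest of the profile in complain mode.
  audit deny network inet,
  audit deny network inet6,
}
```

Profiles attach by executable path, so a copy of the binary at a different path runs unconfined unless that path has a profile too; this is the renaming caveat in the reply above, and BrowserA, with no profile of its own, keeps its network access.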