On Mon, Jun 27, 2016 at 11:15:26PM +0100, Simon McVittie wrote:
> On Thu, 11 Feb 2016 at 17:03:22 +0100, Simon Ruderich wrote:
>> Without network mediation local UNIX access is a big
>> problem (DBUS).
>
> [snip]
>
> Normal filesystem-backed Unix sockets are mediated by ordinary file-based
> AppArmor rules, so they are much easier to sandbox.
>
> [snip]

Sadly that's not correct in Debian at the moment. That part of the AppArmor code is still missing in the Debian kernel. To restrict access for UNIX-Sockets the normal file hooks are not sufficient and the unix_stream_connect and unix_may_send hooks must be used. This part is still missing in Debian, making any restrictions to, for example, DBUS or all other Unix-Sockets impossible! (And in contrast with IP sockets, UNIX sockets can't be constrained with iptables.)

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9