Hi,

On 11.12.2017 at 17:50, Vincas Dargis wrote:
> Though I would like to propose improvements for current profile too,
> because it seems that erlang executable can run `su` too (because
> inherited execution `ix`), same as a wrapper script.
>
> I believe only wrapper script should actually invoke `su`, am I right?
> It would be nice to deny running setuid applications if possible.
>
> Also, I am guessing that this rule would need extra file/unix rules too,
> to access `/var/run/.psql.5432` unix domain socket to connect to
> PostgreSQL for example. I could test all networking and other features
> in Ubuntu VM, as all these AppArmor features are being upstreamed, and
> so coming into Debian too.

yes, the current profile is far from perfect, so any improvements are very welcome.

Regards,
-- 
 .''`.   Philipp Huebner <debala...@debian.org>
: :'  :  pgp fp: 6719 25C5 B8CD E74A 5225 3DF9 E5CA 8C49 25E4 205F
`. `'`
  `-
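The `ix` concern raised in the quoted text can be checked mechanically. The sketch below is an added example, not part of the thread or of the Debian ejabberd profile. It lists which `ix` children share a profile's permission to execute `su`. All paths and the profile name `ejabberd_erlang` are assumptions, and `fnmatch` only approximates AppArmor globbing.

```python
import re
from fnmatch import fnmatchcase

# Constructed profiles; every path and profile name here is an assumption.
WEAK = """
/usr/sbin/ejabberdctl {
  /usr/lib/erlang/erts-*/bin/beam.smp ix,
  /bin/su ix,
  /etc/ejabberd/** r,
}
"""
# Same wrapper, but erlang transitions to its own (hypothetical) profile.
SPLIT = WEAK.replace("beam.smp ix,", "beam.smp Px -> ejabberd_erlang,")

# Path-first file rules only: [deny] /path perms [-> target],
RULE = re.compile(r"^\s*(deny\s+)?(/\S+)\s+([A-Za-z]+)(?:\s*->\s*\S+)?,\s*$")
EXEC_MODE = re.compile(r"[pPcC]?[iuU]?x")

def shared_exec(profile, sensitive=("/bin/su", "/usr/bin/su")):
    """Map each sensitive binary the profile may exec to the ix children
    that inherit the same profile and can therefore exec it as well."""
    allowed, denied, inherited = [], [], []
    for line in profile.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        deny, path, perms = m.groups()
        x = EXEC_MODE.search(perms)
        if not x:
            continue  # rule grants no exec permission
        if deny:
            denied.append(path)
        else:
            allowed.append(path)
            if x.group() == "ix":
                inherited.append(path)

    def hit(globs, target):
        return any(fnmatchcase(target, g) for g in globs)

    # ix children other than the sensitive binaries themselves
    children = [p for p in inherited
                if not any(fnmatchcase(s, p) for s in sensitive)]
    # deny rules take precedence over allow rules within a profile
    return {s: children for s in sensitive
            if hit(allowed, s) and not hit(denied, s)}

if __name__ == "__main__":
    print(shared_exec(WEAK))
    print(shared_exec(SPLIT))
```

A non-empty child list means the wrapper is not the only program confined by that profile that may run `su`.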