[Bug 1336125] Re: Preload should be compiled with security flags
If someone wants to try benchmarking/doing some sort of a 'does this feel slower' test in order to make a decision, by all means. I personally have not noticed any difference with my system having it removed, but that's just me. Removing the code is obviously the most effective way to remove the attack surface, though that approach won't really extend too far - many other binaries on Elementary are in the same boat but would not make sense to remove.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1336125

Title:
  Preload should be compiled with security flags

To manage notifications about this bug go to:
https://bugs.launchpad.net/elementaryos/+bug/1336125/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
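The bug title asks for preload to be built with the hardening flags (PIE, non-executable stack, RELRO/BIND_NOW, stack protector). The following is an added example, not code from the bug thread or from preload itself: a small checker that reads the ELF program headers and dynamic section directly, so it can be run against a packaged binary without readelf or checksec installed. `build_synthetic_elf` constructs a header-only fake ELF image (no real code) purely to exercise the checker; the stack-canary test is the same heuristic checksec uses (presence of the `__stack_chk_fail` symbol name) and is therefore only an approximation.

```python
import struct
import sys

# ELF constants (ELF specification / glibc elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def analyze_elf(data):
    """Return {"pie", "nx", "relro", "canary"} for an ELF image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if is64:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)

    nx, relro, interp, dynamic = False, False, False, None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:   # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, p_flags, p_off, _, _, p_size = struct.unpack_from(end + "IIQQQQ", data, off)
        else:      # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags
            p_type, p_off, _, _, p_size, _, p_flags = struct.unpack_from(end + "IIIIIII", data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)        # no PT_GNU_STACK at all also means an executable stack
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_INTERP:
            interp = True                    # has a dynamic loader, i.e. an executable, not a .so
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_size)

    bind_now = pie_flag = False
    if dynamic:
        fmt, size = (end + "qQ", 16) if is64 else (end + "iI", 8)
        d_off, d_size = dynamic
        for off in range(d_off, min(d_off + d_size, len(data) - size + 1), size):
            tag, val = struct.unpack_from(fmt, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_FLAGS and val & DF_BIND_NOW:
                bind_now = True
            elif tag == DT_FLAGS_1:
                bind_now = bind_now or bool(val & DF_1_NOW)
                pie_flag = bool(val & DF_1_PIE)

    return {
        "pie": e_type == ET_DYN and (interp or pie_flag),
        "nx": nx,
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        "canary": b"__stack_chk_fail" in data,   # heuristic: symbol name present in the file
    }


def check_file(path):
    with open(path, "rb") as f:
        return analyze_elf(f.read())


def build_synthetic_elf(nx=True, relro=True, bind_now=True, pie=True, canary=True):
    """Constructed ELF64 image with no code, only the headers the checker reads (self-test input)."""
    phnum = 3 if relro else 2
    dyn_off = 64 + 56 * phnum                      # header, program headers, then .dynamic
    flags1 = (DF_1_NOW if bind_now else 0) | (DF_1_PIE if pie else 0)
    dyn = struct.pack("<qQqQ", DT_FLAGS_1, flags1, DT_NULL, 0)

    def phdr(p_type, p_flags, offset, size):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, offset, offset, offset, size, size, 8)

    phdrs = phdr(PT_DYNAMIC, PF_R | PF_W, dyn_off, len(dyn))
    phdrs += phdr(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0)
    if relro:
        phdrs += phdr(PT_GNU_RELRO, PF_R, dyn_off, len(dyn))
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9     # ELF64, little-endian, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0,
                        64, 56, phnum, 0, 0, 0)
    return ehdr + phdrs + dyn + (b"__stack_chk_fail\x00" if canary else b"strlen\x00")


if __name__ == "__main__":
    for path in sys.argv[1:] or [sys.executable]:
        print(path, check_file(path))
```

Run it as `python3 elfcheck.py /usr/sbin/preload` (or any other path); a binary built with the Ubuntu hardening defaults should report `pie: True`, `nx: True`, `relro: "full"` and `canary: True`. The Ubuntu wiki's hardening-check script and checksec do the same job with more coverage; this version is only meant to make the individual checks visible.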
[Bug 1336125] Re: Preload should be compiled with security flags
** Also affects: preload (Ubuntu)
   Importance: Undecided
       Status: New
[Bug 1094789] Re: Pulseaudio Profile
I hadn't realized that pulseaudio was no longer setuid; I'm just out of date, I suppose, haha. If it's not setuid there's less of a need for such strict rules, and using an abstraction may be ok. But wouldn't it simply be enough to use @{multiarch}? I apologize for taking so long to reply. If /base were used I think this profile could be deployed across architectures without issue, yes?

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1094789

Title:
  Pulseaudio Profile

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1094789/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1094789] Re: Pulseaudio Profile
It also requires the setuid permission. I thought that it dropped its privileges? Because it, apparently, needs quite a number of capabilities, including setuid.
[Bug 1094789] Re: Pulseaudio Profile
I see it's changed to expired. If it would help move things along, I can rewrite this profile with /base and remove redundant entries. At that point anyone willing to simply test it can do so, but it should simply work. I'm still unsure about the capabilities, as it *requested* those capabilities.
[Bug 1094789] Re: Pulseaudio Profile
His is cleaner, and would work on more systems since he uses abstractions. If PulseAudio isn't setuid then it should be fine, since being so tight shouldn't be necessary.
[Bug 1094789] [NEW] Pulseaudio Profile
Public bug reported:

This profile works on 64-bit, and is pretty restrictive. Maybe it'll be of use for someone? I tested it on Ubuntu 12.10 64-bit (it needs 32-bit variables, naturally) and I can play sound from my browser and videos just fine. It's setuid so it obviously needs a ton of capabilities, but file access can be restricted quite a lot. It may need more work, but I figure someone can build from this? It might be worth packaging.

# Last Modified: Sun Dec 30 19:06:02 2012
#include <tunables/global>

/usr/bin/pulseaudio {
  capability chown,
  capability dac_override,
  capability fowner,
  capability fsetid,
  capability kill,
  capability setgid,
  capability setuid,
  capability sys_nice,
  capability sys_ptrace,
  capability sys_resource,

  /usr/lib/locale/locale-archive r,
  /dev/null rw,
  /dev/random r,
  /dev/snd/controlC* rw,
  /dev/snd/pcm* rw,
  /dev/urandom r,
  /etc/group r,
  /etc/ld.so.cache r,
  /etc/locale.alias r,
  /etc/localtime r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/pulse/client.conf r,
  /etc/pulse/daemon.conf r,
  /etc/pulse/default.pa r,
  /etc/pulse/system.pa r,
  /etc/udev/udev.conf r,
  /home/*/.ICEauthority r,
  /home/*/.Xauthority r,
  /home/*/.esd_auth rwk,
  /home/*/.pulse-cookie rwk,
  /home/*/.pulse/ rw,
  /home/*/.pulse/* rw,
  /home/*/orcexec.* rw,
  /lib/x86_64-linux-gnu/libc-*.so mr,
  /lib/x86_64-linux-gnu/libdbus-*.so.* mr,
  /lib/x86_64-linux-gnu/libdl-*.so mr,
  /lib/x86_64-linux-gnu/libglib-*.so.* mr,
  /lib/x86_64-linux-gnu/libm-*.so mr,
  /lib/x86_64-linux-gnu/libnsl-*.so mr,
  /lib/x86_64-linux-gnu/libnss_compat-*.so mr,
  /lib/x86_64-linux-gnu/libnss_files-*.so mr,
  /lib/x86_64-linux-gnu/libnss_nis-*.so mr,
  /lib/x86_64-linux-gnu/libpthread-*.so mr,
  /lib/x86_64-linux-gnu/libresolv-*.so mr,
  /lib/x86_64-linux-gnu/librt-*.so mr,
  /lib/x86_64-linux-gnu/libudev.so.* mr,
  /lib/x86_64-linux-gnu/libuuid.so.* mr,
  /lib/x86_64-linux-gnu/libwrap.so.* mr,
  /proc/asound/card*/ r,
  /proc/asound/card*/pc*/ r,
  /proc/asound/card*/pc*/sub*/ r,
  /proc/asound/card*/pc*/sub*/status r,
  /proc/cpuinfo r,
  /proc/stat r,
  /proc/sys/kernel/ngroups_max r,
  /root/.esd_auth rwk,
  /root/.pulse-cookie rw,
  /root/.pulse/ rw,
  /root/.pulse/* rw,
  /run/pulse/ rw,
  /run/pulse/.pulse-cookie rwk,
  /run/pulse/dbus-socket rwk,
  /run/pulse/native rwk,
  /run/pulse/pid rwk,
  /run/shm/ r,
  /run/shm/* rw,
  /run/udev/data/+sound:card* r,
  /sys/bus/ r,
  /sys/class/ r,
  /sys/class/sound/ r,
  /sys/devices/pci[0-9]*/**/*class r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/online r,
  /sys/devices/virtual/dmi/id/bios_vendor r,
  /sys/devices/virtual/dmi/id/board_vendor r,
  /sys/devices/virtual/dmi/id/sys_vendor r,
  owner /tmp/** mrwk,
  /usr/bin/pulseaudio mrix,
  /usr/lib/ r,
  /usr/lib/libpulse*.so* mr,
  /usr/lib/pulse-*/modules/*.so* mr,
  /usr/lib/pulseaudio/pulse/gconf-helper rix,
  /usr/lib/x86_64-linux-gnu/alsa-lib/*pulse.so mr,
  /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache mr,
  /usr/lib/x86_64-linux-gnu/libFLAC.so.* mr,
  /usr/lib/x86_64-linux-gnu/libICE.so.* mr,
  /usr/lib/x86_64-linux-gnu/libSM.so.* mr,
  /usr/lib/x86_64-linux-gnu/libX11-xcb.so.* mr,
  /usr/lib/x86_64-linux-gnu/libX11.so.* mr,
  /usr/lib/x86_64-linux-gnu/libXau.so.* mr,
  /usr/lib/x86_64-linux-gnu/libXdmcp.so.* mr,
  /usr/lib/x86_64-linux-gnu/libXext.so.* mr,
  /usr/lib/x86_64-linux-gnu/libXtst.so.* mr,
  /usr/lib/x86_64-linux-gnu/libasound.so.* mr,
  /usr/lib/x86_64-linux-gnu/libasyncns.so.* mr,
  /usr/lib/x86_64-linux-gnu/libgconf-2.so.* mr,
  /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.* r,
  /usr/lib/x86_64-linux-gnu/libgobject-*.so.* mr,
  /usr/lib/x86_64-linux-gnu/libjson.so.* mr,
  /usr/lib/x86_64-linux-gnu/libltdl.so.* mr,
  /usr/lib/x86_64-linux-gnu/libogg.so.* mr,
  /usr/lib/x86_64-linux-gnu/liborc-*.so.* mr,
  /usr/lib/x86_64-linux-gnu/libpulse.so.* mr,
  /usr/lib/x86_64-linux-gnu/libsamplerate.so.* mr,
  /usr/lib/x86_64-linux-gnu/libsndfile.so.* mr,
  /usr/lib/x86_64-linux-gnu/libspeexdsp.so.* mr,
  /usr/lib/x86_64-linux-gnu/libtdb.so.* mr,
  /usr/lib/x86_64-linux-gnu/libvorbis.so.* mr,
  /usr/lib/x86_64-linux-gnu/libvorbisenc.so.* mr,
  /usr/lib/x86_64-linux-gnu/libxcb.so.* mr,
  /usr/lib/x86_64-linux-gnu/pulseaudio/lib*-*.so* mr,
  /usr/share/alsa/** r,
  /usr/share/applications/ r,
  /usr/share/applications/* r,
  /usr/share/pulseaudio/** r,
  /var/lib/dbus/machine-id r,
  /var/lib/lightdm/.Xauthority r,
  /var/lib/lightdm/.esd_auth rwk,
  owner /var/lib/lightdm/.pulse-cookie rwk,
  /var/lib/lightdm/.pulse/ r,
  owner /var/lib/lightdm/.pulse/* w,
  /var/lib/lightdm/.pulse/* r,
  /var/lib/pulse/ rw,
  /var/lib/pulse/*-default-sink rw,
  /var/lib/pulse/*-default-source rw,
  /var/lib/pulse/*.tdb rw,
  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/[0-9]*/maps r,
  @{PROC}/[0-9]*/stat r,
}

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New
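The replies in this thread suggest replacing the hard-coded x86_64 library paths with the @{multiarch} tunable and pulling in abstractions/base so the profile works on any architecture. The fragment below is an added illustration of that rewrite and is not the profile posted in the bug or an Ubuntu-shipped profile. It assumes the stock Ubuntu tunables and abstractions (tunables/global pulls in tunables/multiarch, which defines @{multiarch}); the non-library paths are taken from the posted profile, and the capability lines are left out because the thread has not settled which ones the daemon actually needs.

```apparmor
# Added example: the posted pulseaudio rules made architecture-independent.
#include <tunables/global>

/usr/bin/pulseaudio {
  # Posted form, valid only on an x86_64 install:
  #   /lib/x86_64-linux-gnu/libc-*.so mr,
  #   /lib/x86_64-linux-gnu/libpthread-*.so mr,
  #   /usr/lib/x86_64-linux-gnu/libasound.so.* mr,
  #   ... (about fifty more per-library lines)
  #
  # abstractions/base grants the C library, the dynamic loader, locale data
  # and the shared libraries under /{usr/,}lib/@{multiarch}/ for whichever
  # architecture the machine is, so those lines collapse into one include:
  #include <abstractions/base>
  # nameservice covers /etc/passwd, /etc/group, /etc/nsswitch.conf and libnss_*:
  #include <abstractions/nameservice>
  # audio covers the ALSA device nodes, /etc/pulse and /usr/share/alsa:
  #include <abstractions/audio>

  # Paths no abstraction covers, written against the tunables instead of a literal arch:
  /usr/lib/@{multiarch}/alsa-lib/*pulse.so mr,
  /usr/lib/@{multiarch}/pulseaudio/lib*-*.so* mr,
  /usr/lib/pulse-*/modules/*.so* mr,
  /usr/lib/pulseaudio/pulse/gconf-helper rix,

  owner @{HOME}/.pulse-cookie rwk,
  owner @{HOME}/.pulse/ rw,
  owner @{HOME}/.pulse/** rw,
  owner @{HOME}/orcexec.* rw,

  /run/pulse/ rw,
  /run/pulse/** rwk,
  /var/lib/pulse/ rw,
  /var/lib/pulse/** rw,

  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/[0-9]*/maps r,
  @{PROC}/[0-9]*/stat r,
}
```

To check it on a real system rather than trust the abstractions by name, load it in complain mode (`sudo aa-complain /etc/apparmor.d/usr.bin.pulseaudio`), play some audio, and read the `apparmor="ALLOWED"` lines in the kernel log; whatever still shows up there, including any `capability` entries, is what the tightened profile has to grant before it is switched to enforce with `aa-enforce`.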
[Bug 1186793] [NEW] Updating is over insecure connection
Public bug reported:

Relying on signatures is silly. It gives attackers much more control over a situation, and we already know that this *doesn't work* when weak signatures like MD5 are used (see Flame hash collision). Is the average user going to get attacked this way, with a collision? Maybe not. But Ubuntu servers are going to get targeted, and updating over HTTP just doesn't make sense. Flame may have been a government attack aimed at other governments, but users were infected. They were attacked to get to the government systems. So whether you're a server or a high value target or whatever, there are people who will try to exploit this system.

Preventing this is as simple as properly implementing HTTPS and encouraging third party developers to do the same with their packages.

https://www.cs.arizona.edu/stork/packagemanagersecurity/
https://en.wikipedia.org/wiki/Flame_(malware)#Operation

HTTPS with HSTS in particular will prevent:

1) An attacker from viewing traffic that can give them information as to the attack surface on a system. They can see which applications are at which versions, and how often the system is updating.

2) It means that if the signing key is compromised the attacker can install their own updates via MITM. HTTPS prevents this.

Is there any solid reason why updates are still over an insecure connection? Microsoft has updated over a secure connection for a year now.

** Affects: ubuntu
     Importance: Undecided
         Status: Confirmed

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1186793

Title:
  Updating is over insecure connection

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1186793/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
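Point 1 in the report above, that plain-HTTP update traffic tells an on-path observer which packages and versions a machine runs, is easy to make concrete. The following is an added example and not part of the bug report: it parses the request lines an eavesdropper would see and rebuilds the inventory from them. The sample requests are constructed for the example, not a real capture, and the package versions in them are illustrative only; the filename convention it relies on (`name_version_arch.deb`, with the epoch colon URL-encoded as `%3a`) and the `dists/<suite>/<component>/binary-<arch>/Packages` index layout are the real Debian archive layout.

```python
import re
from urllib.parse import unquote

# Constructed sample traffic (not a captured session): the request lines an
# on-path observer sees when apt fetches from a plain-HTTP mirror.
SAMPLE_REQUESTS = """\
GET /ubuntu/dists/raring/InRelease HTTP/1.1
GET /ubuntu/dists/raring-security/main/binary-amd64/Packages.bz2 HTTP/1.1
GET /ubuntu/dists/raring-security/main/binary-i386/Packages.bz2 HTTP/1.1
GET /ubuntu/pool/main/o/openssl/libssl1.0.0_1.0.1c-4ubuntu8.1_amd64.deb HTTP/1.1
GET /ubuntu/pool/main/o/openssl/openssl_1.0.1c-4ubuntu8.1_amd64.deb HTTP/1.1
GET /ubuntu/pool/main/v/vim/vim_2%3a7.3.547-6ubuntu5_amd64.deb HTTP/1.1
GET /ubuntu/pool/main/l/linux/linux-image-3.8.0-25-generic_3.8.0-25.37_amd64.deb HTTP/1.1
GET /ubuntu/pool/universe/c/chromium-browser/chromium-browser_25.0.1364.160-0ubuntu3_amd64.deb HTTP/1.1
GET /ubuntu/pool/main/g/glib2.0/libglib2.0-0_2.36.0-1ubuntu1_i386.deb HTTP/1.1
GET /ubuntu/pool/main/o/openssl/libssl1.0.0_1.0.1c-4ubuntu8.1_i386.deb HTTP/1.1
"""

# dists/<suite>/<component>/binary-<arch>/Packages*: reveals release and architectures in use
INDEX_RE = re.compile(
    r"^GET\s+\S*/dists/(?P<suite>[^/\s]+)/(?P<component>[^/\s]+)/binary-(?P<arch>[^/\s]+)/Packages")
# pool/<component>/<prefix>/<source>/<file>.deb: reveals the exact binaries being installed
DEB_RE = re.compile(
    r"^GET\s+\S*/pool/(?P<component>[^/\s]+)/[^/\s]+/(?P<source>[^/\s]+)/(?P<file>[^/\s]+\.deb)\s")
# Debian binary package filename: name_version_arch.deb (version may carry an epoch, "2:" -> "2%3a")
FILENAME_RE = re.compile(r"^(?P<name>[a-z0-9][a-z0-9+.-]*)_(?P<version>[^_]+)_(?P<arch>[^_]+)\.deb$")


def parse_deb_request(line):
    """Return (package, version, arch, source, component) for one .deb GET line, else None."""
    m = DEB_RE.match(line)
    if not m:
        return None
    fm = FILENAME_RE.match(unquote(m.group("file")))   # undo %3a so the epoch colon comes back
    if not fm:
        return None
    return (fm.group("name"), fm.group("version"), fm.group("arch"),
            m.group("source"), m.group("component"))


def inventory(request_text):
    """Rebuild what a passive observer learns from plain-HTTP apt traffic."""
    inv = {"suites": set(), "architectures": set(), "packages": {}, "sources": {}}
    for line in request_text.splitlines():
        im = INDEX_RE.match(line)
        if im:
            inv["suites"].add(im.group("suite"))
            inv["architectures"].add(im.group("arch"))
            continue
        parsed = parse_deb_request(line)
        if parsed:
            name, version, arch, source, _component = parsed
            inv["packages"][name] = version          # exact version now on the box
            inv["architectures"].add(arch)
            inv["sources"].setdefault(source, set()).add(name)
    return inv


def packages_from_source(inv, source):
    """Binaries fetched from one source package, e.g. everything rebuilt for an openssl advisory."""
    return sorted(inv["sources"].get(source, ()))


if __name__ == "__main__":
    inv = inventory(SAMPLE_REQUESTS)
    print("suites:", sorted(inv["suites"]), "archs:", sorted(inv["architectures"]))
    for name, version in sorted(inv["packages"].items()):
        print("  %s %s" % (name, version))
```

Run against a real capture the same parser works on the `GET` lines from `tcpdump -A` or a proxy log; the interesting part for an attacker is not the list itself but the timing, since a fetch of `openssl` and `libssl1.0.0` right after a security advisory tells them which machines were still unpatched the day before.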
[Bug 1186793] Re: Updating is over insecure connection
I tried assigning ia32-apt-get but it says it isn't a package in Ubuntu.
[Bug 1186793] Re: Updating is over insecure connection
*** This bug is a duplicate of bug 247445 ***
    https://bugs.launchpad.net/bugs/247445

Like Chris Thompson said, completely different bug report. Not a duplicate.
[Bug 1186793] Re: Updating is over insecure connection
** This bug is no longer a duplicate of bug 247445
   Package managers vulnerable to replay and endless data attacks
[Bug 1183086] Re: Please update to 27.0.1453.110
Either leave it out of the repositories or keep it updated with at least security backports. Anything else is negligent and encouraging users to install *known insecure* software.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1183086

Title:
  Please update to 27.0.1453.110

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1183086/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs