[Nix-dev] AppArmor

Patrick Wheeler patrick.john.wheeler at gmail.com
Sun May 12 07:41:52 CEST 2013


Thanks for getting this started.  I have had some interest in finding out
the time and effort it would take to confine some services. The ping
example should help me get started.

Thanks again.


On Sat, May 11, 2013 at 1:10 AM, <phreedom at yandex.ru> wrote:

> Fresh AppArmor is available for further development.
>
> The end result should be fully automatic confinement configuration for all
> services configured using nixos options without extraConfig and such, a
> feature which would be unique to NixOS.
>
> Currently, AppArmor ships with a single profile which confines ping. If you
> comment out a line or two of the profile, ping will fail and apparmor will
> complain to dmesg.
>
> What needs to be done:
>  * Fix systemd unit. archlinux ships apparmor as wantedBy = ["basic.target"],
>    but it doesn't exist in NixOS
>  * Test and possibly fix profile loading/unloading on nixos-rebuild switch
>  * Check if any of abstractions that AppArmor ships need NixOS-specific
>    customization
>  * Create profiles for common SUID binaries, since they are often used in
>    privilege escalation attacks.
>  * Create profiles for common proprietary nasties like skype and steam,
>    because we can't trust them.
>  * Create a profile for Firefox with an option to have dedicated
>    upload/download dir. Bonus points for packaging a confined TorBrowser (a
>    fork of Firefox)
>  * Create profiles for network-facing services, especially web servers
>    since these often host webapps which tend to be full of holes.
>
> To enable AppArmor, add security.apparmor.enable = true to your config and
> use linux_3_2_apparmor kernel (or build another version in a similar way).
>
> Have fun!
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>



-- 
Patrick Wheeler
Patrick.John.Wheeler at gmail.com
Patrick.J.Wheeler at rice.edu
Patrick.Wheeler at colorado.edu
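As an added example (not part of either message above, and not NixOS's or AppArmor's own tooling): the quoted message says that once a line or two of the ping profile is commented out, ping fails and AppArmor "complains to dmesg". The script below reads those kernel audit lines, keeps only the apparmor="DENIED" events, and aggregates them per profile into the candidate rules the profile is missing (file access, capability, network), which is the manual loop one goes through when writing a new profile. The dmesg lines are constructed for the example, and the profile path /run/current-system/sw/bin/ping is an assumption about where a NixOS system exposes ping.

```python
"""Summarise AppArmor DENIED events from dmesg into candidate profile rules.

Added example for the nix-dev thread above; the sample log lines are
constructed, and the ping profile path is an assumption.
"""
import re
import sys
from collections import defaultdict

# Constructed dmesg excerpt (not captured from a real host). The three
# denials model a ping profile with its /etc/hosts, net_raw and raw-socket
# rules commented out; the STATUS line is what apparmor_parser logs on
# profile (re)load and must be ignored by the summary.
SAMPLE_DMESG = """\
[  512.003241] type=1400 audit(1368333712.001:31): apparmor="DENIED" operation="open" parent=2210 profile="/run/current-system/sw/bin/ping" name="/etc/hosts" pid=2231 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  512.003302] type=1400 audit(1368333712.002:32): apparmor="DENIED" operation="capable" parent=2210 profile="/run/current-system/sw/bin/ping" pid=2231 comm="ping" capability=13  capname="net_raw"
[  512.003377] type=1400 audit(1368333712.003:33): apparmor="DENIED" operation="create" parent=2210 profile="/run/current-system/sw/bin/ping" pid=2231 comm="ping" family="inet" sock_type="raw" protocol=1
[  512.101000] type=1400 audit(1368333712.100:34): apparmor="STATUS" operation="profile_replace" name="/run/current-system/sw/bin/ping" pid=2199 comm="apparmor_parser"
[  513.000000] type=1400 audit(1368333713.000:35): apparmor="DENIED" operation="open" parent=2210 profile="/run/current-system/sw/bin/ping" name="/etc/hosts" pid=2240 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword, as the kernel audit format emits them.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def suggest_rule(ev):
    """Map one DENIED event to the profile rule that would permit it."""
    if "name" in ev and "denied_mask" in ev:          # file access
        return f'{ev["name"]} {ev["denied_mask"]},'
    if ev.get("operation") == "capable" and "capname" in ev:
        return f'capability {ev["capname"]},'
    if "family" in ev and "sock_type" in ev:          # socket create/bind/...
        return f'network {ev["family"]} {ev["sock_type"]},'
    return None                                        # unknown event shape


def summarise(dmesg_text):
    """Return {profile: [(rule, count), ...]} for DENIED events only."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in dmesg_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("apparmor") != "DENIED" or "profile" not in ev:
            continue
        rule = suggest_rule(ev)
        if rule is not None:
            counts[ev["profile"]][rule] += 1
    return {profile: sorted(rules.items()) for profile, rules in counts.items()}


def render(summary):
    """Render the summary as profile-fragment text with hit counts."""
    out = []
    for profile, rules in sorted(summary.items()):
        out.append(f"# denials for profile {profile}")
        for rule, n in rules:
            out.append(f"  {rule:<32} # seen {n}x")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: dmesg | python3 this_script.py   (no stdin: use the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    print(render(summarise(text)))
```

The rules it prints are starting points to review, not something to paste into a profile unread: a denial only shows what the confined program tried, and the point of reviewing it is to decide whether that access belongs in the profile at all.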