|
|
[[!tag archived]]
|
|
|
|
|
|
Corresponding ticket: [[!tails_ticket 9533]]
|
|
|
|
|
|
[[!toc levels=2]]
|
|
|
Corresponding ticket: tails/tails#9533
|
|
|
|
|
|
This is a follow-up on [[blueprint/audit_AppArmor_profiles]], that
|
|
|
|
|
|
[[_TOC_]]
|
|
|
|
|
|
|
|
|
This is a follow-up on [audit AppArmor profiles](audit_AppArmor_profiles), that
|
|
|
tracks improvements we would like to make.
|
|
|
|
|
|
See also the [[contribute/design/application_isolation]] design
|
|
|
See also the [application isolation](https://tails.boum.org/contribute/design/application_isolation) design
|
|
|
documentation, that lists ideas that are at the concept stage.
|
|
|
|
|
|
Things to keep in mind
|
... | ... | @@ -28,7 +30,7 @@ Short-term |
|
|
Wide-open access to `$HOME` except blacklist
|
|
|
--------------------------------------------
|
|
|
|
|
|
Everything was checked in [[blueprint/audit_AppArmor_profiles]],
|
|
|
Everything was checked in [audit AppArmor profiles](audit_AppArmor_profiles),
|
|
|
potential issues and remaining todo items follow.
|
|
|
|
|
|
### whitelist approach
|
... | ... | @@ -167,3 +169,4 @@ jvoisin's profile hardening |
|
|
previewer being able to start Claws Mail? What is it useful for?
|
|
|
* disallow networking access: the Debian kernel doesn't support
|
|
|
such rules anyway, so that would be a no-op
|
|
|
|