#apparmor


Do you know that a single binary profile can contain two distinct profiles? In this example we can see that a single profile called "name" has a so-called hat profile called "name//hat" that is in the same binary file, ready to be loaded into the Linux kernel.

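Forwarding rsyslog messages to Slack and Pushover

I finally built the thing I had been meaning to set up: conditions configured directly in rsyslog, with the matching messages forwarded to Slack and Pushover. rsyslog has quite a few quirks to deal with. I originally came across omhttp and wanted to post straight to the HTTPS endpoint through omhttp, but found that omhttp is not, and is not planned to be, included in the standard packages (because it is not developed by the official project), yet the documentation has... This problem was already raised back in 2018 in "rsyslogd: could not load module 'omhttp' #3302": Sadly, the omhttp module is currently not part of the def…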

blog.gslin.org/archives/2025/0

#api #apparmor #curl

After I've upgraded from to Ubuntu 24.04 LTS, I encountered the error: "The SUID sandbox helper binary was found, but is not configured correctly"

I don't know how to fix it; that happens every upgrade, the #Ubuntu #AppArmor sucks!
And some AppImages don't work; I have to use the option "--no-sandbox", and there are other problems related to that, as usual. #linux 🫠

One of my favorite apparmor trivia bits is that Linux offers two ways of setting thread names: one is writing to /proc/<pid>/task/<tid>/comm and the other one is a prctl().
The prctl should be preferred for a multitude of reasons, but one of them is that this doesn't require DAC or MAC permissions on /proc!
(And yet libc being libc uses the first variant for pthread_setname_np() 😩)

Kubernetes cluster security: bad advice, or bullshit bingo

How do you wreck a cluster while acting with the best intentions? A selection of bad advice from real cases and from the experience of a container and Kubernetes security specialist. Together we will install antivirus on the nodes, scan the host OS, and block rollouts of images containing sensitive information. Hi, Habr! My name is Dmitry Evdokimov. I am Founder & CTO of Luntry, a company that builds security solutions for containers and Kubernetes, CFP for the DevOpsConf and Highload conferences, author of the course "Cloud-Native Security in Kubernetes" and of the Telegram channel k8s (in) security. This article is based on my talk for DevOpsConf 2024. Since I have worked in information security for more than 15 years and specialize in the security of containers and clusters, I will give a few "bad" tips on how to make a Kubernetes cluster "secure". Wrecking a cluster

habr.com/ru/companies/oleg-bun


@kde@floss.social @kde@lemmy.kde.social

Thx for the info, then it is like that.

Here is the goal proposal

phabricator.kde.org/T17370

Tbh, #bubblewrap would need to be fixed drastically to be as secure as the #Android #sandbox. And (I am not sure yet) I think even #Snaps are more secure (on #Ubuntu with #Apparmor patches) than #Flatpak with the current system.

As far as I understood, sandboxing needs to happen in #userspace, with tools like #fuse doing the work while being restricted by #MAC like #SELinux or Apparmor.

phabricator.kde.org · T17370 Sandbox all the things!

I found an incompatibility between #SWIG 4.3 and #apparmor that I don't fully understand. A tuple created with %append_output contains an extra argument. This is noted in the SWIG 4.3.0 changelog but I don't know how to fix this while the typemaps are shared between python, perl and ruby.

I described the issue in the apparmor issue tracker, along with my analysis of 4.2 vs 4.3 wrapper at gitlab.com/apparmor/apparmor/-

Do you know someone who knows swig and can shed some light on a possible solution?

GitLab · aa_getcon has invalid typemap for SWIG 4.3.0 (#475) · Issues · AppArmor / apparmor · Running make check in libraries/libapparmor on openSUSE Tumbleweed fails as follows: