[Whonix-devel] AppArmor: Interpreter Access Restrictions

bancfc bancfc at openmailbox.org
Sun Jun 21 21:29:09 CEST 2015


Hi Micah,

At Whonix we are trying to fine-tune our AppArmor profiles, and I saw an
interesting concept in your profile for torbrowser-launcher: the access
restriction of the script/process to the interpreter running it:

>   # This script doesn't really need to read the interpreter that's
>   # running it.
>   deny /usr/bin/python{2,3}.[0-7]* r,


Can/Should writes to /usr/bin/python be denied too, to further harden the
profile?

I was under the impression that unless permitted, any path access is
implicitly denied by default in AppArmor, so I'm not sure if it's already
covered.

By replying to this mail, your answer will be posted on the whonix-devel
public mailing list, so all of our coders can benefit from your
answer.
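
The two questions in the mail above (whether an explicit deny on a write is needed, and whether an unlisted path is already denied), illustrated with an added hypothetical profile fragment. This is editorial example code, not the torbrowser-launcher profile and not Whonix's own; it assumes a script at /usr/local/bin/example-script and assumes that abstractions/python grants read on the interpreter binary, which is the situation in which an explicit deny does real work.

```apparmor
# Added illustration: hypothetical profile for a Python script. Not the
# torbrowser-launcher profile; paths and the script name are assumptions.
#include <tunables/global>

/usr/local/bin/example-script {
  #include <abstractions/base>
  # Assumed to grant read (and mmap) on /usr/bin/python* and the stdlib;
  # this is why a plain "unlisted path" argument does not apply to 'r' here.
  #include <abstractions/python>

  # The script itself must be readable by the interpreter.
  /usr/local/bin/example-script r,

  # Execute the interpreter under this same profile (ix). Exec permission
  # is separate from read permission in AppArmor.
  /usr/bin/python{2,3}.[0-7]* ix,

  # Explicit deny: deny rules take precedence over allow rules, so this
  # masks the read granted by the abstraction above. It also suppresses
  # the audit log entry that an ordinary denied access would produce.
  deny /usr/bin/python{2,3}.[0-7]* r,

  # Writes: no rule in this profile or in the included abstractions grants
  # 'w' on /usr/bin/python*, so writes are already refused by default
  # deny. An explicit deny changes only the logging, not the decision:
  #   deny /usr/bin/python{2,3}.[0-7]* w,    # optional, silences the log
  # Use "audit deny ... w," instead if you want the attempt logged.
}
```

To check which rule is actually in effect on a running system, load the profile with aa-enforce, trigger the access, and look for apparmor="DENIED" lines in /var/log/audit/audit.log or syslog: a plain deny rule produces no line, an implicitly denied (unlisted) access does, and aa-logprof will offer to add a rule for the latter but not for the former. If abstractions/python does not grant read on the interpreter on a given AppArmor version, the deny r line is likewise only a logging choice, exactly like the write case.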
