[apparmor] FatRat profile
Seth Arnold
seth.arnold at canonical.com
Tue Mar 19 21:27:01 UTC 2013
On Tue, Mar 19, 2013 at 11:37:46PM +0400, "Артём Н." wrote:
> >> Also I've added @{TORRENT_CLIENT} in tunables/global and I've granted
> >> permission to execute it in the browser's rules.
> >>
> >> tunables/global:
> >> @{TORRENT_CLIENT}=/usr/bin/fatrat
> > This is going to lead to trouble. What we have now is admittedly
> > complex, but it is designed to avoid the user editing tunables/global
> > directly -- once the user modifies the file, they'll be prompted about it
> > on upgrades forever.
> > That's why the current approach includes the other files, which users
> > are encouraged to modify -- it'll be easier for them to accept/deny
> > changes on upgrades in the future, or preseed settings at installation
> > time.
> Yes, I understand that including <abstractions/ubuntu-bittorrent-clients> is
> more flexible than setting a variable.
> But I think this is really complex and gives more rights than a program needs.
> Am I wrong?
Well, there were multiple points I was (trying) to make:
- Your new variable should be in a new file:

  tunables/bittorrent-client:
      @{TORRENT_CLIENT}=/usr/bin/fatrat

  and then tunables/global should #include <tunables/bittorrent-client>

  This protects tunables/global against needless manipulation.

- Currently, some clients are given fairly broad privileges; as they are
  confined over time, we'll probably want to add their names to this
  variable and remove them from the ubuntu-bittorrent-clients.
> >> abstractions/ubuntu-browsers.d/other (file, included in browser's profiles):
> >> @{TORRENT_CLIENT} rPx,
> > This doesn't really play nicely with the existing
> > ubuntu-bittorrent-clients portion of policy, which gives torrent clients
> > the sanitized_helper near-unconfined-status. (Not that near-unconfined
> > torrent clients are a good idea; just a pragmatic idea. :)
> But I haven't found fatrat in ubuntu-bittorrent-clients and I didn't like
> sanitized_helper. :-)
> Why does torrent client need to run programs in /sbin or /usr/bin?
> Why is it not a good idea to make a helper with more restrictions?
Because the half-dozen or so that are confined this way are better than
completely unconfined, and no one has taken the time to confine them any
better, as you have. :)
I hope this explains my intentions a little better. :)
Thanks!
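
Added example, not part of the original message and not AppArmor project code: a small check for the layout discussed above, which follows #include lines from tunables/global and reports any variable assigned in that file itself rather than in an included file such as tunables/bittorrent-client. The function names and both sample trees are constructed for illustration, and it assumes the packaged tunables/global carries only include lines.

```python
import re
import tempfile
from pathlib import Path

INCLUDE = re.compile(r'^\s*#?include\s+<([^>]+)>')
ASSIGN = re.compile(r'^\s*(@\{\w+\})\s*\+?=\s*(.+?)\s*$')

def collect_tunables(base, rel, seen=None, out=None):
    """Follow include lines from `rel`; map each variable to (file, values) pairs."""
    seen = set() if seen is None else seen
    out = {} if out is None else out
    if rel in seen:              # guard against include loops
        return out
    seen.add(rel)
    for line in (Path(base) / rel).read_text().splitlines():
        inc = INCLUDE.match(line)
        if inc:                  # test first: '#include' also starts with '#'
            collect_tunables(base, inc.group(1), seen, out)
        elif not line.lstrip().startswith('#'):
            m = ASSIGN.match(line)
            if m:
                out.setdefault(m.group(1), []).append((rel, m.group(2).split()))
    return out

def set_in_top_file(files, top="tunables/global"):
    """Write a constructed tree to a temp dir; list variables assigned in `top` itself."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in files.items():
            path = Path(root) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        found = collect_tunables(root, top)
    flagged = sorted(n for n, defs in found.items() if any(f == top for f, _ in defs))
    return flagged, found

# Constructed sample trees, not real system files.
HOME = {"tunables/home": "@{HOMEDIRS}=/home/\n"}
EDITED_GLOBAL = {**HOME, "tunables/global":
    "#include <tunables/home>\n@{TORRENT_CLIENT}=/usr/bin/fatrat\n"}
SEPARATE_FILE = {**HOME,
    "tunables/global": "#include <tunables/home>\n#include <tunables/bittorrent-client>\n",
    "tunables/bittorrent-client": "@{TORRENT_CLIENT}=/usr/bin/fatrat\n"}

if __name__ == "__main__":
    for name, tree in (("edited global", EDITED_GLOBAL), ("separate file", SEPARATE_FILE)):
        flagged, found = set_in_top_file(tree)
        print(name, "-> set directly in tunables/global:", flagged or "none")
        print("   @{TORRENT_CLIENT} defined in:", found["@{TORRENT_CLIENT}"])
```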