authorintrigeri <intrigeri@boum.org>2015-07-19 12:20:33 +0000
committerintrigeri <intrigeri@boum.org>2015-07-19 13:27:46 +0000
commit88d070be3882347cb35e324d2c36eb86ef688bb3 (patch)
tree0e4655e0de90bc443903b2392ea3beec6572a400
parent34ee46f7512f8ecb09fe1557e76dc1f92ca96de0 (diff)
WIP: Set to enforce mode a few AppArmor profiles that are shipped in complain mode in Debian.feature/9764-enforce-more-apparmor-profiles
To this end, install apparmor-utils, which ships aa-enforce. XXX: doesn't work.
-rwxr-xr-xconfig/chroot_local-includes/lib/live/config/1200-enforce-AppArmor-profiles17
-rw-r--r--config/chroot_local-packageslists/tails-common.list1
2 files changed, 18 insertions, 0 deletions
diff --git a/config/chroot_local-includes/lib/live/config/1200-enforce-AppArmor-profiles b/config/chroot_local-includes/lib/live/config/1200-enforce-AppArmor-profiles
new file mode 100755
index 0000000..7b7b2f3
--- /dev/null
+++ b/config/chroot_local-includes/lib/live/config/1200-enforce-AppArmor-profiles
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+echo "- enforcing AppArmor profiles"
+
+# These profiles are shipped in complain mode in Debian,
+# but we want to enforce them.
+
+(
+ cd /etc/apparmor.d
+ /usr/sbin/aa-enforce \
+ bin.ping \
+ usr.sbin.avahi-daemon \
+ usr.sbin.traceroute
+)
+
+# Creating state file
+touch /var/lib/live/config/enforce-AppArmor-profiles
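Review bot: The state file is touched unconditionally on the last line, so a failed `cd /etc/apparmor.d` or a non-zero exit from `/usr/sbin/aa-enforce` still leaves the hook looking complete while bin.ping, usr.sbin.avahi-daemon and usr.sbin.traceroute stay in complain mode. For a confinement step this fails open without any signal. Inside the subshell I would write `cd /etc/apparmor.d || exit 1` (the exit only leaves the subshell), and close it with `) && touch /var/lib/live/config/enforce-AppArmor-profiles` so the marker is written only when enforcement succeeded. An `echo "aa-enforce failed" >&2` on the failure path would also help explain the "doesn't work" noted in the commit message. How the state file is consumed is not visible in this hunk, so confirm the hook is meant to be retried when the marker is absent.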
diff --git a/config/chroot_local-packageslists/tails-common.list b/config/chroot_local-packageslists/tails-common.list
index 790e848..cadf237 100644
--- a/config/chroot_local-packageslists/tails-common.list
+++ b/config/chroot_local-packageslists/tails-common.list
@@ -68,6 +68,7 @@ aircrack-ng
apparmor
apparmor-profiles
apparmor-profiles-extra
+apparmor-utils
audacity
barry-util
bilibop-udev