author intrigeri <intrigeri@boum.org> 2015-04-29 11:41:29 +0000
committer intrigeri <intrigeri@boum.org> 2015-04-29 11:42:11 +0000
commit 6d2a9a4ca9c807fb8c20d26f6ed42e2ecbbe23cd (patch)
tree c85d9690371589b61057a23f2bd888a3989c744c /wiki/src/blueprint/audit_AppArmor_profiles.mdwn
parent f3413c4dce5fb8a0ed827441d9759ba75fb5fe42 (diff)
More AppArmor policy auditing.
Diffstat (limited to 'wiki/src/blueprint/audit_AppArmor_profiles.mdwn')
-rw-r--r-- wiki/src/blueprint/audit_AppArmor_profiles.mdwn 5
1 files changed, 5 insertions, 0 deletions
diff --git a/wiki/src/blueprint/audit_AppArmor_profiles.mdwn b/wiki/src/blueprint/audit_AppArmor_profiles.mdwn
index 6d585bc..ff9dcec 100644
--- a/wiki/src/blueprint/audit_AppArmor_profiles.mdwn
+++ b/wiki/src/blueprint/audit_AppArmor_profiles.mdwn
@@ -8,9 +8,14 @@ Things to check
* the kludges needed to make them work with aufs
* access to files via alternate paths specific to Debian Live systems,
e.g.
+ - check `private-files` and `private-files-strict` abstractions, in
+ particular wrt. whatever can be accessed via the following paths
- `/live/persistence/TailsData_unlocked/`
- `/lib/live/mount/rootfs/`
- `/lib/live/mount/overlay/`
+ * `apparmor-adjust-home-tunable.diff` adds
+ `/lib/live/mount/overlay/home/` to `HOMEDIRS`, so at least
+ `$HOME` is OK
* access to webcam
* access to microphone (can we easily block that while still allowing
sound output?)
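Review bot: The new sub-item under `/lib/live/mount/overlay/` settles only `$HOME` (through `/lib/live/mount/overlay/home/` being added to `HOMEDIRS`), so the status of everything else the added `private-files` / `private-files-strict` item asks about stays implicit: the rest of the overlay outside `home/`, plus `/live/persistence/TailsData_unlocked/` and `/lib/live/mount/rootfs/`. Since "at least" already signals a partial result, I would spell out what is still open, for example with a matching sub-item under each of the other two paths, and replace "is OK" with what was actually verified, so a later auditor can tell a checked path from an unchecked one. The new item also says "the following paths" while sitting in the same list as those paths; a short lead-in sentence before the list, or nesting the three paths under the new item, would make the scope unambiguous.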