#apparmor — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #apparmor, aggregated by home.social.
-
BTW, @BrodieOnLinux - I have to repeat my problems with #snap packages:
* single vendor repos, the vendor being canonical
* #AppArmor is painful - and "not invented here syndrome" in regards to SELinux (and is also a bit painful to configure)
* Desktop integration was an afterthought, as evident by how the modal boxes and UI for snaps look tacked on and out of place, because snaps was meant as an alternative to docker.
Flatpak won because of not doing all this.
-
[Translation] From capabilities to AppArmor: what actually stops an attacker in a container
A compromised container is the moment of truth for every security setting: the attacker is already inside, commands are being executed, and what matters next is understanding what will actually limit their actions. Using a single workload, this article examines how capabilities, seccomp and AppArmor close off different parts of an attack in Kubernetes, where each mechanism runs into its own limits, and why container protection only works as a stack of layers. Examine the defences
https://habr.com/ru/companies/otus/articles/1039572/
#безопасность_Kubernetes #безопасность_контейнеров #container_security #capabilities #seccomp #LSM #AppArmor #securityContext #защита_кластера
-
Why #AppArmor and sysctl hardening do a good job of breaking exploit chains:
Ubuntu note: AppArmor restricts unprivileged user namespaces by default. You must first run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
-
AppArmor 5.0 takes Linux security to a new level with more flexible policies 🔐 #Linux #Security #AppArmor #OpenSource
-
guix works fine…until I guix pull #packagemanagement #2404 #apparmor
-
These #apparmor profiles are checked when running 'apt update' on #Ubuntu and #LinuxMint, so the kernel log/dmesg would fill up just from the update manager running it periodically.
-
@Imperor flatpak uses bubblewrap for sandboxing, unless I am mistaken, then flatseal configures those bubblewrap permissions. So, you could start your programs with it too. Another way would be AppArmor. Or, if you want something to keep your base system clean (this does not bring any security advantages) you could use distrobox.
#linux #sandboxing #security #bubblewrap #apparmor #gnulinux #flatpak
-
I have developed mping-sender over the last few days. It is a simple program that sends a UDP packet to a (freely selectable) multicast address every second. It is therefore well suited for testing multicast. It is partially compatible with the mping client.
Furthermore, it is protected by landlock, seccomp, libcap-ng, AppArmor, and systemd.
Source code: https://codeberg.org/mark22k/mping-sender
#Networking #Programming #dn42 #Multicast #landlock #AppArmor #libseccomp #seccomp #systemd #libcapng
-
crazytrace, my network simulation program that generates a crazy topology behind a TAP device to test traceroute implementations, now has an apparmor profile.
Furthermore, I have now implemented capability dropping with libcap-ng, landlock sandboxing (via a blacklist), and seccomp sandboxing (via a blacklist).
https://codeberg.org/mark22k/crazytrace/src/commit/c5eb9eaf8b12266ecad3c3d1e0cd5388f351cc72/apparmor/usr.bin.crazytrace
https://codeberg.org/mark22k/crazytrace/src/commit/c5eb9eaf8b12266ecad3c3d1e0cd5388f351cc72/src/main.cpp
#crazytrace #traceroute #Networking #Programming #Security #apparmor #libcap #libcapng #landlock #seccomp
-
[Translation] How to protect Kubernetes at the Linux kernel level
How do you protect Kubernetes if an attacker tries to break out of a container onto the host? Rafael Natali proposes a layered approach: configuring the Security Context, dropping unnecessary privileges, running containers without root access, and hardening further with AppArmor and seccomp.
https://habr.com/ru/companies/flant/articles/952012/
#security_contexts #apparmor #seccomp #kubernetes #noroot_containers #linux_namespace #runAsUser #безопасность_kubernetes #linux
-
This Week in Security: Linux Flaws, Python Ownage, and a Botnet Shutdown
-
Kubernetes cluster security: bad advice or bullshit bingo
How do you wreck a cluster while acting with the best intentions? A collection of bad advice drawn from real cases and the experience of a container and Kubernetes security specialist. Together we will install antivirus on the nodes, scan the host OS, and block rollouts of images containing sensitive information. Hi Habr! My name is Dmitry Evdokimov. I am Founder & CTO of Luntry, a company building security solutions for containers and Kubernetes, a CFP member of the DevOpsConf and Highload conferences, author of the course "Cloud-Native security in Kubernetes" and of the Telegram channel k8s (in) security. This article is based on my talk at DevOpsConf 2024. Since I have worked in information security for more than 15 years and specialise specifically in container and cluster security, I will give a few pieces of "bad" advice on how to make a Kubernetes cluster "secure". Wreck the cluster
https://habr.com/ru/companies/oleg-bunin/articles/875114/
#кубернетес #контейнеры #оркестрация_микросервисов #окружение #shift_left_security #уязвимости #distroless #zerotrust #NetworkPolicy #apparmor
-
Anyone upgrading #TrueNAS from their 24.10 release candidate to the full release should be aware that it clobbers a lot of purportedly local override configuration files not accessible from the GUI. Basically, anything not configured by their "middleware" (i.e. their custom #WebUI) is likely to go bye-bye. The #ZFS file systems and pools should be fine, though; just have a backup in case you've had to tweak #AppArmor, #Chrony, /etc/default/*, or anything else that isn't available via the web UI.
-
Resolving an AppArmor conflict with ntpd
https://www.ochobitshacenunbyte.com/2023/09/19/solventar-conflicto-de-apparmor-con-ntpd/
-
snap on, snap off - https://randombytes.substack.com/p/snap-on-snap-off
(Patching around the breaking change.)
-
CrackArmor: AppArmor Linux flaws - patch Ubuntu and Debian now
https://goodtech.info/crackarmor-failles-apparmor-linux-ubuntu-debian-escalade-root-correctifs/
-
🛡️ MariaDB's new AppArmor profile is now enforcing in Debian unstable and heading to Ubuntu 26.04. I developed it against 7,000+ tests to minimize false positives; full story at https://optimizedbyotto.com/post/new-apparmor-profile-for-mariadb/
If you are a dba/sysadmin, check your logs and share feedback via the Debian bug tracker.
-
CrackArmor: Critical AppArmor Flaws Enable Local Privilege Escalation to Root
#AppArmor
https://blog.qualys.com/vulnerabilities-threat-research/2026/03/12/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root
-
#CrackArmor: nine vulnerabilities have been discovered in #AppArmor, going back to #Linux kernel 4.11 (2017), and could affect more than 12.6 million systems.
-
If you are using Ubuntu or Debian with AppArmor, please update your systems immediately: https://ubuntu.com/security/vulnerabilities/crackarmor
-
#Ubuntu's #AppArmor Hit By Several Security Issues - Can Yield Local Privilege Escalation
https://www.phoronix.com/news/Ubuntu-AppArmor-Security-Issues
-
A 7-year-old Linux flaw dubbed #CrackArmor exposes 12.6 million systems using AppArmor. Researchers found that it can enable root access, container escape, and security bypass. Patch immediately.
Read: https://hackread.com/crackarmor-vulnerability-apparmor-linux-systems/
-
CrackArmor: Multiple vulnerabilities in #AppArmor
"Bypassing Ubuntu's user-namespace restrictions
AppArmor + Sudo + Postfix = root
Kernel vulnerabilities"
https://seclists.org/oss-sec/2026/q1/303 #infosec #qualys
-
#CrackArmor: Multiple vulnerabilities in #AppArmor
Advisory: https://cdn2.qualys.com/advisory/2026/03/10/crack-armor.txt
These vulnerabilities allow a local attacker to bypass the security normally provided by AppArmor. Also, in some situations, it allows privilege escalation to root by selectively blocking specific syscalls.
-
So the AppArmor Guix issue 6501 finally resolved:
https://codeberg.org/guix/guix/issues/6501
Thanks to @efraim for merging https://codeberg.org/guix/guix/pulls/6935 !
-
What's that? #ubuntusnaps are badly designed for desktop usage? Who knew?
Scroll my feed whydontcha.
#Flatpak, #AppImage, take your pick. Much better integration and uses standard #SELinux - instead of having to suffer #Canonical and their #NotInventedHere syndrome with #AppArmor.
Microsoft's VS Code in Ubuntu's Snap Format Eats Up Disk Space Like Bloatware Even After Removal
https://itsfoss.com/news/vscode-snap-disk-space-issue/
-
#apparmor error in #debian after update:
AppArmor-Analysefehler für /etc/apparmor.d in profile /etc/apparmor.d/tunables/home in Zeile 15: syntax error, unexpected TOK_EQUALS, expecting TOK_MODE
It seems, that I am not the only one:
https://forums.debian.net/viewtopic.php?t=165501
Any tips?
-
#apparmor output on my system and according to my search as seen on a lot of #ubuntu based systems:
apparmor="STATUS" operation="profile_load" profile="unconfined" name=4D6F6E676F444220436F6D70617373
So where does this entry "4D..." reside ?
All the other entries in the output of dmesg have an equivalent in /etc/apparmor.d
And no, there is no such profile with that name on my machine.
-
Piping rsyslog messages to Slack and Pushover
I finally built the thing I had been meaning to build: set up the conditions directly in rsyslog, then pipe the messages to Slack and Pushover. rsyslog has quite a few fiddly details to deal with. At first I found omhttp and wanted to post straight to an HTTPS endpoint through it, but it turned out omhttp is not, and is not planned to be, included in the standard packages (because it is not developed by the official project), even though the documentation mentions it... The 2018 issue "rsyslogd: could not load module 'omhttp' #3302" already raised this problem: Sadly, the omhttp module is currently not part of the def…
#api #apparmor #curl #omhttp #omprog #pushover #rsyslog #rsyslogd #script #shell #slack #syslog #webhook
-
🚀 Oh, the thrilling saga of playing Russian nesting dolls with #containers on Proxmox! 🤯 Watch as our hero battles #AppArmor and cryptic errors, only to discover the ancient scrolls of #GitHub held the mystical solution all along. 🎉 Apparently, the answer was just a version upgrade – who would've thought? 🙄
https://blog.vasi.li/adventures-in-upgrading-proxmox/ #Proxmox #VersionUpgrade #TechSaga #HackerNews #ngated
-
Just finished some testing on #VoidLinux and I'm pretty impressed. It feels like using #ArchLinux, still it's different. The documentation is really good and I've successfully tested everything I needed, like #printerdriver, #apparmor and #nvidia drivers. #XBPS is really fast and intuitive. This might really well be my next distro.
-