home.social

#apparmor — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #apparmor, aggregated by home.social.

  1. BTW, @BrodieOnLinux - I have to repeat my problems with #snap packages:

    * single vendor repos, the vendor being Canonical
    * #AppArmor is painful - and "not invented here" syndrome with regard to SELinux (and it is also a bit painful to configure)
    * Desktop integration was an afterthought, as is evident from how the modal boxes and UI for snaps look tacked on and out of place, because snap was meant as an alternative to Docker

    Flatpak won because of not doing all this.

  2. [Translation] From capabilities to AppArmor: what really stops an attacker inside a container

    A compromised container is the moment of truth for every security setting: the attacker is already inside, commands are executing, and what matters next is understanding what will actually limit their actions. Using a single workload, this article walks through how capabilities, seccomp and AppArmor each close a different part of the attack in Kubernetes, where each mechanism runs into its own limits, and why container protection only works as a set of layers. Dissect the defenses

    habr.com/ru/companies/otus/art

    #безопасность_Kubernetes #безопасность_контейнеров #container_security #capabilities #seccomp #LSM #AppArmor #securityContext #защита_кластера

  3. Firefox crashes after replacing snap with APT build on Ubuntu 26.04 LTS - Sandbox: CanCreateUserNamespace() EPERM, Wayland bind error, AppArmor denial #firefox #wayland #apparmor #2604

    askubuntu.com/q/1566816/612

  4. @zhenech

    Why #AppArmor and sysctl hardening do a good job of breaking exploit chains:

    Ubuntu note: AppArmor restricts unprivileged user namespaces by default. You must first run:
    
    sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
    
  5. These #apparmor profiles are checked when running 'apt update' on #Ubuntu and #LinuxMint, so the kernel log/dmesg would fill up just from the update manager running it periodically.

  6. @Imperor Flatpak uses bubblewrap for sandboxing, unless I am mistaken; Flatseal then configures those bubblewrap permissions. So, you could start your programs with it too. Another way would be AppArmor. Or, if you want something to keep your base system clean (this does not bring any security advantages), you could use distrobox.

    #linux #sandboxing #security #bubblewrap #apparmor #gnulinux #flatpak

  7. I have developed mping-sender over the last few days. It is a simple program that sends a UDP packet to a (freely selectable) multicast address every second. It is therefore well suited for testing multicast. It is partially compatible with the mping client.

    Furthermore, it is protected by landlock, seccomp, libcap-ng, AppArmor, and systemd.

    Source code: codeberg.org/mark22k/mping-sen

    #Networking #Programming #dn42 #Multicast #landlock #AppArmor #libseccomp #seccomp #systemd #libcapng

  8. crazytrace, my network simulation program that generates a crazy topology behind a TAP device to test traceroute implementations, now has an apparmor profile.

    Furthermore, I have now implemented capability dropping with libcap-ng, landlock sandboxing (via a blacklist), and seccomp sandboxing (via a blacklist).

    codeberg.org/mark22k/crazytrac
    codeberg.org/mark22k/crazytrac

    #crazytrace #traceroute #Networking #Programming #Security #apparmor #libcap #libcapng #landlock #seccomp

  9. [Translation] How to protect Kubernetes at the Linux kernel level

    How do you protect Kubernetes when an attacker tries to break out of a container onto the host? Raphael Natali proposes a layered approach: configuring the Security Context, giving up unneeded privileges, running containers without root access, and hardening further with AppArmor and seccomp.

    habr.com/ru/companies/flant/ar

    #security_contexts #apparmor #seccomp #kubernetes #noroot_containers #linux_namespace #runAsUser #безопасность_kubernetes #linux
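    Both translated articles above (items 2 and 9) make the same point: Security Context, non-root, dropped capabilities, seccomp and AppArmor each stop a different step of a container breakout, and only the whole stack holds. As an added example, not code from either article, the Python below audits a Pod manifest for every one of those layers and reports which are missing. It assumes the Kubernetes Pod API field names (the securityContext.appArmorProfile field available since Kubernetes 1.30, and the older container.apparmor.security.beta.kubernetes.io/<container> annotation); the two manifests are constructed for the example.

```python
# Added example, not from either article: audit a Pod manifest for the
# hardening layers (identity, capabilities, seccomp, AppArmor). Field names
# follow the Kubernetes Pod API; the manifests below are constructed.

DANGEROUS_CAPS = ("SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "SYS_MODULE")


def apparmor_type(pod, container):
    """Resolve the effective AppArmor profile type for one container."""
    name = container["name"]
    sc = container.get("securityContext") or {}
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    profile = sc.get("appArmorProfile") or pod_sc.get("appArmorProfile")
    if profile:
        return profile.get("type")
    # Pre-1.30 clusters carry the same information in an annotation.
    annotations = pod.get("metadata", {}).get("annotations") or {}
    legacy = annotations.get(f"container.apparmor.security.beta.kubernetes.io/{name}")
    if legacy is None:
        return None
    if legacy == "runtime/default":
        return "RuntimeDefault"
    if legacy.startswith("localhost/"):
        return "Localhost"
    return "Unconfined"


def container_findings(pod, container):
    """List the hardening layers a container is missing."""
    name = container["name"]
    sc = container.get("securityContext") or {}
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    findings = []

    # Layer 1: identity and privilege. privileged:true or root make the
    # remaining layers irrelevant, so they are flagged first.
    if sc.get("privileged"):
        findings.append(f"{name}: privileged is true")
    if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
        findings.append(f"{name}: runAsNonRoot is not set")
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: allowPrivilegeEscalation should be false")

    # Layer 2: capabilities. Drop ALL, then add back only what is needed.
    caps = sc.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        findings.append(f"{name}: capabilities.drop does not include ALL")
    for cap in caps.get("add") or []:
        if cap in DANGEROUS_CAPS:
            findings.append(f"{name}: adds {cap}")

    # Layer 3: seccomp. RuntimeDefault is the minimum; Localhost for a custom filter.
    seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append(f"{name}: no seccomp profile")

    # Layer 4: AppArmor. Confines file, network and capability use per profile.
    if apparmor_type(pod, container) not in ("RuntimeDefault", "Localhost"):
        findings.append(f"{name}: no AppArmor profile")
    return findings


def audit_pod(pod):
    """All findings for a Pod: host namespaces first, then each container."""
    spec = pod.get("spec", {})
    findings = [f"pod: {f} is true" for f in ("hostPID", "hostNetwork", "hostIPC") if spec.get(f)]
    for container in spec.get("containers") or []:
        findings.extend(container_findings(pod, container))
    return findings


# Constructed manifests: a typical unhardened deployment and a hardened one.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "app", "image": "example/app:1.0",
                        "securityContext": {"privileged": True}}],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True, "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "web", "image": "example/web:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                "appArmorProfile": {"type": "Localhost", "localhostProfile": "k8s-web"},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["ok"])
```

    To run it against a real manifest, load the YAML with yaml.safe_load into the same dict shape. The checks are roughly the "restricted" Pod Security Standard plus an AppArmor requirement, and the ordering is deliberate: privileged:true or hostPID:true makes every later layer moot, so those findings come first.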

  10. Late night debugging session on , and .

  11. Kubernetes cluster security: bad advice, or bullshit bingo

    How do you ruin a cluster while acting for the greater good? A collection of bad advice drawn from real cases and from the experience of a container and Kubernetes security specialist. Together we will install antivirus on the nodes, scan the host OS, and block rollouts of images containing sensitive information. Hi Habr! My name is Dmitry Evdokimov. I am Founder & CTO of Luntry, a company building security solutions for containers and Kubernetes, a programme committee member of the DevOpsConf and Highload conferences, author of the course "Cloud-Native Security in Kubernetes" and of the Telegram channel k8s (in) security. This article is based on my talk at DevOpsConf 2024. Since I have worked in information security for more than 15 years and specialise in container and cluster security in particular, I will give a few pieces of "bad" advice on how to make a Kubernetes cluster "secure". Ruin the cluster

    habr.com/ru/companies/oleg-bun

    #кубернетес #контейнеры #оркестрация_микросервисов #окружение #shift_left_security #уязвимости #distroless #zerotrust #NetworkPolicy #apparmor

  12. #apparmor local root: who's going to watch the watchers episode 202603! #ubuntu people should bump their #kernel and consider switching to unprivileged alternatives such as #sydbox ;): openwall.com/lists/oss-securit #linux #security

  13. Anyone upgrading #TrueNAS from their 24.10 release candidate to the full release should be aware that it clobbers a lot of purportedly local override configuration files not accessible from the GUI. Basically, anything not configured by their "middleware" (i.e. their custom #WebUI) is likely to go bye-bye. The #ZFS file systems and pools should be fine, though; just have a backup in case you've had to tweak #AppArmor, #Chrony, /etc/default/*, or anything else that isn't available via the web UI.

  14. 🛡️ MariaDB's new AppArmor profile is now enforcing in Debian unstable and heading to Ubuntu 26.04. I developed it against 7,000+ tests to minimize false positives, full story at optimizedbyotto.com/post/new-a

    If you are a dba/sysadmin, check your logs and share feedback via the Debian bug tracker.

    #AppArmor #MariaDB #opensource

  15. A 7-year-old Linux flaw dubbed #CrackArmor exposes 12.6 million systems using AppArmor. Researchers found that it can enable root access, container escape, and security bypass. Patch immediately.

    Read: hackread.com/crackarmor-vulner

    #Linux #CyberSecurity #AppArmor #Vulnerability

  16. CrackArmor: Multiple vulnerabilities in #AppArmor "Bypassing Ubuntu's user-namespace restrictions
    AppArmor + Sudo + Postfix = root
    Kernel vulnerabilities". seclists.org/oss-sec/2026/q1/3 #infosec #qualys

  17. #CrackArmor: Multiple vulnerabilities in #AppArmor

    Blogpost: blog.qualys.com/vulnerabilitie

    Advisory: cdn2.qualys.com/advisory/2026/

    These vulnerabilities allow a local attacker to bypass the security normally provided by AppArmor. Also, in some situations, it allows privilege escalation to root by selectively blocking specific syscalls.

    #infosec #cybersecurity #qualys

  18. What's that? #ubuntusnaps are badly designed for desktop usage? Who knew?

    Scroll my feed whydontcha.

    #Flatpak, #AppImage, take your pick. Much better integration and uses standard #SELinux - instead of having to suffer #Canonical and their #NotInventedHere syndrome with #AppArmor.

    Microsoft's VS Code in Ubuntu's Snap Format Eats Up Disk Space Like Bloatware Even After Removal
    itsfoss.com/news/vscode-snap-d

  19. #apparmor error in #debian after update:

    AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/tunables/home at line 15: syntax error, unexpected TOK_EQUALS, expecting TOK_MODE

    It seems that I am not the only one:

    forums.debian.net/viewtopic.ph

    Any tips?

  20. #apparmor output on my system and, according to my search, as seen on a lot of #ubuntu based systems:

    apparmor="STATUS" operation="profile_load" profile="unconfined" name=4D6F6E676F444220436F6D70617373

    So where does this entry "4D..." reside?
    All the other entries in the output of dmesg have an equivalent in /etc/apparmor.d
    And no, there is no such profile with that name on my machine.
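    The unquoted value in the post above is a normal profile name after all: when a logged string contains a space, a quote or a non-printable character, the kernel audit subsystem writes it unquoted as uppercase hex, and 4D6F6E676F444220436F6D70617373 decodes to "MongoDB Compass". The same parsing answers the questions in items 5 and 14 about reading the profile_load STATUS records and the DENIED lines out of dmesg. As an added example, not from any of the posts, the Python below parses AppArmor audit records, hex-decodes such fields, counts profile loads and groups denials by profile, operation and object. The sample lines are constructed for the example (the denials are modelled on the userns_create and file-open record formats and are not real log output); aa_summary.py is an assumed filename.

```python
import re
import sys
from collections import Counter

# Constructed sample kernel-log lines in AppArmor's audit format (not taken
# from any of the posts). The first line carries the unquoted, hex-encoded
# name from the question above; the rest are made up to show a second
# profile load, a user-namespace denial and a repeated file denial.
SAMPLE_LOG = """\
[  120.123456] audit: type=1400 audit(1700000000.123:45): apparmor="STATUS" operation="profile_load" profile="unconfined" name=4D6F6E676F444220436F6D70617373 pid=1234 comm="apparmor_parser"
[  120.123457] audit: type=1400 audit(1700000000.124:46): apparmor="STATUS" operation="profile_load" profile="unconfined" name="firefox" pid=1234 comm="apparmor_parser"
[  130.000001] audit: type=1400 audit(1700000010.000:47): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted" error=-13 profile="unconfined" pid=2345 comm="firefox" requested="userns_create" denied="userns_create" target="unprivileged_userns"
[  131.000001] audit: type=1400 audit(1700000011.000:48): apparmor="DENIED" operation="open" class="file" profile="mariadbd" name="/etc/shadow" pid=3456 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
[  131.000002] audit: type=1400 audit(1700000011.001:49): apparmor="DENIED" operation="open" class="file" profile="mariadbd" name="/etc/shadow" pid=3456 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
"""

# key=value pairs; a value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Fields the kernel logs as strings. When such a value contains a space, a
# quote or a control character, the audit subsystem emits it unquoted as
# uppercase hex (the audit "untrusted string" encoding) instead.
STRING_FIELDS = {"name", "profile", "comm", "target", "info", "requested", "denied"}
HEX_RE = re.compile(r"[0-9A-F]+")


def decode_value(key, raw):
    """Strip quotes, or hex-decode an unquoted string field."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if key in STRING_FIELDS and len(raw) % 2 == 0 and HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_line(line):
    """Return the AppArmor record as a dict, or None for unrelated lines."""
    if 'apparmor="' not in line:
        return None
    return {k: decode_value(k, v) for k, v in FIELD_RE.findall(line)}


def summarize(log_text):
    """Count profile loads and group denials by (profile, operation, object)."""
    loads = 0
    denials = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.get("apparmor") == "STATUS" and rec.get("operation") == "profile_load":
            loads += 1
        elif rec.get("apparmor") == "DENIED":
            # File denials carry name=; namespace/signal/ptrace denials carry target=.
            obj = rec.get("name") or rec.get("target") or ""
            denials[(rec.get("profile"), rec.get("operation"), obj)] += 1
    return {"profile_loads": loads, "denials": denials}


if __name__ == "__main__":
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    report = summarize(text)
    print(f"profile loads: {report['profile_loads']}")
    for (profile, op, obj), n in report["denials"].most_common():
        print(f"{n:4d}  profile={profile} op={op} object={obj}")
```

    Run it on live data with `sudo dmesg | python3 aa_summary.py` or `journalctl -k -o cat | python3 aa_summary.py`; the parser keys off the apparmor="..." field, so the dmesg timestamp prefix and journalctl's different prefix both work. The repeated (profile, operation, object) grouping is what makes a busy log readable: one line of `mariadbd open /etc/shadow` with a count tells a DBA whether a new profile is producing a real false positive or a single stray access.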

  21. Piping rsyslog messages into Slack and Pushover

    I finally built the thing I had been meaning to: set the conditions directly in rsyslog, then forward to Slack and Pushover. rsyslog has quite a few fiddly details to handle. I first found omhttp and wanted to post straight to an HTTPS endpoint through omhttp, but discovered that omhttp is not, and is not planned to be, included in the standard packages (because it is not developed by the official team), even though the documentation mentions it... The 2018 issue "rsyslogd: could not load module 'omhttp' #3302" already raised this problem: Sadly, the omhttp module is currently not part of the def…

    blog.gslin.org/archives/2025/0

    #api #apparmor #curl #omhttp #omprog #pushover #rsyslog #rsyslogd #script #shell #slack #syslog #webhook

  22. 🚀 Oh, the thrilling saga of playing Russian nesting dolls with #containers on Proxmox! 🤯 Watch as our hero battles #AppArmor and cryptic errors, only to discover the ancient scrolls of #GitHub held the mystical solution all along. 🎉 Apparently, the answer was just a version upgrade – who would've thought? 🙄
    blog.vasi.li/adventures-in-upg #Proxmox #VersionUpgrade #TechSaga #HackerNews #ngated

  26. Just finished some testing on #VoidLinux and I'm pretty impressed. It feels like using #ArchLinux, yet it's different. The documentation is really good and I've successfully tested everything I needed, like #printerdriver, #apparmor and #nvidia drivers. #XBPS is really fast and intuitive. This might very well be my next distro.

    #linux #unix #void #arch
