#apparmor — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #apparmor, aggregated by home.social.
-
BTW, @BrodieOnLinux - I have to repeat my problems with #snap packages:
* single vendor repos, the vendor being Canonical
* #AppArmor is painful - and "not invented here syndrome" in regards to SELinux (and is also a bit painful to configure)
* Desktop integration was an afterthought, as evident by how the modal boxes and UI for snaps look tacked on and out of place, because snaps were meant as an alternative to Docker.
Flatpak won because of not doing all this.
-
[Translation] From capabilities to AppArmor: what actually stops an attacker in a container
A compromised container is the moment of truth for every security setting: the attacker is already inside and commands are executing, so what matters next is understanding what will really constrain their actions. Using a single workload, this article breaks down how capabilities, seccomp and AppArmor close off different parts of an attack in Kubernetes, where each mechanism runs into its own limits, and why container protection only works as a set of layers. Read the breakdown
https://habr.com/ru/companies/otus/articles/1039572/
#безопасность_Kubernetes #безопасность_контейнеров #container_security #capabilities #seccomp #LSM #AppArmor #securityContext #защита_кластера
-
Why #AppArmor and sysctl hardening do a good job of breaking exploit chains:
Ubuntu note: AppArmor restricts unprivileged user namespaces by default. You must first run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
-
AppArmor 5.0 takes Linux security to a new level with more flexible policies 🔐 #Linux #Security #AppArmor #OpenSource
-
guix works fine…until I guix pull #packagemanagement #2404 #apparmor
-
These #apparmor profiles are checked when running 'apt update' on #Ubuntu and #LinuxMint, so the kernel log/dmesg would fill up just from the update manager running it periodically.
-
CrackArmor: AppArmor flaws on Linux - patch Ubuntu and Debian now
https://goodtech.info/crackarmor-failles-apparmor-linux-ubuntu-debian-escalade-root-correctifs/
-
This Week in Security: Linux Flaws, Python Ownage, and a Botnet Shutdown
-
🛡️ MariaDB's new AppArmor profile is now enforcing in Debian unstable and heading to Ubuntu 26.04. I developed it against 7,000+ tests to minimize false positives, full story at https://optimizedbyotto.com/post/new-apparmor-profile-for-mariadb/
If you are a dba/sysadmin, check your logs and share feedback via the Debian bug tracker.
-
CrackArmor: Critical AppArmor Flaws Enable Local Privilege Escalation to Root
#AppArmor
https://blog.qualys.com/vulnerabilities-threat-research/2026/03/12/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root
-
#CrackArmor: nine vulnerabilities have been discovered in #AppArmor, going back to #Linux kernel 4.11 (2017), that could affect more than 12.6 million systems.
-
If you are using Ubuntu or Debian with AppArmor, please update your systems immediately: https://ubuntu.com/security/vulnerabilities/crackarmor
-
#Ubuntu's #AppArmor Hit By Several Security Issues - Can Yield Local Privilege Escalation
https://www.phoronix.com/news/Ubuntu-AppArmor-Security-Issues
-
A 7-year-old Linux flaw dubbed #CrackArmor exposes 12.6 million systems using AppArmor. Researchers found that it can enable root access, container escape, and security bypass. Patch immediately.
Read: https://hackread.com/crackarmor-vulnerability-apparmor-linux-systems/
-
CrackArmor: Multiple vulnerabilities in #AppArmor "Bypassing Ubuntu's user-namespace restrictions
AppArmor + Sudo + Postfix = root
Kernel vulnerabilities". https://seclists.org/oss-sec/2026/q1/303 #infosec #qualys -
#CrackArmor: Multiple vulnerabilities in #AppArmor
Advisory: https://cdn2.qualys.com/advisory/2026/03/10/crack-armor.txt
These vulnerabilities allow a local attacker to bypass the security normally provided by AppArmor. Also, in some situations, it allows privilege escalation to root by selectively blocking specific syscalls.
-
So the AppArmor Guix issue 6501 finally resolved:
https://codeberg.org/guix/guix/issues/6501
Thanks to @efraim for merging https://codeberg.org/guix/guix/pulls/6935 !
-
What's that? #ubuntusnaps are badly designed for desktop usage? Who knew?
Scroll my feed whydontcha.
#Flatpak, #AppImage, take your pick. Much better integration and uses standard #SELinux - instead of having to suffer #Canonical and their #NotInventedHere syndrome with #AppArmor.
Microsoft's VS Code in Ubuntu's Snap Format Eats Up Disk Space Like Bloatware Even After Removal
https://itsfoss.com/news/vscode-snap-disk-space-issue/
-
#apparmor error in #debian after update:
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/tunables/home at line 15: syntax error, unexpected TOK_EQUALS, expecting TOK_MODE
It seems that I am not the only one:
https://forums.debian.net/viewtopic.php?t=165501
Any tips?
-
I have developed mping-sender over the last few days. It is a simple program that sends a UDP packet to a (freely selectable) multicast address every second. It is therefore well suited for testing multicast. It is partially compatible with the mping client.
Furthermore, it is protected by landlock, seccomp, libcap-ng, AppArmor, and systemd.
Source code: https://codeberg.org/mark22k/mping-sender
#Networking #Programming #dn42 #Multicast #landlock #AppArmor #libseccomp #seccomp #systemd #libcapng
-
#apparmor output on my system and according to my search as seen on a lot of #ubuntu based systems:
apparmor="STATUS" operation="profile_load" profile="unconfined" name=4D6F6E676F444220436F6D70617373
So where does this entry "4D..." reside ?
All the other entries in the output of dmesg have an equivalent in /etc/apparmor.d
And no, there is no such profile with that name on my machine.
-
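The bare hex run in the post above is how the kernel audit layer prints a string field whose value contains a space, a double quote or a non-printable byte: instead of quoting it, the kernel emits the raw bytes as hex with no quotes, which is why such a name never matches a file under /etc/apparmor.d by eye. As an added example (not the poster's code), here is a small Python parser for AppArmor kernel-log lines that decodes those fields; the sample lines are constructed, and running the decoder on the post's hex run yields the profile name "MongoDB Compass". Which program loaded a profile with that name is not something the post establishes.

```python
import re
from typing import Dict, List

# Constructed sample kernel-log lines, not taken from the poster's machine. The
# first one carries the hex run quoted in the post; the third shows a DENIED
# event whose path contains a space and is therefore hex-encoded as well.
SAMPLE_LINES: List[str] = [
    'audit: type=1400 audit(1700000000.101:17): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" '
    'name=4D6F6E676F444220436F6D70617373 pid=1234 comm="apparmor_parser"',
    'audit: type=1400 audit(1700000000.202:18): apparmor="DENIED" '
    'operation="open" class="file" profile="/usr/sbin/mariadbd" '
    'name="/etc/shadow" pid=2345 comm="mariadbd" requested_mask="r" '
    'denied_mask="r" fsuid=999 ouid=0',
    'audit: type=1400 audit(1700000000.303:19): apparmor="DENIED" '
    'operation="exec" class="file" profile="snap.firefox.firefox" '
    'name=2F7573722F6C6F63616C2F62696E2F6D7920746F6F6C pid=3456 comm="firefox"',
]

# key=value pairs; a value is either double-quoted or a run of non-space chars.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')

# String-valued fields that the kernel hex-encodes (and leaves unquoted) when
# the value contains a space, a double quote or a non-printable byte. Numeric
# fields such as pid or fsuid are never hex-encoded, so they are not listed:
# "4142" in a pid field is the number 4142, not the string "AB".
HEX_STRING_FIELDS = {"name", "profile", "comm", "target", "peer", "info", "exe"}


def decode_audit_value(key: str, raw: str) -> str:
    """Return the decoded value of one audit field."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_STRING_FIELDS and HEX_RE.fullmatch(raw):
        # backslashreplace keeps the line readable if a path or profile name
        # carries bytes that are not valid UTF-8.
        return bytes.fromhex(raw).decode("utf-8", errors="backslashreplace")
    return raw


def parse_apparmor_line(line: str) -> Dict[str, str]:
    """Split one AppArmor kernel-log line into decoded key/value fields."""
    return {key: decode_audit_value(key, raw) for key, raw in FIELD_RE.findall(line)}


def denied_events(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only DENIED records, the ones worth triaging in an incident."""
    events = [parse_apparmor_line(line) for line in lines]
    return [e for e in events if e.get("apparmor") == "DENIED"]


if __name__ == "__main__":
    for ev in map(parse_apparmor_line, SAMPLE_LINES):
        print(f'{ev["apparmor"]:7} profile={ev["profile"]!r} '
              f'op={ev["operation"]} name={ev["name"]!r}')
```

Feed it real lines from `journalctl -k | grep apparmor=` or `dmesg`; on Ubuntu and Debian the `aa-decode` tool from apparmor-utils performs the same hex decoding for a single value.
-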
crazytrace, my network simulation program that generates a crazy topology behind a TAP device to test traceroute implementations, now has an apparmor profile.
Furthermore, I have now implemented capability dropping with libcap-ng, landlock sandboxing (via a blacklist), and seccomp sandboxing (via a blacklist).
https://codeberg.org/mark22k/crazytrace/src/commit/c5eb9eaf8b12266ecad3c3d1e0cd5388f351cc72/apparmor/usr.bin.crazytrace
https://codeberg.org/mark22k/crazytrace/src/commit/c5eb9eaf8b12266ecad3c3d1e0cd5388f351cc72/src/main.cpp
#crazytrace #traceroute #Networking #Programming #Security #apparmor #libcap #libcapng #landlock #seccomp
-
🚀 Oh, the thrilling saga of playing Russian nesting dolls with #containers on Proxmox! 🤯 Watch as our hero battles #AppArmor and cryptic errors, only to discover the ancient scrolls of #GitHub held the mystical solution all along. 🎉 Apparently, the answer was just a version upgrade – who would've thought? 🙄
https://blog.vasi.li/adventures-in-upgrading-proxmox/ #Proxmox #VersionUpgrade #TechSaga #HackerNews #ngated
-
I switched from #AppArmor to #Firejail on my desktop. For me Firejail's configuration is much less cryptic than AppArmor's :) But I noticed there was no syntax highlighting for Firejail config files in #Emacs, so I created a simple mode using SMIE:
https://github.com/grafov/firejail-mode
Because GNU/Emacs should have a mode for any task, you know! #butterfly
-
Flatpak is broken in Ubuntu 25.10 Questing Quokka. Here's a temporary solution to fix broken flatpak issue in Ubuntu 25.10.
Step-by-Step: https://ostechnix.com/fix-broken-flatpak-ubuntu-25-10-questing-quokka/
-
[Translation] How to protect Kubernetes at the Linux kernel level
How do you protect Kubernetes when an attacker tries to break out of a container onto the host? Rafael Natali proposes a layered approach: configuring the Security Context, dropping unnecessary privileges, running containers without root access, and strengthening protection with AppArmor and seccomp.
https://habr.com/ru/companies/flant/articles/952012/
#security_contexts #apparmor #seccomp #kubernetes #noroot_containers #linux_namespace #runAsUser #безопасность_kubernetes #linux
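This teaser and the earlier one on this page ("From capabilities to AppArmor") describe the same layering: capabilities, seccomp and AppArmor set through the Pod securityContext, on top of running as non-root with privilege escalation disabled. As an added example that is not from either article, here is a small Python policy check run over two constructed Pod manifests, one missing the layers and one with capabilities dropped, `seccompProfile` and `appArmorProfile` set (the field form of the AppArmor setting is the Kubernetes 1.30+ API), runAsNonRoot and allowPrivilegeEscalation: false. The image names and the list of capabilities treated as dangerous are assumptions.

```python
from typing import Any, Dict, List

# Constructed Pod manifests (plain dicts, the JSON form of the YAML), not taken
# from either article; the image name is a placeholder.
WEAK_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {
        "containers": [{
            "name": "web",
            "image": "example.invalid/web:1.0",
            "securityContext": {
                "privileged": False,
                # Added capabilities, nothing dropped, no seccomp, no AppArmor.
                "capabilities": {"add": ["NET_ADMIN", "SYS_PTRACE"]},
            },
        }],
    },
}

HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        # Pod-level settings apply to every container unless overridden.
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "web",
            "image": "example.invalid/web:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,   # sets no_new_privs
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                "appArmorProfile": {"type": "RuntimeDefault"},
            },
        }],
    },
}

# Capabilities that usually defeat the other layers if granted (assumed list).
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO", "NET_ADMIN",
              "DAC_READ_SEARCH", "DAC_OVERRIDE", "BPF"}


def _effective(container_sc: Dict[str, Any], pod_sc: Dict[str, Any], key: str) -> Any:
    """Container securityContext overrides the pod-level one for shared keys."""
    return container_sc[key] if key in container_sc else pod_sc.get(key)


def _profile_ok(profile: Any) -> bool:
    """RuntimeDefault, or Localhost naming a profile; Unconfined or missing fails."""
    if not isinstance(profile, dict):
        return False
    if profile.get("type") == "RuntimeDefault":
        return True
    return profile.get("type") == "Localhost" and bool(profile.get("localhostProfile"))


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per missing layer; an empty list means all layers are set."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true, every other layer is moot")
        if _effective(sc, pod_sc, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false (no_new_privs unset)")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"{name}: capabilities.drop does not contain ALL")
        risky = RISKY_CAPS.intersection(caps.get("add") or [])
        if risky:
            findings.append(f"{name}: adds dangerous capabilities {sorted(risky)}")
        if not _profile_ok(_effective(sc, pod_sc, "seccompProfile")):
            findings.append(f"{name}: seccompProfile missing, Unconfined or incomplete")
        if not _profile_ok(_effective(sc, pod_sc, "appArmorProfile")):
            findings.append(f"{name}: appArmorProfile missing, Unconfined or incomplete")
    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

These are the same checks the Pod Security Admission "restricted" level or a Kyverno/Gatekeeper policy enforces at admission time; running them in CI over rendered manifests catches the gap before deploy. Before Kubernetes 1.30 the AppArmor profile was selected with the `container.apparmor.security.beta.kubernetes.io/<container>` annotation rather than the `appArmorProfile` field, so manifests for older clusters need that form checked instead.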