#apparmor — Public Fediverse posts on home.social

Hackaday [Unofficial] @[email protected] · 2026-03-20 · 14:00 UTC

This Week in Security: Linux Flaws, Python Ownage, and a Botnet Shutdown

https://fed.brid.gy/r/https://hackaday.com/2026/03/20/this-week-in-security-linux-flaws-python-ownage-and-a-botnet-shutdown/

#hackadaycolumns #securityhacks #apparmor #botnet #git #python

Hackaday [Unofficial] @[email protected] · 2026-03-20 · 14:00 UTC

This Week in Security: Linux Flaws, Python Ownage, and a Botnet Shutdown

https://fed.brid.gy/r/https://hackaday.com/2026/03/20/this-week-in-security-linux-flaws-python-ownage-and-a-botnet-shutdown/

#unifi #ubuntu #thisweekinsecurity #snapd #python #git

alip @[email protected] · 2026-03-13 · 16:14 UTC

#apparmor local root: who's going to watch the watchers episode 202603! #ubuntu people should bump their #kernel and consider switching to unprivileged alternatives such as #sydbox ;): https://www.openwall.com/lists/oss-security/2026/03/12/7 #linux #security

#apparmor #ubuntu #kernel #sydbox #linux #security

Marek @[email protected] · 2025-12-08 · 00:04 UTC

I have developed mping-sender over the last few days. It is a simple program that sends a UDP packet to a (freely selectable) multicast address every second. It is therefore well suited for testing multicast. It is partially compatible with the mping client.

Furthermore, it is protected by landlock, seccomp, libcap-ng, AppArmor, and systemd.

Source code: https://codeberg.org/mark22k/mping-sender

#Networking #Programming #dn42 #Multicast #landlock #AppArmor #libseccomp #seccomp #systemd #libcapng

#networking #programming #dn42 #multicast #landlock #apparmor

Marek @[email protected] · 2025-11-19 · 23:58 UTC

crazytrace, my network simulation program that generates a crazy topology behind a TAP device to test traceroute implementations, now has an apparmor profile.

Furthermore, I have now implemented capability dropping with libcap-ng, landlock sandboxing (via a blacklist), and seccomp sandboxing (via a blacklist).

https://codeberg.org/mark22k/crazytrace/src/commit/c5eb9eaf8b12266ecad3c3d1e0cd5388f351cc72/apparmor/usr.bin.crazytrace
https://codeberg.org/mark22k/crazytrace/src/commit/c5eb9eaf8b12266ecad3c3d1e0cd5388f351cc72/src/main.cpp

#crazytrace #traceroute #Networking #Programming #Security #apparmor #libcap #libcapng #landlock #seccomp

#crazytrace #traceroute #networking #programming #security #apparmor

Habr @[email protected] · 2025-10-10 · 05:02 UTC

[Перевод] Как защитить Kubernetes на уровне ядра Linux

Как защитить Kubernetes, если злоумышленник попытается выбраться из контейнера на хост? Рафаэль Натали предлагает многоуровневый подход: настройка Security Context, отказ от лишних прав, запуск контейнеров без root-доступа, а также усиление защиты с помощью AppArmor и seccomp.

https://habr.com/ru/companies/flant/articles/952012/

#security_contexts #apparmor #seccomp #kubernetes #noroot_containers #linux_namespace #runAsUser #безопасность_kubernetes #linux

#linux #безопасность_kubernetes #runasuser #linux_namespace #noroot_containers #kubernetes

Zygmunt Krynicki @zygoon · 2025-10-06 · 17:22 UTC

Late night debugging session on #snapd, #apparmor and #dbus.

#snapd #apparmor #dbus

Apollo @[email protected] · 2025-09-28 · 16:30 UTC

@Imperor flatpak uses bubblewrap for sandboxing, unless I am mistaken, then flatseal configures those bubblewrap permissions. So, you could start your programs with it too. Another way would be AppArmor. Or, if you want something to keep your base system clean (this does not bring any security advantages) you could use distrobox.

#linux #sandboxing #security #bubblewrap #apparmor #gnulinux #flatpak

#linux #sandboxing #security #bubblewrap #apparmor #gnulinux

Habr @[email protected] · 2025-01-21 · 11:32 UTC

Безопасность Kubernetes-кластеров: вредные советы или bullshit bingo

Как погубить кластер, действуя во благо? Подборка вредных советов из реальных кейсов и опыта от специалиста по безопасности контейнеров и Kubernetes. Вместе установим антивирус на ноды, просканируем хостовую ОС и заблокируем выкатки образов с чувствительной информацией. Привет, Хабр! Меня зовут Дмитрий Евдокимов. Я — Founder & CTO Luntry в компании по созданию решений для безопасности контейнеров и Kubernetes, CFP конференций DevOpsConf и Highload, автор курса «Cloud-Native безопасность в Kubernetes» и телеграм-канала k8s (in) security. Эта статья написана по мотивам моего доклада для DevOpsConf 2024. Так как я проработал в сфере информационной безопасности больше 15 лет и специализируюсь именно на безопасности контейнеров и кластеров, дам несколько «вредных» советов, как сделать Kubernetes-кластер «безопасным». Погубить кластер

https://habr.com/ru/companies/oleg-bunin/articles/875114/

#кубернетес #контейнеры #оркестрация_микросервисов #окружение #shift_left_security #уязвимости #distroless #zerotrust #NetworkPolicy #apparmor

#apparmor #networkpolicy #zerotrust #distroless #уязвимости #shift_left_security

Todd A. Jacobs | Rubyist @[email protected] · 2024-11-04 · 17:32 UTC

Anyone upgrading #TrueNAS from their 24.10 release candidate to the full release should be aware that it clobbers a lot of purportedly local override configuration files not accessible from the GUI. Basically, anything not configured by their "middleware" (i.e. their custom #WebUI) is likely to go bye-bye. The #ZFS file systems and pools should be fine, though; just have a backup in case you've had to tweak #AppArmor, #Chrony, /etc/default/*, or anything else that isn't available via the web UI.