• note: .jl on the end of filename is for syntax highlighting only and "julia" just looked better and comments are corrected vs. vim

    Edited by Mr E
  • To the point of a traced (^whack-o) profile such as this one is, to give 'YOU' and me "allow" or "deny" for usually unseen files that other apparmor profiles do not offer and won't for "user convenience". [smiles wide] @ canonical, ubuntu, pop!_os

    My point is this: take a look at the below .so files

      /usr/lib/libcups.so{,*}            mr,
      /usr/lib/libavahi-common.so{,*}    mr,
      /usr/lib/libavahi-client.so{,*}    mr,

    These are used for printing/mdns/ipv6 as far as firefox is concerned. So, if you "do not" want or need to use those services, you should be able to opt-out and deny them. I can already hear the "but, you're breaking functionality" comments in the background from someone. If you have mmap'd .so files my take away from this is "less is better" and, what I've learned on my journey into security and from alpine linux, is that, a small footprint or attack surface is key to 'help' avoid some or all particular attack vector/s especially given 'cups' and 'avahi' are frequent visitors on cve. :)

    Don't you agree?

    final words: every effort has been made to 'help' with our security.

             * unix sockets, signals and peers in this profile are "very strict" and should provide mounds or secrecy/security.
             * Intentional denial of 'any' internet downloads provides better security. I've provided many file file extensions
               categorically for your consideration. (more extensions will be added asap)
             * pictureinpicture, screenshot & formautofill are denied by default .. recent cve's suggest chrome issues w/ those.

    Extra: * you'll notice far less network activity :)

    I do hope this little blog comes in handy in your journey my friend. :)


    Edited by Mr E
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment