noisy icon indicating copy to clipboard operation
noisy copied to clipboard

Published 20 hours ago verified publisher icon 1tayH

[Feature request] Add sandboxing options and apparmor profile

Open knlnlo opened this issue 3 years ago • 4 comments

Hi!

The systemd services can now use sandboxing options, which has a positive effect on security. I would like noisy to use these settings as well. Also, additionally consider creating an apparmor profile.

Thanks for noisy!

knlnlo avatar Nov 22 '21 06:11 knlnlo

I have already done it in my fork fireneat/Noisy here also I think it would be better to have seccomp profile because you can use ioctl which I don't think apparmor has. And if you want to sandbox Noisy then I think you would need to sandbox Python3 completly, anyways here is the profile if you're still interested:

#include <tunables/global>

/usr/bin/python3.9 {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/python>

  /usr/bin/python3.9 mr,
  owner /noisy/ r,
  owner /noisy/config.json r,
  owner /noisy/noisy.py r,

}

fireneat avatar Nov 27 '21 23:11 fireneat

Thank you very much. I understand that this version is no longer in development?

knlnlo avatar Nov 28 '21 04:11 knlnlo

@fireneat,You do realize that you are restricting all python and all scripts written in it, right?

Zbergen-cli avatar Dec 04 '21 15:12 Zbergen-cli

@Zbergen-cli Yes, I've also mentioned it, therefore I think it's only use case would be in Docker

fireneat avatar Dec 30 '21 14:12 fireneat