List: suse-security
Subject: Re: [opensuse-security] Confining Java applications
From: pinguin74 <pinguin74 () gmx ! com>
Date: 2014-08-30 14:49:01
Message-ID: 5401E45D.1090500 () pinguin74 ! gmx ! com
>> Can you just confine the Java interpreter itself or can you confine
>> the Java *.jar package?
>
> Confining the interpreter is not a good idea IMHO - that would be like
> confining bash or perl, which is a) not a good idea, b) can break other
> users of $interpreter or c) you'll need a profile that allows everything
> every user of $interpreter needs - which means you won't have many
> restrictions left.
>
> I'm not aware of a way to confine a *.jar (but, see above, I don't know
> much about Java).

I solved it now this way: I created a small wrapper script java-foo.sh
with this content:

    #!/bin/sh
    java -jar /bin/foo.jar

Then I confined the wrapper script java-foo.sh.

Works well and has the advantage of having a profile for every individual
*.jar package.

As a basis I used abstractions/ubuntu-browsers.d/java and built a
profile upon this abstraction. Works like a charm.

I just don't know yet how to handle links in AA.
I added

    /usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/bin/java rix,

to my profile, because I wasn't able to confine the link /usr/bin/java.
Still need to learn proper link handling in AA...
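
On the link question raised in the message: AppArmor matches file rules against the path left after symlinks are resolved, which is why only a rule naming the real JVM binary takes effect. The following is an added example, not part of the original message: shell functions that resolve the chain behind a command such as java and print a profile skeleton for the wrapper. The function names and the wrapper path in the usage comment are assumptions, and the JVM's library and runtime file rules (for instance from the abstraction the message mentions) still have to be added.

```shell
#!/bin/sh
# Added example: emit an AppArmor profile skeleton for a per-jar wrapper.
# resolve_target and gen_profile are hypothetical helper names.

# Resolve a command name or path to the real file behind any symlink chain.
resolve_target() {
    case "$1" in
        */*) p=$1 ;;
        *)   p=$(command -v "$1") || return 1 ;;
    esac
    readlink -f "$p"
}

# gen_profile WRAPPER JAR JAVA
# WRAPPER: absolute path of the wrapper script (the profile name)
# JAR:     absolute path of the jar the wrapper starts
# JAVA:    command name or path of the java launcher, symlink or not
gen_profile() {
    wrapper=$1
    jar=$2
    java_real=$(resolve_target "$3") || return 1
    [ -n "$java_real" ] || return 1
    sh_real=$(resolve_target /bin/sh) || return 1
    cat <<EOF
#include <tunables/global>

$wrapper {
  #include <abstractions/base>

  # the wrapper itself and the shell named on its first line
  $wrapper r,
  $sh_real rix,

  # real JVM binary: rules are matched against the resolved path,
  # so a rule written for the symlink would never match
  $java_real rix,

  # the one jar this profile is for
  $jar r,
}
EOF
}

# usage (wrapper path is an assumption):
#   gen_profile /usr/local/bin/java-foo.sh /bin/foo.jar java
```
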