
List:       suse-security
Subject:    Re: [opensuse-security] Confining Java applications
From:       pinguin74 <pinguin74 () gmx ! com>
Date:       2014-08-30 14:49:01
Message-ID: 5401E45D.1090500 () pinguin74 ! gmx ! com

>> Can you just confine the Java interpreter itself or can you confine
>> the Java *.jar package?
> 
> Confining the interpreter is not a good idea IMHO - that would be like 
> confining bash or perl, which is a) not a good idea, b) can break other 
> users of $interpreter or c) you'll need a profile that allows everything 
> every user of $interpreter needs - which means you won't have many 
> restrictions left.
> 
> I'm not aware of a way to confine a *.jar (but, see above, I don't know 
> much about Java).


I solved it now this way, created a small wrapper script java-foo.sh
with this content:

#!/bin/sh
java -jar /bin/foo.jar

then I confined the wrapper script java-foo.sh.

Works well and has the advantage of having a profile for every individual
*.jar package.

As a basis I used abstractions/ubuntu-browsers.d/java and built a
profile upon this abstraction. Works like a charm.

I just don't know yet how to handle links in AA.

I added

/usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/bin/java rix,

to my profile, because I wasn't able to confine the link /usr/bin/java

Still need to learn proper link handling in AA...
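
Added example, not part of the original message: AppArmor matches file rules against the path after symlinks are resolved, which is why the rule naming the real JVM binary takes effect and one naming /usr/bin/java does not. The sketch below walks a link chain and prints the rule for its final target; the function names link_chain and aa_rule_for are hypothetical, and GNU `readlink -f` is assumed.

```shell
#!/bin/sh
# Added example: find the path an AppArmor rule has to name for a symlinked binary.

# Print every hop of a symlink chain, one path per line, ending at the real file.
# Only links in the final path component are followed hop by hop.
link_chain() {
    p=$1
    hops=0
    while [ -L "$p" ]; do
        printf '%s\n' "$p"
        hops=$((hops + 1))
        [ "$hops" -le 40 ] || { echo "symlink loop at $p" >&2; return 1; }
        target=$(readlink "$p") || return 1
        case $target in
            /*) p=$target ;;                    # absolute link target
            *)  p=$(dirname "$p")/$target ;;    # relative to the link's directory
        esac
    done
    printf '%s\n' "$p"
}

# Print a profile rule for the fully resolved target of PATH (default mode: rix).
aa_rule_for() {
    mode=${2:-rix}
    real=$(readlink -f -- "$1") || return 1
    # readlink -f accepts a missing last component, so reject dangling links here.
    [ -e "$real" ] || { echo "dangling link: $1" >&2; return 1; }
    printf '%s %s,\n' "$real" "$mode"
}

# Stand-alone use: sh thisfile.sh /usr/bin/java [mode]
[ "$#" -eq 0 ] || { link_chain "$1" && aa_rule_for "$1" "${2:-rix}"; }
```

The printed rule goes into the profile of the wrapper script; it has to be regenerated when the alternatives link is repointed at another JVM.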

