/g/ - Technology
Do you use AppArmor?

It seems pretty easy to use on Ubuntu. For example, this can deny GIMP access to the microphone, camera, and screen recording.

sudo nano /etc/apparmor.d/usr.bin.gimp

# A profile file needs a header and a profile block, and AppArmor is default-deny:
# the abstractions below allow what GIMP legitimately needs (load it with
# aa-complain first and add whatever the audit log shows), while the explicit
# deny rules, which beat any allow rule, cut off the camera, mic and screen paths.
abi <abi/3.0>,
#include <tunables/global>

profile gimp /usr/bin/gimp flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/gnome>
  /usr/bin/gimp mr,
  owner @{HOME}/** rwk,

  # Deny camera access
  deny /dev/video* rw,

  # Deny microphone access
  deny /dev/snd/* rw,

  # Deny access to shared memory and temp files for screen recording
  deny /dev/shm/* rw,
  deny /tmp/* rw,
}
>>
>>106818541
Bump. I knew how to properly set this up, anon. Keep going thanks
>>
>>106818689
do you mean you never knew?
>>
>>106818689
never* knew how to. Anon, how exactly does AppArmor work and what does it do? Should it, and could it, be used in tandem with Firejail?
>>
> did you want to cut your balls off? Here's how
>>
>>106818541
Can you deny an application internet access? If it can, then this can be useful to block telemetry from Audacity
>>
>>106818705
yeah, that's what I meant, sorry
>>
https://gitlab.com/apparmor/apparmor/-/wikis/Profiling_with_tools#example-confining-evolution

>Also, there are a few 'deny' rules that aren't strictly required. These could be hand edited, but the above demonstrates that while the tools did not generate an optimized profile, they did generate a working profile for Evolution.
>While the above works for the test cases given, it should not be considered a complete profile. Often you need to use the application for several days or more to be sure there aren't any profile bugs remaining.

hmm

I don't know what the fuck this is all about
>>
come on tech ni/g/g/az teach us this shit please
>>
>>106819035
AppArmor supports per-profile learning (complain) mode to help users write and maintain policy. Learning mode allows for a profile to be created by running a program normally and learning its behavior. After AppArmor has sufficiently learned the behavior, the profile may be turned to enforcing mode. While the resulting profile may be more lenient than a hand-crafted profile tailored for a specific environment and application, learning mode can greatly reduce the effort and knowledge needed to use AppArmor and add an important layer of security.

>>106819045
it's important to understand AppArmor first

https://gitlab.com/apparmor/apparmor/-/wikis/GettingStarted

>>106818826
Should be as simple as:

sudo nano /etc/apparmor.d/usr.bin.audacity

(assuming your audacity exe is at /usr/bin/audacity)

abi <abi/3.0>,
#include <tunables/global>

profile audacity /usr/bin/audacity flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/audio>
  #include <abstractions/gnome>
  /usr/bin/audacity mr,
  owner @{HOME}/** rwk,

  # Deny network access: inet/inet6 only, so the local unix socket to the
  # sound server keeps working (a bare "deny network," would cover that too)
  deny network inet,
  deny network inet6,
}

sudo apparmor_parser -r /etc/apparmor.d/usr.bin.audacity

sudo aa-status
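As an added example (not code from the thread, and not the real aa-logprof), here is a small Python script that does the learning-mode step by hand: it reads the apparmor="ALLOWED" events that a profile in complain mode writes to the kernel log (journalctl -k, or /var/log/audit/audit.log with auditd) and turns them into candidate file and network rules, one per path, with an owner prefix when every access to that file was to the user's own file. The log lines embedded in it are constructed samples in the kernel's audit format; the paths, pids and uids are made up, and the @{HOME} substitution is a crude stand-in for what the real tool does with tunables.

```python
"""Turn AppArmor complain-mode audit events into candidate profile rules.

Added example, not aa-logprof and not code from the thread: it parses the
key="value" fields the kernel logs for apparmor="ALLOWED" (complain mode)
and apparmor="DENIED" (enforce mode) events and proposes one rule per path
or socket family. SAMPLE_LOG is constructed for the example, in the real
audit format; its paths, pids and uids are made up.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.001:10): apparmor="ALLOWED" operation="open" profile="audacity" name="/home/anon/.config/audacity/audacity.cfg" pid=4242 comm="audacity" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.002:11): apparmor="ALLOWED" operation="open" profile="audacity" name="/home/anon/.config/audacity/audacity.cfg" pid=4242 comm="audacity" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.003:12): apparmor="ALLOWED" operation="open" profile="audacity" name="/usr/share/audacity/nyquist/nyquist.lsp" pid=4242 comm="audacity" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.004:13): apparmor="ALLOWED" operation="file_mmap" profile="audacity" name="/usr/lib/audacity/modules/mod-script-pipe.so" pid=4242 comm="audacity" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.005:14): apparmor="ALLOWED" operation="create" profile="audacity" pid=4242 comm="audacity" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
audit: type=1400 audit(1700000000.006:15): apparmor="DENIED" operation="open" profile="gimp" name="/dev/video0" pid=5151 comm="gimp" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.007:16): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="gimp" pid=77 comm="apparmor_parser"
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# audit mask letter -> rule permission; c(reate)/d(elete) need write, x -> inherit exec
MASK_MAP = {"r": "r", "w": "w", "a": "a", "x": "ix", "m": "m", "k": "k",
            "l": "l", "c": "w", "d": "w"}

def parse_event(line):
    """Return the fields of one AppArmor audit line as a dict, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    return {k: v[1:-1] if v.startswith('"') else v for k, v in FIELD_RE.findall(line)}

def file_perms(mask):
    """Translate an audit mask ("rwc", "rm", ...) into rule permissions ("rw", "mr")."""
    letters = {MASK_MAP.get(ch, ch) for ch in mask}
    if "w" in letters:
        letters.discard("a")              # w already implies append; "wa" is a syntax error
    perms = "".join(ch for ch in "mrwalk" if ch in letters)
    return perms + "ix" if "ix" in letters else perms

def suggest_rules(log_text):
    """Aggregate events per profile and return {profile: [rule, ...]}."""
    files = defaultdict(lambda: defaultdict(set))   # profile -> path -> mask letters seen
    owned = defaultdict(dict)                        # profile -> path -> fsuid == ouid every time
    nets = defaultdict(set)                          # profile -> {(family, sock_type)}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue                                  # STATUS lines carry no access request
        prof = ev["profile"]
        if "name" in ev and "requested_mask" in ev:
            path = re.sub(r"^/home/[^/]+", "@{HOME}", ev["name"])  # crude tunable substitution
            files[prof][path].update(ev.get("denied_mask") or ev["requested_mask"])
            same_user = ev.get("fsuid") == ev.get("ouid")
            owned[prof][path] = owned[prof].get(path, True) and same_user
        elif "family" in ev:
            nets[prof].add((ev["family"], ev.get("sock_type", "")))
    rules = {}
    for prof in sorted(set(files) | set(nets)):
        out = [f"network {fam} {st}," if st else f"network {fam}," for fam, st in sorted(nets[prof])]
        for path in sorted(files[prof]):
            prefix = "owner " if owned[prof][path] else ""
            out.append(f"{prefix}{path} {file_perms(files[prof][path])},")
        rules[prof] = out
    return rules

if __name__ == "__main__":
    for prof, out in suggest_rules(SAMPLE_LOG).items():
        print(f"# candidate rules for profile {prof}")
        print("\n".join("  " + r for r in out))
```

The output is a starting point, not a finished profile: every proposed line still has to be judged (a `/dev/video0 rw,` candidate for GIMP is exactly the kind of thing you would turn into a deny), and broad globs and abstractions are something only a human adds.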
>>
>>106818541
why wouldn't you deny everything by default and use explicit allows to get the most minimal permission set possible?
>>
>>106819745
this, OP. why wouldn't you?
>>
>>106819745
>>106819765
I'm new 2 this, I apologize, that seems much better
>>
ok here

# /etc/apparmor.d/usr.bin.audacity
abi <abi/3.0>,
#include <tunables/global>

# AppArmor is default-deny already: anything not allowed below is refused.
# Do NOT add "deny file," on top of that: deny rules take precedence over
# allow rules, so it would cancel every allow in the profile (the binary
# itself could not even be mapped). "deny signal," is dropped for the same
# reason: signal rules mediate receiving as well as sending.
profile audacity /usr/bin/audacity flags=(attach_disconnected) {
  # libc, ld.so, /proc/self and the like that every program needs
  #include <abstractions/base>
  # ALSA/PulseAudio/PipeWire devices and sockets
  #include <abstractions/audio>
  # GTK, fonts, X11/Wayland, icons
  #include <abstractions/gnome>

  # no internet (deny beats allow, so nothing below can reopen it);
  # unix sockets are left alone because the sound server uses them
  deny network inet,
  deny network inet6,

  # the binary and its bundled libraries/plugins need m (mmap), not ix
  /usr/bin/audacity mr,
  /usr/lib/audacity/** mr,

  # read-only resources (the conf file only if it exists on your system)
  /usr/share/audacity/** r,
  /etc/audacity.conf r,

  # the user's own config and projects
  owner @{HOME}/** rwk,

  # add any other paths as per your needs: load in complain mode
  # (aa-complain) and take the rest from the audit log
}
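Why "deny file," on top of an allow list is worse than useless is easiest to see by running the rules. The Python below is an added example, not AppArmor's parser or anything posted in the thread: it models the three precedence points at stake (a profile is default-deny; a matching deny rule overrides any allow rule, wherever it sits in the profile; * and ? do not cross a /, ** does) and evaluates sample accesses against two constructed profile bodies, BROKEN (deny file, plus allows) and FIXED. /home/anon is an assumed home directory used to expand @{HOME}; rule types other than file and network are ignored, and {a,b} alternation is not handled.

```python
"""Model of how AppArmor decides one access against a profile.

Added example, not AppArmor's own parser: just enough of the rule semantics to
test the points argued in the thread: default-deny (no matching allow means
denied), an explicit deny beats any matching allow, '*' and '?' stop at '/',
'**' crosses directories, 'owner' rules apply to the user's own files only.
BROKEN and FIXED are constructed sample profile bodies; rule types other than
file and network are ignored.
"""
import re
from collections import namedtuple

ALL_PERMS = frozenset("rwalkmx")   # how this model expands a bare "file," rule

# deny/owner flags, "file" or "network", compiled path glob, permission letters or families
Rule = namedtuple("Rule", "deny owner kind regex perms")

def glob_to_regex(pattern):
    """Translate an AppArmor path glob into an anchored regex ({a,b} alternation not handled)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(out))

def parse_profile(text, home="/home/anon"):
    """Collect file and network rules; includes, abi, braces and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(","):
            continue
        tokens = line[:-1].split()
        deny = tokens[0] == "deny"                 # optional "deny", then optional "owner"
        owner = tokens[deny:deny + 1] == ["owner"]
        tokens = tokens[deny + owner:]
        if not tokens:
            continue
        if tokens[0] == "network":
            rules.append(Rule(deny, owner, "network", None, frozenset(tokens[1:2])))
        elif tokens == ["file"]:
            rules.append(Rule(deny, owner, "file", glob_to_regex("/**"), ALL_PERMS))
        elif tokens[0].startswith(("/", "@{HOME}")) and len(tokens) == 2:
            perms = set(re.sub(r"[iPpUuCc]x", "x", tokens[1]))   # any exec mode -> x
            if "w" in perms:
                perms.add("a")                                   # write implies append
            path = tokens[0].replace("@{HOME}", home)
            rules.append(Rule(deny, owner, "file", glob_to_regex(path), frozenset(perms)))
    return rules

def check_file(rules, path, perm, is_owner=True):
    """'allow' or 'deny' for one file access, with AppArmor's precedence."""
    hits = [r for r in rules if r.kind == "file" and perm in r.perms
            and r.regex.fullmatch(path) and (is_owner or not r.owner)]
    if any(r.deny for r in hits):
        return "deny"                           # a matching deny wins wherever it appears
    return "allow" if hits else "deny"          # nothing matched: default deny

def check_network(rules, family):
    """Same precedence for socket families; a rule without a family covers all of them."""
    hits = [r for r in rules if r.kind == "network" and (not r.perms or family in r.perms)]
    if any(r.deny for r in hits):
        return "deny"
    return "allow" if hits else "deny"

# Constructed: the "block everything, then allow" shape. "deny file," overrides
# every allow below it, so not even the binary itself can be read or mapped.
BROKEN = """
deny file,
deny network,
/usr/bin/audacity mr,
"""

# Constructed: same intent done right: default-deny plus targeted deny rules.
FIXED = """
profile audacity /usr/bin/audacity {
  deny network inet,
  deny network inet6,
  network unix stream,
  /usr/bin/audacity mr,
  owner @{HOME}/** rwk,
  deny /tmp/* rw,          # direct children of /tmp only: '*' stops at '/'
  owner /tmp/** rw,
}
"""
```

With BROKEN loaded, check_file(..., "/usr/bin/audacity", "m") comes back "deny", which is why that shape of profile cannot even start the program; FIXED allows it, still refuses inet/inet6 sockets while leaving unix ones usable, denies any file the user does not own under @{HOME}, and shows that deny /tmp/* rw, blocks /tmp/scratch.wav but not /tmp/audacity/scratch.wav.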
>>
how do you add a program, like, say, Palemoon to apparmor and do certain restrictions?
>>
>>106820387
https://wiki.archlinux.org/title/AppArmor
>>
>>106820419
I appreciate this very much man, but, does this work for Debian? it says Arch
>>
>>106820419
nevermind. it's working out and i'm getting it. thanks again.
>>
It seems more pragmatic to just get the stuff you want to sandbox as flatpak and use that for sandboxing, because you probably do that anyway. That way you don't need to learn a whole additional configuration language for non-flatpak stuff.
>>
>>106820419
how does this wiki ALWAYS btfo any other documentation ?
>>
>>106818541
AppArmor is nice, I use it to prevent `micromamba` from shitting all over my filesystem.
There is no other way to make it stop because it is programmed by absolute retards.
>>
File: ffsnap.png (40 KB, 435x288)
>>106820666
>Flatpak
>sandbox
That's a strong word. Flatpak sandboxing isn't great, it breaks things like browser process sandboxing.
AppArmor doesn't have this problem.
>>
>>106820904
why are you using conda? I don't see its purpose. does it do stuff venv can not?
>>
>>106821013
You won't install Firefox or Qt in a venv.
conda is a superset of venv, it can manage non-python packages but in a way that is very similar to venvs, with the same workflows.
The downside is that conda itself is extremely slow, bloated, and rigid. It is impossible to cache its package metadata, which means that it downloads ~40MB of JSON on *every* operation. It is beyond retarded.
>>
What is the use-case of AppArmor if you don't use proprietary software that has sketchy behaviour or you build/run/test software that might contain malware?
>>
>>106821187
very... unexpected .. and ... odd...

I'd consider using docker compose at that point instead of that icky mess
>>
>>106821295
avoid zero days and have peace of mind that Firefox didn't decide to start doing shady shit in the latest release (avoid always reviewing package updates)
>>
>>106821314
docker is not an option because your account needs to have superuser privileges on the machine in order to interact with docker. Same with LXC/LXD.
Conda and virtualenvs have no such requirement.
>>
>>106818541
I do not know any of those commands. If they can make a GUI like Windows Firewall or any number of commercial software firewalls, where they let you do all this by selecting an app/program/exe and choosing from a list what function/network access to allow/block, then I will use it.
>>
>>106820830
Arch users care about quality.
>>
>>106821799
oh, so this is an administered machine, with dynamics similar to a work or school computer?

If you can install things, try podman. It doesn't require you to have sudo access to set it up.
>>
File: 1731327326622136.gif (3.32 MB, 600x338)
https://github.com/roddhjav/apparmor.d
>>106821929
https://github.com/jack-ullery/AppAnvil
>>
>>106823203
Thanks for the links... You seem to know some stuff.
Why the fuck does this have to be so verbose?
For example,

>wc /var/lib/snapd/apparmor/profiles/snap.kdenlive.kdenlive
>2888 8672 104264 /var/lib/snapd/apparmor/profiles/snap.kdenlive.kdenlive

It's ridiculous, I don't have the energy or patience to go through each app's profile when they're like THIS.
>>
zump (good bread)