Can AppArmor prevent sudo password sniffing through abuse of X Windows System?

Quote Strong Linux User Account Isolation

X Windows System

Any graphical application running under X Windows System (X11) can see what any user is typing in any other application for any user. [1] For example, if user user running X11 would run lxsudo -u limited-user some-application that application if compromised could sniff anything that user user is writing. Including but not limited to any sudo password prompts.

See the footnote on that page too.

Can apparmor prevent that?

Related:

AppArmor prevent access to the the API that xinput is using for global keyboard sniffing?

1 Like

No. There is work on it though but I haven’t seen any progress AppArmorXace · Wiki · AppArmor / apparmor · GitLab

SELinux can do this though (among tons of other things apparmor cannot). Switching to SELinux might be a good idea in the future.

2 Likes

SELinux is in Debian. Are you familiar with its syntax?

2 Likes

No, I’m not familiar with the syntax. SELinux is far more complicated than apparmor and harder to learn. I only have a basic understanding of what can be done with it.

2 Likes

Here was some interesting news for SELinux in years.

2 Likes

Worth asking AppArmor upstream about this or was already discussed?

SELinux: not looking forward to research / debate NSA/SELinux. Best discussed in separate thread. Perhaps even one for technology and one for trustworthiness.

2 Likes

Another way to potential fix this:
Can we replace xfce window manager as an easy path to switch to wayland?

2 Likes

No point considering it when we don;t have someone proficient in profile writing. It would be absolutely worthless to us.

2 Likes

It was already discussed. See the apparmor wiki link above.

2 Likes