[apparmor] FBAC-LSM as a front end for AppArmor

John Johansen john.johansen at canonical.com
Thu Aug 12 15:04:34 BST 2010


On 08/12/2010 12:48 AM, Cliffe wrote:
> AppArmor devs:
> 
> Earlier in the week I presented some of the results of my PhD research at the Linux Security Summit. This included a usability assessment of AppArmor (with the SUSE tools) and suggestions for improvements. I also briefly discussed the LSM and tools I created which are designed to improve the usability of policy specification for application restrictions; this is achieved using a number of techniques such as parameterised hierarchical abstractions and automation techniques. The LSM is functional but needs a lot of work.
> 
> I gave a quick demonstration to John and Kees of a new feature of the GUI tool: export to AppArmor. This is achieved by exploding out an FBAC-LSM application policy into AppArmor rules. It can also go into an AppArmor managing mode where it basically uses AppArmor as the underlying LSM and automatically exports and loads policies etc.
> 
> There is work to be done before it is ready for deployment (and my highest priority at the moment is submitting my thesis) but I would love to open a dialogue with you guys to know what you think and what you would like to see. It would be great to see it as an available front end for AppArmor.
> 
> Grab the code, more info, papers, general project todo etc:
> 
> http://schreuders.org/FBAC-LSM
> 
> (demo video is out of date)
> 
> It can create complete policies without the use of learning modes, based on high level goals of the user. To give it a spin: run the GUI, remove one of the app policies (for a program installed on your system), and try creating a new policy for the application. Other apps that perform the same features should also be easily confined. The policy was developed in a KDE3.5 environment, and is largely not tested/updated for newer environments. Obviously adding more "functionalities" (FBAC-LSM policy abstractions) and updating those that are there is important.
> 
> Keep in mind that this was developed as a research project and the code could be cleaner. It is also currently a bit memory hungry.
> 
> Patches, comments and suggestions welcome :)
> 
> 
Hey Cliffe,

Thanks for posting, this is really interesting and well worth taking
a look at.


