[apparmor] AppArmor APIs

Steve Beattie steve at nxnw.org
Tue Dec 15 18:45:30 UTC 2015


Hey Colin,

On Tue, Dec 15, 2015 at 05:29:43PM +0000, Colin Ian King wrote:
> So far I've been successful from the info you have provided. I've
> compiled a policy into a binary blob and got it loaded into a buffer and
> successfully loaded this into the kernel.

That's great!

I'm curious which elements of apparmor you're trying to stress with
what you're adding to stress-ng. The general process outline goes like
this:

  policy -> apparmor_parser -> kernel policy load interface -> policy enforcement

The first phase, of turning a textual policy into a binary blob,
occurs entirely in user space, and is likely of little interest to you.

The second phase, where a binary policy blob is loaded into the kernel
and stored in kernel data structures is certainly a valuable place to
look for problems[1], though it is at this point in time considered a
mostly trusted interface (you must have CAP_MAC_ADMIN to make use of
it). However, future plans include this becoming not true, and there
currently exist tools that auto-generate policy based on templates,
so it's still a sensitive interface. It seems that this is the area
you're focusing on?

It also seems to me that stressing the enforcement side of things
is valuable, as well as the related interfaces around policy
domain transitions (changing policy or not on exec(), change_hat(),
change_profile()). We also have relatively recently added interfaces
(which I think John referred to earlier) around querying confinement
status and querying permissions directly.  Exercising and stressing
these direct interfaces would be great; stressing access mediation
would be indirect via regular syscalls (e.g. open()).

There are some known existing performance limitations in some of the
interfaces; for example, change_hat() on a policy with 5 digits of
hats is slow, due to the in-kernel data structures used.

Thanks again for your work on this, both in general for stress-ng
and for specifically adding apparmor to it!

[1] For anyone looking for an interesting security relevant project
    to take on, extending one of the (syscall) fuzzing tools out
    there to exercise the policy loading interface and other apparmor
    kernel<->userspace interface layers would be a great thing to do.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
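The confinement-status query Steve mentions, as an added example (not code from the thread or from the AppArmor project): it reads the raw kernel interface /proc/self/attr/current and splits the result into label and mode the way libapparmor's aa_getcon() does. The AA_ATTR_CURRENT macro and the aa_parse_con()/aa_read_con() names are assumptions of this example, and the sample strings in the comments are constructed.

```c
/* Added example: query the calling task's AppArmor confinement through the
 * raw kernel interface and parse it. Not part of the original thread or of
 * libapparmor; function and macro names are this example's own. */
#include <stdio.h>
#include <string.h>

#define AA_ATTR_CURRENT "/proc/self/attr/current"   /* raw LSM attr file */

/* Parse a confinement string as the kernel reports it: "unconfined" or
 * "<label> (<mode>)", optionally newline-terminated. Constructed samples:
 * "/usr/sbin/cupsd (enforce)", "/usr/bin/foo//hat (complain)".
 * Copies label and mode into the caller's buffers (mode is "" when the task
 * is unconfined) and returns 0; returns -1 on empty or oversized input. */
int aa_parse_con(const char *con, char *label, size_t llen, char *mode, size_t mlen)
{
    char buf[512];
    size_t n = strlen(con);
    if (n == 0 || n >= sizeof(buf))
        return -1;
    memcpy(buf, con, n + 1);
    if (buf[n - 1] == '\n')
        buf[--n] = '\0';
    if (n == 0)
        return -1;
    mode[0] = '\0';
    /* the mode is a " (mode)" suffix; a hat label keeps its "//" intact */
    char *paren = strrchr(buf, '(');
    if (buf[n - 1] == ')' && paren && paren > buf + 1 && paren[-1] == ' ') {
        buf[n - 1] = '\0';                 /* drop the closing ')' */
        paren[-1] = '\0';                  /* end the label before " (" */
        snprintf(mode, mlen, "%s", paren + 1);
    }
    snprintf(label, llen, "%s", buf);
    return 0;
}

/* Read and parse the raw attr file; -1 (with errno set by fopen/fgets) when
 * the file is absent or AppArmor is not the LSM answering the query. */
int aa_read_con(char *label, size_t llen, char *mode, size_t mlen)
{
    char raw[512];
    FILE *f = fopen(AA_ATTR_CURRENT, "r");
    if (!f)
        return -1;
    if (!fgets(raw, sizeof(raw), f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return aa_parse_con(raw, label, llen, mode, mlen);
}

int main(void)
{
    char label[256], mode[32];
    if (aa_read_con(label, sizeof label, mode, sizeof mode) < 0) {
        perror("AppArmor confinement query failed");
        return 1;
    }
    printf("label=%s mode=%s\n", label, mode[0] ? mode : "(none)");
    return 0;
}
```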

