[apparmor] Need rewrite of http://wiki.apparmor.net/index.php/Main_Page#Description AND/OR http://wiki.apparmor.net/index.php/AppArmor:About
rowlett at cloud85.net
Sat May 21 19:02:45 UTC 2016
On 5/20/2016 2:29 PM, Seth Arnold wrote:
> On Fri, May 20, 2016 at 10:37:53AM -0500, Richard Owlett wrote:
>> I'm potentially a new user of AppArmor.
>> http://wiki.apparmor.net/index.php/Main_Page#Description states:
>> "AppArmor security policies completely define what system resources
>> individual applications can access, and with what privileges."
>> Is too vague to be useful to some one unfamiliar with the application.
>> http://wiki.apparmor.net/index.php/AppArmor:About is *EMPTY*.
> Hello Richard, thanks for the advice, I'll try to get to this soon. It's
> always nice to get feedback from fresh eyes.
I did some searching with different keywords and found
Edited to conform to what I would like to see as a brief
description, it becomes:
AppArmor is a Mandatory Access Control (MAC) system which is a kernel
(LSM) enhancement to confine programs to a limited set of resources.
AppArmor's security model is to bind access control attributes to
programs rather than to users. AppArmor confinement is provided via
profiles loaded into the kernel, typically on boot. AppArmor profiles
can be in one of two modes: enforcement and complain. Profiles in
enforcement mode will result in enforcement of the policy defined in the
profile as well as reporting policy violation attempts (either via
syslog or auditd). Profiles in complain mode will not enforce policy but
instead report policy violation attempts. AppArmor differs from some
other MAC systems on Linux: it is path-based, it allows mixing of
enforcement and complain mode profiles, it uses include files to ease
development, and it has a far lower barrier to entry than other
MAC systems. AppArmor is an established technology first seen in
and later integrated into Ubuntu, Novell/SUSE, and Mandriva. Core
AppArmor functionality is in the mainline Linux kernel from 2.6.36
onwards; work is ongoing by AppArmor, Ubuntu and other developers to
merge additional AppArmor functionality into the mainline kernel.
Properties of AppArmor include:
* profiles are simple text files
* comments are supported in the profile
* absolute paths as well as file globbing can be used when
* various access controls for files are present.
* access controls for networking are present
* specificity in rule matching, ie the most specific rule matches
* include files are supported to ease development and simplify
* variables can be defined and manipulated outside the profile
* AppArmor profiles are easy to read and audit
More information about the AppArmor
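To make the properties listed in the proposed description concrete, here is a small profile written for this reply as an added illustration; it is not taken from the AppArmor wiki or from any shipped profile. The confined binary /usr/bin/example, its config directory, its log file and the ~/.example directory are all hypothetical. The profile exercises comments, an include file, the @{HOME} variable from tunables/global, absolute paths alongside ** globbing, per-file access modes, a network rule, and the complain-mode flag:

```apparmor
# /etc/apparmor.d/usr.bin.example  (hypothetical profile for a hypothetical binary)
# Lines starting with '#' are comments; '#include' is the one exception and
# pulls in another profile fragment. tunables/global defines variables such
# as @{HOME} that can be changed outside the profile itself.
#include <tunables/global>

# flags=(complain): violations are logged but not blocked. Remove the flag,
# or run aa-enforce on the profile, to switch to enforcement mode.
/usr/bin/example flags=(complain) {
  # Common permissions every program needs (libc, locale, /dev/null, ...).
  #include <abstractions/base>

  # Networking is controlled separately from files: allow TCP over IPv4/IPv6.
  network inet stream,
  network inet6 stream,

  # The program itself: read and memory-map as executable.
  /usr/bin/example mr,

  # Absolute path with globbing: read anything under /etc/example/, recursively.
  /etc/example/** r,

  # A single file with a different access mode: write-only log.
  /var/log/example.log w,

  # Variable plus globbing: the user's state directory, read/write/lock.
  @{HOME}/.example/ rw,
  @{HOME}/.example/** rwk,

  # Execute a helper under its own (separate) profile with a scrubbed environment.
  /usr/bin/gzip Px,

  # Explicit deny rules: carve an exception out of the broader allow above
  # and record any attempt in the audit log.
  deny /etc/example/secret.key r,
  audit deny @{HOME}/.ssh/** rwklx,
}
```

Loading and switching modes uses the standard tools: `apparmor_parser -r /etc/apparmor.d/usr.bin.example` loads or replaces the profile in the kernel, `aa-complain` and `aa-enforce` (from apparmor-utils) toggle the mode, and `aa-status` shows which profiles are loaded in which mode. Rejected or logged accesses appear as `apparmor="DENIED"` or `apparmor="ALLOWED"` records in syslog or auditd, which is what the complain-mode workflow reads when building a profile.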