[apparmor] Addressing limitations in DAC
Seth Arnold
seth.arnold at canonical.com
Mon Jun 28 20:05:36 UTC 2021
On Sun, Jun 27, 2021 at 03:01:10AM +0530, Murali Selvaraj wrote:
> - I would like to understand limitations in DAC which are addressed in
> Apparmor. Please share any simple examples to understand this query.
The usual example is users using chmod 777 on their own documents because
they heard once that this solves permissions problems. A MAC tool
restricts what processes can do with this file, even though the DAC
permisssions allow all processes to read and write the file.
A less user-oriented example is something like Apache: you may want it to
serve your website, but not serve your /etc/passwd file (which is
intentionally world readable.)
> - Does command line injection (SECVUL) issue be addressed if we use
> Apparmor? If so, give a real time example for the reference.
Not really, though it depends upon the specifics of your software: if
your software accepts filenames as command line parameters, AppArmor can
help ensure that it only has permission to open some subset of files on
the system.
> - In other words, by restricting the system resource using Apparmor,
> what are the major security leaks are we avoiding? Pls share
> additional details if available.
You can make sure that your web server can only serve web pages,
your database server can only import and export data through specific
locations, your interactive users over ssh can't perform administrative
actions without using your specific auditing tool, You could make sure
that the software that analyzes photos can't do networking and can't
run anything else that can do networking, either. Or you could make
sure that some proprietary tool that you must run but you can't audit
the source code for can't read your ssh and gpg keys and can only write
into its specific directory.
If you've got a computer that only does one thing, maybe a MAC isn't very
useful. But if your computer does two or more things, you can specify what
interactions are allowed, using which communication channels.
Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20210628/a66e41f0/attachment.sig>
More information about the AppArmor
mailing list