[apparmor] Reg.Apparmor vs Hardening
John Johansen
john.johansen at canonical.com
Tue Mar 30 20:38:17 UTC 2021
On 3/30/21 10:54 AM, Murali Selvaraj wrote:
> Hi All,
>
> As per my understanding with the help of Apparmor profile we are
> restricting the access to the process in terms of
> its resources/namespaces.
>
> It looks similar to hardening where we are restricting the resources to process.
>
correct
> Does it mean, technically Hardening and Apparmor profiles look the
> same or different? Can you please share your comments.
>
AppArmor is a form of hardening, specifically it's a mandatory access control system.
Think of it like a sandbox with fine grained sharing.

Hardening is an umbrella term that covers a whole bunch of different things you can
do to protect an application or system. It can be things like: compiler hardening e.g.
inserting a check for stack frame overflow before return, address space layout
randomization (ASLR), mandatory access control, containerization, even memory
encryption.

You can get an idea of how broad the topic is by looking at the set of different
hardening techniques Ubuntu has applied to different parts of their distro (other
distros do it too, I just happen to have this link handy).

https://wiki.ubuntu.com/Security/Features
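
An added example, not part of the original message or the AppArmor project: a small Python audit that shows three of the layers named above (ASLR, compiler hardening, AppArmor confinement) side by side for one process. It assumes Linux with /proc mounted; the ELF checks are heuristics and the function names are illustrative.

```python
import re

# Meaning of /proc/sys/kernel/randomize_va_space values.
ASLR_LEVELS = {0: "disabled", 1: "stack, mmap and vDSO", 2: "full (heap too)"}

def parse_apparmor_label(raw):
    """Split /proc/<pid>/attr/current content into (profile, mode)."""
    label = raw.strip("\x00\n ")
    if label == "unconfined":
        return ("unconfined", None)
    m = re.fullmatch(r"(.+) \((\w+)\)", label)
    # No match: another LSM's label or a format this sketch does not know.
    return (m.group(1), m.group(2)) if m else (label, None)

def elf_hardening(data):
    """Heuristic compiler-hardening checks on the raw bytes of an ELF file."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    order = "little" if data[5] == 1 else "big"   # EI_DATA byte
    e_type = int.from_bytes(data[16:18], order)
    return {
        # ET_DYN (3): position independent, so ASLR can move the main image.
        "pie": e_type == 3,
        # Reference to the stack canary failure handler; may be absent in
        # stripped static binaries even when the protector was used.
        "stack_protector": b"__stack_chk_fail" in data,
    }

def report(pid="self"):
    """Collect the layers for one process from /proc (Linux only)."""
    out = {}
    with open("/proc/sys/kernel/randomize_va_space") as f:
        out["aslr"] = ASLR_LEVELS.get(int(f.read()), "unknown")
    try:
        with open(f"/proc/{pid}/attr/current") as f:
            out["apparmor"] = parse_apparmor_label(f.read())
    except OSError:   # no LSM exposing this file, or no permission
        out["apparmor"] = ("unavailable", None)
    with open(f"/proc/{pid}/exe", "rb") as f:
        out.update(elf_hardening(f.read()))
    return out

if __name__ == "__main__":
    for layer, state in report().items():
        print(f"{layer:16} {state}")
```

Each row is independent of the others: a binary can be PIE with a stack protector and still run unconfined, or be confined by an enforcing profile while built without either compiler feature.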