[ubuntu-hardened] AppArmor for Ubuntu
Crispin Cowan
crispin at novell.com
Wed Mar 1 00:52:48 GMT 2006
Herman Bos wrote:
> Certainly looks interesting. If its packaged I would love to give it
> a test run. Too bad its too late to get the packages into dapper. But
> an external repository would be fine.
I had dinner this evening with an Ubuntu user in London, and he
explained to me that Ubuntu will go into a "specifications" phase in
about 6 weeks. It would therefore be useful for people who write such
specifications to have tried AppArmor at that time.
> I guess this stuff cannot be combined with the VSecurity module? If
> not can it also cover stuff like TPE (Trusted Path Execution) and
> other features VSecurity covers? As I understand they are both totally
> different in features and approach.
I am not familiar with VSecurity. I just had a 30-second look at the web
site, and there is some overlap: BSD Jails and AppArmor profiles are
related, and somewhat redundant. By analogy to programming languages,
Jails are confinement by value, and AppArmor profiles are confinement by
reference.
AppArmor does incorporate the OpenWall file linking security that
VSecurity provides.
AppArmor does not yet provide network access controls. Our goal is to
provide IPTables-level access controls per application, but there are
semantic issues with the LSM hooks that make this difficult.
AppArmor does not provide for Trusted Path Execution protection. TPE
could either be incorporated into the AppArmor module, or a simple TPE
module could be stacked with AppArmor.
We made a design decision to not manage process limits, as ulimits
already exists. What additional controls does VSecurity provide that
ulimits does not?
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Olympic Games: The Bi-Annual Festival of Corruption
More information about the ubuntu-hardened
mailing list