AppArmor

Joe posted an enthusiastic description of AppArmor: a Novell technology that uses the Linux security infrastructure to improve the security of your system. Novell originally acquired this proprietary product last year and included it with OpenSUSE and open sourced the effort.

Joe links to a recent presentation at FOSDEM which is worth watching as it explains how AppArmor works and demostrates how you can augment the rules in AppArmor for your own applications and how you can secure a web site.

I once got the demo live, and it was fairly impressive as I was given a root shell, but was basically unable to escape the "sandbox" that AppArmor had created.

Both AppArmor and SELinux use the same kernel infrastructure to create the sandbox. From the AppArmor FAQ I liked this explanation:

SELinux is an implementation of mandatory access controls that uses labeled security, ie, the application of a tag to each data file that identifies that file's appropriate security level. Labeled security has advantages in organizations where secrecy is paramount, that is, ensuring that only those authorized at appropriate clearance levels can view a given piece of data. The labels allow the operating system to handle data with appropriate controls, eliminating the need to store the information on multiple computers of varying security levels. Although this feature has value to organizations such as intelligence agencies whose main goal is to keep secret information secret, it introduces a significant level of complexity and has limited value to most commercial enterprises whose primary objective is data integrity, ie, preventing the corruption of data.

The FAQ goes into a larger comparison with SELinux if you are interested in that.

Posted on 07 Mar 2006 by Miguel de Icaza
This is a personal web page. Things said here do not represent the position of my employer.