An overview of AppArmor

1
An overview of AppArmor

• Doug Stanley07/17/2010
• An overview of AppArmor

2
What is it?

• Application Security System
• Mandatory Access Control
• Makes sure that applications behave as expected
• Can protect against zero day and unknown flaws

3
Brief History

• Originally created by Immunix
• Immunix acquired by Novell in 2005
• In 2007, Novell laid off the AppArmor staff
• Currently seems to be maintained by the community

4
Why AppArmor?

• Discretionary access control is not enough
• Hard to make applications 100 secure
• Define what "good" application behavior is.
• It's relatively easy to use

5
So, how does it work?

• Implemented as an LSM
• Protects individual applications
• More precisely, protects system from applications
• Profiles define appropriate behavior
• Uses Posix Capabilites

6
Some features of AppArmor

• Automated tools for created profiles are
  available
• Profiles are human readable text files
• Path based restrictions
• Filesystem neutral
• Ability to "include" profiles in other profiles
• Allows for having both enforced and complain
  profiles
• Can also restrict network operations
• Tamperproof

7
Some drawbacks of AppArmor

• Path based restrictions
• Too "easy"?
• Not truly complete mediation
• Only protects applications for which a profile
  exists

8
AppArmor vs SELinux

• Path based vs Label based
• How they're integrated in the system
• Managed differently

9
Anatomy of a profile

• Sample profile for tcpdump from the Ubuntu wiki
  1include lttunables/globalgt/usr/sbin/tcpdump
  include ltabstractions/basegtinclude
  ltabstractions/nameservicegtinclude
  ltabstractions/user-tmpgtcapability
  net_raw,capability setuid,capability
  setgid,capability dac_override,network
  raw,network packet,

10
Anatomy of a profile continued

• for -Dcapability sys_module,_at_PROC/bus/usb/
  r,_at_PROC/bus/usb/ r, for -F and -waudit
  deny _at_HOME/. mrwkl,audit deny _at_HOME/./
  rw,audit deny _at_HOME/./ mrwkl,audit deny
  _at_HOME/bin/ rw,audit deny _at_HOME/bin/
  mrwkl,_at_HOME/ r,_at_HOME/ rw,/usr/sbin/tcpdu
  mp r,For a complete list of capabilities, see
  18

11
Principles of Secure Design

• Least Privilege
• Fail-Safe Defaults
• Complete Mediation
• For protected applications
• Defense in Depth
• Open Design
• Privilege Separation
• Psychological Acceptance

12
Conclusion

• Psychologically acceptable
• Good balance of ease of use and security
• Not overly confusing
• Application developers can create profiles for
  users
• Effective

13
References

• https//wiki.ubuntu.com/AppArmor
• http//en.wikipedia.org/wiki/AppArmor
• http//www.linux-magazine.com/Issues/2006/69/COUNT
  ERPOINT
• http//developer.novell.com/wiki/index.php/Apparmo
  r_FAQ
• http//www.novell.com/linux/security/apparmor/seli
  nux_comparison.html
• http//developer.novell.com/wiki/index.php/Apparmo
  r_FAQ
• https//help.ubuntu.com/9.10/serverguide/C/apparmo
  r.html
• http//www.nuxified.org/blog/novells_comparison_of
  _apparmor_and_selinux
• https//apparmor.wiki.kernel.org/index.php/Documen
  tation
• http//en.wikipedia.org/wiki/SELinux
• http//en.wikipedia.org/wiki/Linux_Security_Module
  s
• http//en.wikipedia.org/wiki/Immunix
• http//www.defcon.org/images/defcon-15/dc15-presen
  tations/dc-15-cowan.pdf
• http//www.linux-magazine.com/w3/issue/69/AppArmor
  _vs_SELinux.pdf
• http//www.ratliff.net/blog/2007/10/03/security-de
  sign-principles/
• http//selinuxproject.org/page/FAQ
• http//manpages.ubuntu.com/manpages/karmic/en/man7
  /apparmor.7.html
• http//manpages.ubuntu.com/manpages/karmic/en/man7
  /capabilities.7.html