Slashdot Mirror


Novell Open Sources AppArmor

Crispin Cowan writes "Novell has announced the release of their AppArmor security system into open source. AppArmor is an application security system that confines programs, enforcing that they are permitted to do only what they are supposed to do, and nothing else. AppArmor is an LSM module that is an alternative to SELinux, but arguably much easier to use. Now in open source, AppArmor is included with every SUSE Linux distro, including openSUSE."

14 comments

  1. Icon? by bpd1069 · · Score: 0

    With a name like that I hope they use something like Red Armor from good ol' Quake, and not that weak green stuff...

  2. Translation please by Crayon+Kid · · Score: 4, Interesting

    IRTFA.

    But I suspect most of us will still need someone to put some things in plain English. I even read the "detailed description" and no go. Call me Dumbo.

    *Is it kernel space or userspace?
    *What's with those "3rd party config files"? If we wait for [all the] apps to catch up, good luck. See how "widely" the user home config file spec from FDO was implemented, and that one needs just an effort of good will.
    *Isn't it a bit strange to let a 3rd app specify its own security config on YOUR machine's context?
    *What exactly do they mean by "easy to use"? No, miles long text files where you have to write down what files each program can access are not "easy to use".

    --
    i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
    1. Re:Translation please by laptop006 · · Score: 1

      LSM implies kernel space, but the management would be in userspace. As for the rest, let's just say I'll stick with SELinux.

      --
      /* FUCK - The F-word is here so that you can grep for it */
    2. Re:Translation please by q.kontinuum · · Score: 5, Informative

      > *Is it kernel space or userspace?

      I'd guess, some userspace tools to do the setting, but the security (enforcement of those rules) has to be implemented in kernel space


      > *What's with those "3rd party config files"? If we wait for [all the] apps to catch up, good luck. See how "widely" the user home config file spec from FDO was implemented, and that one needs just an effort of good will.

      For AppArmor it would already help to do the configuration for the most exposed programs, e.g. mail client, ftp server, browser, etc.


      > *Isn't it a bit strange to let a 3rd app specify its own security config on YOUR machine's context?

      Why? Most people install software as root without a blink. The default properties (e.g. does the ftp server run as root or does it get its own user ID) are set by the package maintainer. People with knowledge can tweak the settings to match their standards, but by default the package maintainer has already maintained security-relevant default settings. It would be strange if the user couldn't change the settings anymore.


      > *What exactly do they mean by "easy to use"? No, miles long text files where you have to write down what files each program can access are not "easy to use".

      I didn't read everything about it, but as far as I got it, easy to use means:

      You can configure a single application without the need of configuring the whole system

      Profiling tools are available to track what an application does, so if you trust your application for an evaluation period you could build a ruleset from the actions the application was required to perform during the test run

      --
      Trolling is a art!
    3. Re:Translation please by Crispin+Cowan · · Score: 5, Informative
      I don't understand what is unclear. The detailed description spends six paragraphs explaining how and why mediation is done in the kernel and not at other layers. It also goes into considerable detail on how the static analysis and dynamic learning tools mean that you do not have to write out long lists of what files each program can use; the software does that for you. That is what makes it "easy to use."

      You do not have to "wait for all the apps to catch up." Anyone can create a profile for an application, all you need is a decent use case for the application. You do not need to modify the application at all.

      IMHO, it is not so strange that the security policy for an application comes from the provider of the application. Consider that without AppArmor, you are completely trusting the application provider, because the application can do absolutely anything the invoking user can do. Providing an AppArmor profile means that you have an explicit declaration of what the application is permitted to do.

      You can even edit it to suit your taste, if you like. For instance, it annoys the crap out of me that Adobe Acrobat actually supports embedded Javascript inside PDF documents. This annoys me because vendors embed Javascript inside documents that act like web-bugs, reporting back to the vendor each time you open the document! Eww! So the Acrobat profile on my personal workstation has been hacked to not provide access to Javascript libraries to the Acrobat program, thus depriving spyware PDF files of the opportunity to execute and squeal on me.

      Crispin
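
The two replies above describe building a profile from what a program was observed doing, then trimming it by hand. The sketch below is an added example, not part of the thread and not Novell's tooling: it turns constructed complain-mode audit records into file rules and leaves out one directory so that an enforced profile would refuse it. The program name `/usr/bin/pdfviewer`, all paths, and the helper names `learn_rules` and `render_profile` are hypothetical; the log lines use the key="value" layout of current AppArmor audit records, and only read/write file rules are handled.

```python
import re

# Constructed complain-mode audit records (current AppArmor key="value" layout).
# The program name and every path are hypothetical.
SAMPLE_LOG = """\
type=AVC msg=audit(1136937600.101:41): apparmor="ALLOWED" operation="open" profile="/usr/bin/pdfviewer" name="/home/alice/docs/report.pdf" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1136937600.205:42): apparmor="ALLOWED" operation="open" profile="/usr/bin/pdfviewer" name="/opt/pdfviewer/plugins/js/engine.so" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1136937601.007:43): apparmor="ALLOWED" operation="mknod" profile="/usr/bin/pdfviewer" name="/home/alice/.pdfviewer/history" requested_mask="c" denied_mask="c"
type=AVC msg=audit(1136937601.150:44): apparmor="ALLOWED" operation="open" profile="/usr/bin/pdfviewer" name="/home/alice/.pdfviewer/history" requested_mask="wr" denied_mask="wr"
type=AVC msg=audit(1136937602.300:45): apparmor="ALLOWED" operation="open" profile="/usr/sbin/otherd" name="/etc/shadow" requested_mask="r" denied_mask="r"
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')
# Create/delete/append requests are folded into "w"; other masks are ignored here.
TO_PERM = {"r": "r", "w": "w", "c": "w", "d": "w", "a": "w"}


def learn_rules(log, profile, withhold=()):
    """Map each path the profiled program touched to the permissions it used.

    Paths under a `withhold` prefix get no rule; an enforced profile denies
    anything it does not list, so leaving them out blocks them.
    """
    rules = {}
    for line in log.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("apparmor") != "ALLOWED" or f.get("profile") != profile:
            continue
        path = f.get("name", "")
        if not path or any(path.startswith(p) for p in withhold):
            continue
        perms = {TO_PERM[c] for c in f.get("requested_mask", "") if c in TO_PERM}
        if perms:
            rules.setdefault(path, set()).update(perms)
    return {p: "".join(c for c in "rw" if c in s) for p, s in sorted(rules.items())}


def render_profile(profile, rules):
    """Emit the learned rules in AppArmor profile syntax."""
    body = "".join(f"  {path} {perms},\n" for path, perms in rules.items())
    return f"{profile} {{\n{body}}}\n"


if __name__ == "__main__":
    learned = learn_rules(SAMPLE_LOG, "/usr/bin/pdfviewer",
                          withhold=("/opt/pdfviewer/plugins/js/",))
    print(render_profile("/usr/bin/pdfviewer", learned))
```

A real profile also carries abstractions, capabilities and exec transitions, and the learned rules should be reviewed before switching the profile from complain to enforce mode.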

    4. Re:Translation please by Anonymous Coward · · Score: 0

      How did you do that? There has to be a few people here besides me that would like to do similar.

  3. The license will be GNU GPL by H4x0r+Jim+Duggan · · Score: 1, Informative

    (see Subject)

    1. Re:The license will be GNU GPL by dndfan · · Score: 1

      Well, that still says nothing of its capabilities and usability.

      --
      echo "This is not a lame sig generated through a pipe." | cat - > .signature
  4. That says a lot about its capabilities & usabi by H4x0r+Jim+Duggan · · Score: 1

    That says you can use it - for any purpose, and it's capable of being studied, modified, patched, forked, audited, etc.

  5. Managed runtime? by Hard_Code · · Score: 1

    Instead of ad-hoc security sandboxes (jails, chroot, now apparmor) wouldn't it be better to just transition to a managed runtime where all apps get all of this for free? I believe Solaris (and maybe now the Linux kernel) supports some sort of kernel-level filter or instrumentation that can apply a policy on a per-application basis, but it seems like moving to a managed runtime with built-in security sandbox across the board would be a better idea.

    --

    It's 10 PM. Do you know if you're un-American?
    1. Re:Managed runtime? by Bloater · · Score: 1

      > Instead of ad-hoc security sandboxes (jails, chroot, now apparmor) wouldn't it be better to just transition to a managed runtime where all apps get all of this for free?

      You can run your apps under qemu if you want, I however will go with the security module. All those apps are already compiled to the bytecode interpreted by some CPU, so your managed runtime needs to jit compile that as if it were an IL (intermediate language).

      Also, nowadays low-level languages like the intel architecture 32 and amd64 instruction sets actually *are* interpreted and jit compiled by a managed runtime in the CPU. The managed runtime calls back into plug-in code (the kernel, running in ring 0) written in the interpreted language itself. This call-back implements policy decisions and some functionality that doesn't need to be hardcoded into the managed runtime itself. A modern OS on a modern CPU is just like a really flexible managed runtime with a powerful policy and library plug-in, so I don't know what you are asking for exactly.

  6. Useful for TC by mojo-raisin · · Score: 1

    I think a system like this would be useful for a Trusted Computing (TC - http://en.wikipedia.org/wiki/Trusted_computing ) system on Linux. TC does have some good uses, and having the OS cooperate with Intel's hardware (La Grande - http://www.intel.com/technology/security/ ) would be great.

  7. Re:windows linux by Anonymous Coward · · Score: 0

    windows > linux

    I don't understand.
    Why do you want to put a BSoD image in a file called linux?