AppArmor Update 2014 Linux Security Summit

Slides:



Advertisements
Similar presentations
What is an operating system? Is it software?
Advertisements

RIP V1 W.lilakiatsakun.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Using DSVM to Implement a Distributed File System Ramon Lawrence Dept. of Computer Science
 Introduction Originally developed by Open Software Foundation (OSF), which is now called The Open Group ( Provides a set of tools and.
CMPTR1 CHAPTER 3 COMPUTER SOFTWARE Application Software – The programs/software/apps that we run to do things like word processing, web browsing, and games.
C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.
Linux Operations and Administration
Lecture 14: Operating Systems Intro to IT COSC1078 Introduction to Information Technology Lecture 14 Operating Systems James Harland
Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as .
Computer Security & OS Lab. DKU May 26 Younsik Jeong Ph.D. Student.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.
Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.
ANDROID Presented By Mastan Vali.SK. © artesis 2008 | 2 1. Introduction 2. Platform 3. Software development 4. Advantages Main topics.
1 Implementation of Security-Enhanced Linux Yue Cui Xiang Sha Li Song CMSC 691X Project 2—Summer 02.
ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.
Core System Services. INIT Daemon The init process is the patron of all processes. first process that gets started in any Linux/ UNIX -based system.
Core 3: Communication Systems. Network software includes the Network Operating Software (NOS) and also network based applications such as those running.
2: Operating Systems Networking for Home & Small Business.
Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK
Chapter 4: server services. The Complete Guide to Linux System Administration2 Objectives Configure network interfaces using command- line and graphical.
Linux Kernel Security (SELinux vs AppArmor vs Grsecurity)
1 Remote Installation Service Windows 2003 Server Prof. Abdul Hameed.
D-Bus with Perl Emmanuel Rodriguez Vienna What is D-Bus? ● A message bus system (IPC) – Influenced by KDE's DCOP – Language independent (C/C++,
SE Linux Implementation Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework.
Computer Basics.
application into a Flatpak
Understanding Android Security
File System Implementation
ONYX 12.2.
Credits: 3 CIE: 50 Marks SEE:100 Marks Lab: Embedded and IOT Lab
UBUNTU INSTALLATION
Chapter 2: Operating-System Structures
Overview – SOE PatchTT December 2013.
Chapter 2: System Structures
Ubuntu Touch Internals
Dovetail project update
GLAST Release Manager Automated code compilation via the Release Manager Navid Golpayegani, GSFC/SSAI Overview The Release Manager is a program responsible.
Containers and Virtualisation
AppArmor LSM Update Introduce self John Johansen.
Introduction to Operating System (OS)
AppArmor Update 2015 Linux Security Summit
Virtualization overview
CMPE419 Mobile Application Development
Making the LSM available to containers FOSDEM18
Chapter 3: Windows7 Part 4.
Introduction to the Kernel and Device Drivers
Knowledge Byte In this section, you will learn about:
An Introduction to Device Drivers
IIS.
Agenda Intro Why use containers at all? Linux Kernel: a pop of history
Exploring the UNIX File System and File Security
Network management system
Computers: Hardware and Software
Chapter 2: The Linux System Part 2
By - Ricardo Sanchez, Ken Wolters and William Hibbard
Chapter 2: The Linux System Part 1
Chapter 2: Operating-System Structures
Linux Architecture Overview.
Operating Systems Networking for Home and Small Businesses – Chapter 2 – Introduction To Networking.
Linux and TCP/IP Networking
Understanding Android Security
Chapter 2: Operating-System Structures
System Calls System calls are the user API to the OS
Chapter 2: Operating-System Structures
Anant Mudambi, U. Virginia
CMPE419 Mobile Application Development
Presentation transcript:

AppArmor Update 2014 Linux Security Summit Presentation by Tyler Hicks tyhicks@canonical.com www.canonical.com August 2014

What's driving AppArmor development at Canonical? Securing container workloads with the ability to place the container in its own AppArmor policy namespace Application isolation for Ubuntu phone and tablet images wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinem ent

Recent improvements

Confining the container and the processes inside Rework of AppArmor labeling is underway to gain the ability to cache more than one label on an object Also allows for better caching of permissions to avoid some path lookups Compound labels and policy namespaces allow containers to be confined as a whole by one AppArmor profile in the “host” and then an entirely new set of AppArmor profiles can be used to confine the individual processes inside the container Potential for users to load their own AppArmor policy inside their user namespaces For more information, see the presentation from LSS 2013 selinuxproject.org/~jmorris/lss2013_slides/jj_apparmor-labeling- 2013.odp

Fine-grained mediation in dbus-daemon Sending and receiving of messages can be filtered on bus name, path, interface, member name, peer name, and peer label dbus (receive, send) bus=session path=/com/ubuntu/connectivity1/NetworkingStatus, Bind rules can enforce a specific well-known name and a bus name dbus bind name=org.gnome.keyring, Eavesdropping rules can specify the bus name dbus eavesdrop bus=system, dbus-daemon patches have been submitted upstream https://bugs.freedesktop.org/show_bug.cgi?id=75113

Mediation of signals and ptrace Signal mediation allows for rules to specify the signal(s) and the peer # Send SIGHUP and SIGINT to any process signal (send) set=(hup, int), # Allow libvirtd to send us signals signal (receive) peer=/usr/sbin/libvirtd, Ptrace trace and tracedby permissions govern ptrace(2) Ptrace read and readby govern certain /proc accesses, kcmp(2), futexes (get_robust_list(2)) and perf trace events # Allow unconfined processes (eg, a debugger) to ptrace us ptrace (readby, tracedby) peer=unconfined, penguindroppings.wordpress.com/2014/06/06/application-isolation-with-apparmor- part-iv/

Other notable changes Userspace utilities were rewritten from Perl to Python3 aa-status, aa-enforce, aa-genprof, etc. Google Summer of Code project systemd unit config file support for specifying the name of an AppArmor profile to switch to when starting a new process Parser improvements Minimization changes provided an average of 40% to 50% improvement in compilation times Differential compression provides a 50% smaller binary policy and a 30% to 40% improvement in compilation times for large profiles Atomic loading of cache files that contain multiple profiles decreases load times

Looking forward

Network mediation UNIX domain sockets will soon have fine-grained mediation Can specify socket type, path, and socket label # Allow communication with D-Bus session bus unix (connect, send, receive) type=stream path=”@/tmp/dbus-*”, Still have course controls available for any protocol family that doesn't yet have fine-grained mediation Additional address families will receive fine-grained mediation INET INET6 NETLINK

Smarter binary policy caching Multiple, versioned binary policy caches Each policy cache will be tied to a unique feature set advertised by AppArmor in securityfs Supports multiple policy versions so that hardware enablement kernels can be used on older releases Ubuntu will soon generate the policy cache during kernel install instead of doing it at boot Some cached policies for the Ubuntu phone images are already being generated server side to avoid having to compile them on the phone

Additional important pieces Provide library interface for policy compiler and loader Needed for full systemd support More policy compiler performance enhancements Expose a wider permission set to the policy language For example, the write permission currently expands to setattr, create, delete, chmod, chown, open, and delete but it may be useful to expose more of these permissions Finish labeling and profile stacking work to provide full container confinement

Questions please Thank you Tyler Hicks tyhicks@canonical.com www.canonical.com

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.