AppArmor Update 2015 Linux Security Summit

Presentation transcript:

AppArmor Update 2015 Linux Security Summit
Presentation by John Johansen, john.johansen@canonical.com, www.canonical.com
August 2015

What's driving AppArmor development at Canonical?
- Securing container workloads, with the ability to place the container in its own AppArmor policy namespace
- Application isolation for Ubuntu phone and tablet images: wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement

Recent improvements

Kernel side
- Framework for socket labeling
  - Supports the older simple AF masking rules
  - "Plug-in" architecture for finer-grained per-AF mediation
  - Unix domain sockets: first AF "plug-in" implemented
- Labeling core
- Bug fixing (apologies to our users)
- Revision & cleanup
  - Improved backporting support (Android kernels)
  - Improved support for policy versions
- Revisions on the new features from last year (signal, ptrace, ...)

Userspace
- Upstreamed dbus daemon mediation support
- Lots of bug fixing on the new userspace tools (started as a GSoC project)
- New library APIs for:
  - Compiled policy cache management
  - Compiled policy loading
  - Feature set support / ABIs supported by the kernel
- Basic systemd integration
- Server-side policy compile for image-based updates
- Policy compiler improvements (up to 40% faster)

Looking forward

Kernel
- Ideally nothing until ...
- Finish cleanup and upstream the out-of-tree kernel patches
- Extension to support userspace helper daemons
- Namespace stacking
- Secmark support
- Ioctl whitelisting (for some strange reason this has increased in priority)
- Filling in the gaps (kdbus, binder, …)
- Improvements to learning mode
- Better support of bring-up mode
- Performance improvements

Userspace
- Finish systemd integration
  - Directly use the policy load API
- More policy compiler performance enhancements
- dconf/gsettings privsep
  - Policy enforces no direct access to the database
  - Library reroutes to a daemon, which consults and enforces policy
- Better policy versioning support
- Policy improvements
- Address developer complaints
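Added example, not from the slides or the AppArmor project: a constructed profile that ties together the Unix domain socket mediation from the kernel section and the dconf/gsettings privsep model above. It assumes a hypothetical application at /usr/bin/example-app, that the dconf writer daemon runs confined under a profile named dconf-service, and the usual dconf database path under $HOME/.config/dconf; the dbus object path and interface are dconf's documented ones.

```apparmor
# Constructed example profile; paths and profile names are assumptions.
#include <tunables/global>

profile example-app /usr/bin/example-app {
  #include <abstractions/base>

  # Per-AF mediation: the only AF_UNIX peer this app may talk to is the
  # confined dconf service (peer matched by its AppArmor label).
  unix (connect, send, receive) type=stream peer=(label=dconf-service),

  # dbus mediation: settings changes go through the writer daemon, which
  # consults and enforces policy before touching the database.
  dbus (send) bus=session
       path=/ca/desrt/dconf/Writer/user
       interface=ca.desrt.dconf.Writer
       member=Change
       peer=(name=ca.desrt.dconf),

  # Privsep: no direct access to the dconf database or its runtime shm file,
  # even though the app's uid owns them. Audit so violations show up in logs.
  audit deny owner @{HOME}/.config/dconf/user rw,
  audit deny /run/user/[0-9]*/dconf/user rw,

  # The application's own state is the only thing it may write.
  owner @{HOME}/.cache/example-app/** rwk,
}
```

With the profile in enforce mode, an attempt by the app to open the database directly is denied and logged as an `apparmor="DENIED"` audit event, while writes routed through the dbus writer interface succeed.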

Questions please
Thank you
John Johansen, john.johansen@canonical.com, www.canonical.com