Presentation is loading. Please wait.

Presentation is loading. Please wait.

AppArmor Update 2014 Linux Security Summit

Published byGabriel Freeman Modified over 6 years ago

Similar presentations

Presentation on theme: "AppArmor Update 2014 Linux Security Summit"— Presentation transcript:

1 AppArmor Update 2014 Linux Security Summit
Presentation by Tyler Hicks August 2014

2 What's driving AppArmor development at Canonical?
Securing container workloads with the ability to place the container in its own AppArmor policy namespace Application isolation for Ubuntu phone and tablet images wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinem ent

3 Recent improvements

4 Confining the container and the processes inside
Rework of AppArmor labeling is underway to gain the ability to cache more than one label on an object Also allows for better caching of permissions to avoid some path lookups Compound labels and policy namespaces allow containers to be confined as a whole by one AppArmor profile in the “host” and then an entirely new set of AppArmor profiles can be used to confine the individual processes inside the container Potential for users to load their own AppArmor policy inside their user namespaces For more information, see the presentation from LSS 2013 selinuxproject.org/~jmorris/lss2013_slides/jj_apparmor-labeling odp

5 Fine-grained mediation in dbus-daemon
Sending and receiving of messages can be filtered on bus name, path, interface, member name, peer name, and peer label dbus (receive, send) bus=session path=/com/ubuntu/connectivity1/NetworkingStatus, Bind rules can enforce a specific well-known name and a bus name dbus bind name=org.gnome.keyring, Eavesdropping rules can specify the bus name dbus eavesdrop bus=system, dbus-daemon patches have been submitted upstream

6 Mediation of signals and ptrace
Signal mediation allows for rules to specify the signal(s) and the peer # Send SIGHUP and SIGINT to any process signal (send) set=(hup, int), # Allow libvirtd to send us signals signal (receive) peer=/usr/sbin/libvirtd, Ptrace trace and tracedby permissions govern ptrace(2) Ptrace read and readby govern certain /proc accesses, kcmp(2), futexes (get_robust_list(2)) and perf trace events # Allow unconfined processes (eg, a debugger) to ptrace us ptrace (readby, tracedby) peer=unconfined, penguindroppings.wordpress.com/2014/06/06/application-isolation-with-apparmor- part-iv/

7 Other notable changes Userspace utilities were rewritten from Perl to Python3 aa-status, aa-enforce, aa-genprof, etc. Google Summer of Code project systemd unit config file support for specifying the name of an AppArmor profile to switch to when starting a new process Parser improvements Minimization changes provided an average of 40% to 50% improvement in compilation times Differential compression provides a 50% smaller binary policy and a 30% to 40% improvement in compilation times for large profiles Atomic loading of cache files that contain multiple profiles decreases load times

8 Looking forward

9 Network mediation UNIX domain sockets will soon have fine-grained mediation Can specify socket type, path, and socket label # Allow communication with D-Bus session bus unix (connect, send, receive) type=stream Still have course controls available for any protocol family that doesn't yet have fine-grained mediation Additional address families will receive fine-grained mediation INET INET6 NETLINK

10 Smarter binary policy caching
Multiple, versioned binary policy caches Each policy cache will be tied to a unique feature set advertised by AppArmor in securityfs Supports multiple policy versions so that hardware enablement kernels can be used on older releases Ubuntu will soon generate the policy cache during kernel install instead of doing it at boot Some cached policies for the Ubuntu phone images are already being generated server side to avoid having to compile them on the phone

11 Additional important pieces
Provide library interface for policy compiler and loader Needed for full systemd support More policy compiler performance enhancements Expose a wider permission set to the policy language For example, the write permission currently expands to setattr, create, delete, chmod, chown, open, and delete but it may be useful to expose more of these permissions Finish labeling and profile stacking work to provide full container confinement

12 Questions please Thank you
Tyler Hicks

Download ppt "AppArmor Update 2014 Linux Security Summit"

Similar presentations

What is an operating system? Is it software?

What is an operating system? Is it software?
RIP V1 W.lilakiatsakun.

RIP V1 W.lilakiatsakun.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Using DSVM to Implement a Distributed File System Ramon Lawrence Dept. of Computer Science

Using DSVM to Implement a Distributed File System Ramon Lawrence Dept. of Computer Science
 Introduction Originally developed by Open Software Foundation (OSF), which is now called The Open Group (www.opengroup.org) Provides a set of tools and.

 Introduction Originally developed by Open Software Foundation (OSF), which is now called The Open Group ( Provides a set of tools and.
CMPTR1 CHAPTER 3 COMPUTER SOFTWARE Application Software – The programs/software/apps that we run to do things like word processing, web browsing, and games.

CMPTR1 CHAPTER 3 COMPUTER SOFTWARE Application Software – The programs/software/apps that we run to do things like word processing, web browsing, and games.
C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.

C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.

Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.

Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.
Linux Operations and Administration

Linux Operations and Administration
Lecture 14: Operating Systems Intro to IT COSC1078 Introduction to Information Technology Lecture 14 Operating Systems James Harland

Lecture 14: Operating Systems Intro to IT COSC1078 Introduction to Information Technology Lecture 14 Operating Systems James Harland
Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as e-mail.

Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as .
Computer Security & OS Lab. DKU May 26 Younsik Jeong Ph.D. Student.

Computer Security & OS Lab. DKU May 26 Younsik Jeong Ph.D. Student.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.
Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.

Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.
ANDROID Presented By Mastan Vali.SK. © artesis 2008 | 2 1. Introduction 2. Platform 3. Software development 4. Advantages Main topics.

ANDROID Presented By Mastan Vali.SK. © artesis 2008 | 2 1. Introduction 2. Platform 3. Software development 4. Advantages Main topics.
1 Implementation of Security-Enhanced Linux Yue Cui Xiang Sha Li Song CMSC 691X Project 2—Summer 02.

1 Implementation of Security-Enhanced Linux Yue Cui Xiang Sha Li Song CMSC 691X Project 2—Summer 02.
ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.

ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.
Core System Services. INIT Daemon The init process is the patron of all processes. first process that gets started in any Linux/ UNIX -based system.

Core System Services. INIT Daemon The init process is the patron of all processes. first process that gets started in any Linux/ UNIX -based system.

Similar presentations

Ads by Google