Presentation is loading. Please wait.

Presentation is loading. Please wait.

AppArmor Update 2015 Linux Security Summit

Published byLucas McKenzie Modified over 6 years ago

Similar presentations

Presentation on theme: "AppArmor Update 2015 Linux Security Summit"— Presentation transcript:

1 AppArmor Update 2015 Linux Security Summit
Presentation by John Johansen August 2015

2 What's driving AppArmor development at Canonical?
Securing container workloads with the ability to place the container in its own AppArmor policy namespace Application isolation for Ubuntu phone and tablet images wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement

3 Recent improvements

4 Kernel side Frame work for socket labeling
Supports older simple af masking rules “Plug-in” arch for per AF finer grained mediation Unix domain sockets first AF “plug-in” implemented Labeling core Bug Fixing (apologies to our users) Revision & cleanup Improved backporting support (android kernels) Improved support for policy versions Revisions on the new features from last year (signal, ptrace, ...)

5 Userspace Upstreamed dbus daemon mediation support
Lots of Bug fixing on new userspace tools (started as gsoc project) New library apis for: Compiled policy cache management Compiled policy loading Feature set support/abis supported by the kernel Basic systemd integration Server side policy compile for image based updates Policy compiler improvements (up to 40% faster)

6 Looking forward

7 Kernel Ideally nothing until ...
Finish cleanup and upstream out tree kernel patches Extension to support userspace helper daemons Namespace stacking Secmark support Ioctl white listing (for some strange reason this has increased in priority) Filling in the gaps (kdbus, binder, …) Improvements to learning mode Better support of bring up mode Performance improvements

8 Userspace Finish systemd integration Directly use policy load api
More policy compiler performance enhancements dconf/gsettings privsep Policy enforces no direct access Library reroutes to daemon, that consults and enforces policy Better policy versioning support Policy improvements Address developer complaints

9 Questions please Thank you
John Johansen

Download ppt "AppArmor Update 2015 Linux Security Summit"

Similar presentations

Introduction to Linux Video task 1. Five reasons to use Linux Data security Price Reliability It is modified for the needs of a user It is easy to use.

Introduction to Linux Video task 1. Five reasons to use Linux Data security Price Reliability It is modified for the needs of a user It is easy to use.
Operating Systems: Internals and Design Principles

Operating Systems: Internals and Design Principles
Bringing Together Linux-based Switches and Neutron

Bringing Together Linux-based Switches and Neutron
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
OpenAFS for Windows Deep Dive: Reparse Points, Path Processing, and Implications for Namespace Design Jeffrey Altman Your File System Inc. 2014 European.

OpenAFS for Windows Deep Dive: Reparse Points, Path Processing, and Implications for Namespace Design Jeffrey Altman Your File System Inc European.
Introduction to Operating Systems CS-2301 B-term 20081 Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.

Introduction to Operating Systems CS-2301 B-term Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.
Remote Unit Testing Brian Pruitt-Goddard Alex Riordan.

Remote Unit Testing Brian Pruitt-Goddard Alex Riordan.
Home: www.cse.dmu.ac.uk/~pkang Phones OFF Please Unix Kernel Parminder Singh Kang Home: www.cse.dmu.ac.uk/~pkang Email: pkang@dmu.ac.uk.

Home: Phones OFF Please Unix Kernel Parminder Singh Kang Home:
Android An open handset alliance project Janice Garcia September 18, 2008 MIS 304.

Android An open handset alliance project Janice Garcia September 18, 2008 MIS 304.
Self Stabilizing Distributed File System Implementing a VFS Module.

Self Stabilizing Distributed File System Implementing a VFS Module.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
Scheduler Activations Jeff Chase. Threads in a Process Threads are useful at user-level – Parallelism, hide I/O latency, interactivity Option A (early.

Scheduler Activations Jeff Chase. Threads in a Process Threads are useful at user-level – Parallelism, hide I/O latency, interactivity Option A (early.
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
An Introduction to Device Drivers Sarah Diesburg COP 5641 / CIS 4930.

An Introduction to Device Drivers Sarah Diesburg COP 5641 / CIS 4930.
Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.

Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.
OFED 1.x Roadmap & Release Process November 06 Jeff Squyres, Woodruff, Robert J, Betsy Zeller, Tziporet Koren,

OFED 1.x Roadmap & Release Process November 06 Jeff Squyres, Woodruff, Robert J, Betsy Zeller, Tziporet Koren,
RDMA Stacks MOFED, OFED & Linux Kernel

RDMA Stacks MOFED, OFED & Linux Kernel
Current Status of OFED in SUSE Linux Enterprise Server John Jolly Senior Software Engineer SUSE.

Current Status of OFED in SUSE Linux Enterprise Server John Jolly Senior Software Engineer SUSE.
Access Control Policies Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) 11 Coming up:

Access Control Policies Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) 11 Coming up:
ANDROID Presented By Mastan Vali.SK. © artesis 2008 | 2 1. Introduction 2. Platform 3. Software development 4. Advantages Main topics.

ANDROID Presented By Mastan Vali.SK. © artesis 2008 | 2 1. Introduction 2. Platform 3. Software development 4. Advantages Main topics.

Similar presentations

Ads by Google