Slide 1: Overview and Recent Developments – AppArmor
2018 Linux Security Summit – Europe
Presentation by John Johansen, john.johansen@canonical.com
www.canonical.com
October 2018
Slide 2: Now hosted on gitlab
Slide 3: CII Best Practices
Slide 4: Overview
Slide 5: What is AppArmor
A Modified Domain Type Enforcement (DTE)
Slide 6: What is AppArmor
A Modified Domain Type Enforcement (DTE) + Capability System*
Slide 7: AppArmor Design
● Start with a target policy
● Make it easy to confine applications
● Controlled sharing
● Allow sandboxes to be built on top
● Allow confining more than just applications
● The user is the biggest problem
● Try to make it easy to use
● Let tooling do the work
● Get out of the way of admin or any improvements will get turned off
● Unconfined
● Work towards supporting strict confinement
Slide 8: Profile
include <tunables/global>

profile firefox /usr/lib/firefox/firefox{,*[^s][^h]} flags=(complain) {
  include <abstractions/audio>
  include <abstractions/cups-client>
  include <abstractions/dbus-strict>
  include <abstractions/dbus-session-strict>

  allow file r /etc/firefox*/,
  allow file r /etc/firefox*/**,
  allow ixr /usr/bin/basename,

  dbus bus=system path="/org/freedesktop/UPower"
       interface=org.freedesktop.Upower
       member="{Device,}Changed",
  ...
}
Slide 9: Profile - preamble
Highlighted part of the slide 8 profile (everything before the profile header):
  include <tunables/global>
Slide 10: Profile - name
Highlighted part of the slide 8 profile:
  profile firefox
Slide 11: Profile – attachment specification
Highlighted part of the slide 8 profile (the path glob the profile attaches to on exec):
  /usr/lib/firefox/firefox{,*[^s][^h]}
Slide 12: Profile – flags that modify behavior
Highlighted part of the slide 8 profile:
  flags=(complain)
Slide 13: Profile – rule block
Highlighted part of the slide 8 profile: the braces and everything between them.
  { ... }
Slide 14: Profile - abstractions
Highlighted part of the slide 8 profile:
  include <abstractions/audio>
  include <abstractions/cups-client>
  include <abstractions/dbus-strict>
  include <abstractions/dbus-session-strict>
Slide 15: Profile – class rules
Highlighted part of the slide 8 profile (each rule names its class: file, dbus, ...):
  allow file r /etc/firefox*/,
  allow file r /etc/firefox*/**,
  allow ixr /usr/bin/basename,
  allow dbus bus=system path="/org/freedesktop/UPower"
             interface=org.freedesktop.Upower
             member="{Device,}Changed",
Slide 16: Profile – domain transition
Highlighted part of the slide 8 profile (the exec rule whose x mode decides the domain after exec):
  allow ixr /usr/bin/basename,
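The vocabulary of slides 8 to 16 (preamble, name, attachment specification, flags, rule block, abstractions, class rules, exec modes) can be picked apart mechanically. The Python below is an added example written for this page, not code from the slides or from the AppArmor project, and it understands only a small, stated subset of the profile language: one rule per line, the rule classes listed in CLASSES, and the include and flags forms shown on the slides. It parses the slide 8 firefox profile, reconstructed here as the constructed input FIREFOX, and reports which file rules carry an exec mode and therefore decide the domain transition on exec.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

QUALIFIERS = {'allow', 'deny', 'audit', 'owner'}
CLASSES = {'file', 'dbus', 'capability', 'network', 'mount', 'signal', 'ptrace', 'unix'}
PERMS = re.compile(r'^[rwxamlkiPpUuCc]+$')          # file permission and exec-mode letters
HEADER = re.compile(r'^(?:profile\s+(?P<name>\S+)\s+)?(?P<attach>/\S*)?\s*'
                    r'(?:flags=\((?P<flags>[^)]*)\))?\s*\{$')
INCLUDE = re.compile(r'^#?include\s+<([^>]+)>$')   # "include" and the legacy "#include"

@dataclass
class Rule:
    qualifiers: List[str]   # allow / deny / audit / owner
    cls: str                # rule class: file, dbus, capability, network, ...
    target: str             # path, capability name, or the remainder of the rule
    perms: str = ''         # file permissions, e.g. r, ixr, Px

@dataclass
class Profile:
    name: str
    attachment: Optional[str]
    flags: List[str]
    preamble_includes: List[str] = field(default_factory=list)
    includes: List[str] = field(default_factory=list)
    rules: List[Rule] = field(default_factory=list)

def parse_rule(text: str) -> Rule:
    toks = text.split()
    quals = []
    while toks and toks[0] in QUALIFIERS:
        quals.append(toks.pop(0))
    if not toks:
        return Rule(quals, 'other', '')
    if toks[0] in CLASSES:
        cls = toks.pop(0)
    elif toks[0].startswith(('/', '@{')) or (
            len(toks) > 1 and PERMS.match(toks[0]) and toks[1].startswith(('/', '@{'))):
        cls = 'file'                                   # path rules written without "file"
    else:
        cls = 'other'
    if cls == 'file' and len(toks) >= 2:
        if PERMS.match(toks[0]):                       # "file r /path": permissions first (slides)
            return Rule(quals, cls, toks[1], toks[0])
        return Rule(quals, cls, toks[0], toks[1])      # legacy "/path r": path first
    return Rule(quals, cls, ' '.join(toks))

def parse_profile(text: str) -> Profile:
    profile: Optional[Profile] = None
    preamble: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (line.startswith('#') and not line.startswith('#include')):
            continue                                   # blank line or comment
        if profile is None:                            # preamble: includes, then the header
            m = HEADER.match(line)
            if m:
                flags = [f.strip() for f in (m.group('flags') or '').split(',') if f.strip()]
                profile = Profile(m.group('name') or m.group('attach'), m.group('attach'),
                                  flags, preamble)
            elif INCLUDE.match(line):
                preamble.append(INCLUDE.match(line).group(1))
            continue
        if line == '}':                                # end of the rule block
            break
        if line.endswith(','):
            profile.rules.append(parse_rule(line[:-1].strip()))
        elif INCLUDE.match(line):                      # abstraction pulled into the block
            profile.includes.append(INCLUDE.match(line).group(1))
    if profile is None:
        raise ValueError('no profile header found')
    return profile

def exec_transition(perms: str) -> Optional[str]:
    """Domain the task lands in after exec, from the exec-mode letter of a file rule."""
    if 'x' not in perms:
        return None
    for letter, mode in (('i', 'inherit'), ('p', 'profile'), ('c', 'child'), ('u', 'unconfined')):
        if letter in perms.lower():
            return mode
    return 'unspecified'

def domain_transitions(profile: Profile):
    return [(r.target, exec_transition(r.perms))
            for r in profile.rules if r.cls == 'file' and 'x' in r.perms]

# Constructed input: the firefox profile of slide 8, one rule per line.
FIREFOX = """\
include <tunables/global>
profile firefox /usr/lib/firefox/firefox{,*[^s][^h]} flags=(complain) {
  include <abstractions/audio>
  include <abstractions/cups-client>
  include <abstractions/dbus-strict>
  include <abstractions/dbus-session-strict>
  allow file r /etc/firefox*/,
  allow file r /etc/firefox*/**,
  allow ixr /usr/bin/basename,
  dbus bus=system path="/org/freedesktop/UPower" interface=org.freedesktop.Upower member="{Device,}Changed",
}
"""
```

Running parse_profile(FIREFOX) yields name firefox, the attachment glob, flags ['complain'], one preamble include, four abstraction includes and four class rules; domain_transitions shows that only the basename rule grants exec, with the inherit mode (ix), so basename keeps running under the firefox profile rather than transitioning to its own.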
Slide 17: Policy
profile ping /{usr/,}bin/ping {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,
  network inet6 raw,

  /{,usr/}bin/ping mixr,
  /etc/modules.conf r,
  ...
}

/sbin/dhclient {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>

  capability net_bind_service,
  capability net_raw,
  capability dac_override,
  capability net_admin,

  network packet,
  network raw,

  @{PROC}/[0-9]*/net/ r,
  @{PROC}/[0-9]*/net/** r,
  /sbin/dhclient mr,
  ...
}

profile syslogd /{usr/,}sbin/syslogd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/consoles>

  capability sys_tty_config,
  capability dac_override,
  capability dac_read_search,
  capability setuid,
  capability setgid,
  capability syslog,

  /dev/log wl,
  /var/lib/*/dev/log wl,
  ...
}
Slide 18: Handling Pattern matching
  /**a** r,    (A)
  /**b** w,    (B)
  /**c** mr,   (C)
[Figure: the three rules compiled into a single DFA. Each state carries the union of the permissions of the rules that can still match, labelled by rule: rA, wB, mCrC, rAwB, rAmCrC, wBmCrC, rAwBmCrC. Transitions are on the literal characters a, b, c and on the character classes ?, [^a], [^b], [^c], [^ab], [^ac], [^bc], [^abc].]
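Slide 18 shows the policy compiler folding several path globs into one DFA whose states carry the union of the matching rules' permissions. The Python below is an added example written for this page; it is not the AppArmor compiler (which builds a real DFA rather than running a backtracking regex per rule). It translates the glob syntax used on the slides (*, **, ?, [..], [^..], {a,b}) into regular expressions and unions the permissions of every rule that matches a path, so the state labels on the slide (rA, rAwB, rAwBmCrC, ...) can be reproduced for concrete paths. The three rules are taken from the slide; the attachment globs reused as inputs are the firefox one from slide 11 and the ping one from slide 17, and the test paths are constructed.

```python
import re
from typing import List, Tuple

def glob_to_regex(glob: str) -> str:
    """Translate an AppArmor path glob into a regex body (no anchors).

    *      any run of characters within one path component (no '/')
    **     any run of characters, crossing '/'
    ?      one character other than '/'
    [..]   character class, [^..] negated class
    {a,b}  alternation (not nested here); an empty alternative is allowed
    """
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if c == '*':
            if glob.startswith('**', i):
                out.append('.*')
                i += 1                     # consume the second '*'
            else:
                out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '[':
            j = glob.index(']', i + 1)     # ValueError on an unterminated class
            body = glob[i + 1:j]
            neg = body.startswith('^')
            chars = re.escape(body[1:] if neg else body).replace('\\-', '-')
            out.append('[' + ('^' if neg else '') + chars + ']')
            i = j
        elif c == '{':
            j = glob.index('}', i + 1)
            alts = glob[i + 1:j].split(',')
            out.append('(?:' + '|'.join(glob_to_regex(a) for a in alts) + ')')
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return ''.join(out)

Rule = Tuple[str, str]   # (path glob, permission letters)

def compile_rules(rules: List[Rule]):
    """Compile each rule's glob; the permission string rides along unchanged."""
    return [(re.compile('^' + glob_to_regex(g) + '$'), perms) for g, perms in rules]

def permissions_for(path: str, compiled) -> str:
    """Union of the permissions of every rule whose pattern matches the path.

    This is what the DFA state labels on the slide encode: a path that matches
    rules A and B lands in the state carrying rA plus wB.
    """
    perms = set()
    for rx, p in compiled:
        if rx.match(path):
            perms.update(p)
    return ''.join(sorted(perms))

def matches_attachment(attachment: str, path: str) -> bool:
    """Would a profile with this attachment specification attach to the executable at path?"""
    return re.fullmatch(glob_to_regex(attachment), path) is not None

# The three rules from slide 18.
SLIDE_RULES: List[Rule] = [('/**a**', 'r'), ('/**b**', 'w'), ('/**c**', 'mr')]
```

Because ** crosses directory boundaries, /**a** matches any path containing an a after the leading slash, so a constructed path such as /abc matches all three rules and collects m, r and w, while /xyz matches none and gets no permission at all. The firefox attachment glob illustrates why the slide's pattern ends in [^s][^h]: it attaches to firefox and firefox-bin but deliberately not to a firefox.sh wrapper script.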
Slide 19: Basic Policy Summary
[Figure: diagram with the labels Policy Compiler, Active Policy, Application, Application context, unconfined context, Trusted Helper, Trusted context, obj label and Audit Subsystem, and two example profiles:]
  profile Backend { allow file rw allow ipc Intermediary bind service address … }
  profile Application { allow ipc intermediary ent=foo rw, … }
Slide 20: Policy Namespaces
Slide 21: Policy Namespaces
Namespace 1:
  /usr/sbin/libvirtd (enforce)
  /usr/sbin/mdnsd (complain)
  /usr/sbin/ippusbxd (enforce)
  /usr/sbin/dovecot (complain)
  /usr/lib/snapd/snap-confine (enforce)
  /usr/lib/telepathy/telepathy-ofono (enforce)
  /usr/lib/telepathy/telepathy-* (enforce)
  /usr/lib/telepathy/mission-control-5 (enforce)
  /usr/sbin/identd (complain)
  /usr/sbin/cupsd (enforce)
Namespace 2:
  /usr/sbin/libvirtd (enforce)
  /usr/sbin/mdnsd (complain)
  /usr/sbin/identd (complain)
  /usr/sbin/cupsd (enforce)
  firefox (enforce)
  firefox//sanitized_helper (enforce)
  firefox//lsb_release (enforce)
  firefox//browser_openjdk (enforce)
  firefox//browser_java (enforce)
Slide 22: Policy Namespaces
:ns:profile
:ns://profile
Slide 23: Policy Namespaces - Hierarchical
[Figure: namespace tree: the System namespace with profiles nscd and dnsmasq, and policy namespaces :ns1: (with its own nscd and dnsmasq), :ns2:, :ns3:, :ns4: and :ns5: nested below it as drawn.]
Slide 24: Policy Namespace - View
[Figure: the slide 23 namespace tree, illustrating what is visible from a namespace.]
Slide 25: Policy Namespaces – Child NS View
[Figure: the slide 23 namespace tree, illustrating the view from a child namespace.]
Slide 26: Policy Namespaces – Grand Child NS View
[Figure: the slide 23 namespace tree, illustrating the view from a grandchild namespace.]
Slide 27: Policy Stacking & Dynamic Policy
Slide 28: Stacking - System View
[Figure: the slide 23 namespace tree with a Task added, seen from the System namespace.]
Slide 29: Stacking Across Policy NS can Reduce View
[Figure: the same tree and Task; stacking a profile from a child namespace onto the task narrows the task's view.]
Slide 30: Stacking – Further Reduced View
[Figure: the same tree and Task, with the view narrowed further by stacking from a deeper namespace.]
Slide 31: Policy NS & Stacking – Scope & View
[Figure: the same tree and Task.]
● View
● Scope
● Admin
Slide 32: Policy NS & Stacking – Scope & View* - NOT yet available
[Figure: the same tree and Task. What a user sees as the task's label depends on the namespace it is viewed from: nscd in three of the views drawn, :ns5:nscd in the fourth.]
● View
● Scope
● Admin
Slide 33: Application and User Defined Policy* - NOT yet available
[Figure: namespace tree: the System namespace (nscd, dnsmasq) with :ns1: (nscd, dnsmasq), :ns2: and :ns4:, plus a :user_jj: namespace and a :role: namespace; a Task, a user admin, and chrome with its own :chrome:sandbox namespace.]
Slide 34: Stacking – not just across namespaces
[Figure: the slide 23 namespace tree and Task; profiles can also be stacked within a single namespace.]
Slide 35: Delegation of Authority* - NOT yet available
[Figure: a Profile with rules
  file r /etc/firefox*/,
  file r /etc/firefox*/**,
  ...
  file rw /**,
  ...
combined as Delegated Rules & Delegated Authority + a Targeted Task Profile with
  rmPx /usr/bin/evince,
  px /usr/bin/bug-buddy,
  ...]
Slide 36: Stacking – Domain Label
firefox//&evince
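Slides 22 to 32 draw how a task's label looks from different policy namespaces, and slide 36 gives the stacked-label form firefox//&evince. The Python below is an added example written for this page, not kernel code or anything from the AppArmor project; it is a model of the view rule the slides illustrate. The namespace tree (NS_PARENT) is constructed, since the slides draw the tree without stating the nesting; the single-namespace label form :ns:profile is from slide 22 and the stacked form a//&b is from slide 36, while joining nested namespace names with // and rendering a task with no visible component as unconfined are assumptions of the model. The final function models the conjunction that stacking imposes: every profile in the stack must allow an access for it to be allowed.

```python
from typing import Dict, List, Optional, Tuple

# Constructed namespace tree (assumption: nesting chosen for the example).
NS_PARENT: Dict[str, Optional[str]] = {
    'system': None,
    'ns1': 'system', 'ns2': 'system',
    'ns3': 'ns1', 'ns5': 'ns1', 'ns4': 'ns2',
}

def lineage(ns: str) -> List[str]:
    """ns, its parent, ... up to the root namespace."""
    out = []
    while ns is not None:
        out.append(ns)
        ns = NS_PARENT[ns]
    return out

def visible(viewer_ns: str, ns: str) -> bool:
    """A namespace can see itself and its descendants, never ancestors or siblings."""
    return viewer_ns in lineage(ns)

def relative_ns(viewer_ns: str, ns: str) -> str:
    """Namespace path of ns as seen from viewer_ns; '' when they are the same.
    Nested names are joined with '//' (assumed display form)."""
    chain = lineage(ns)
    return '//'.join(reversed(chain[:chain.index(viewer_ns)]))

def label_seen_by(viewer_ns: str, stack: List[Tuple[str, str]]) -> str:
    """Render a (possibly stacked) task label from the viewer's namespace.

    stack is a list of (namespace, profile) pairs. Components outside the
    viewer's view are dropped; a task with nothing visible is shown as
    unconfined (modelled behaviour, see the lead-in).
    """
    parts = []
    for ns, profile in stack:
        if not visible(viewer_ns, ns):
            continue
        rel = relative_ns(viewer_ns, ns)
        parts.append(f':{rel}:{profile}' if rel else profile)
    return '//&'.join(parts) if parts else 'unconfined'

def effective_perms(stack_policy: List[Dict[str, str]], path: str) -> str:
    """Stacking is a conjunction: each profile in the stack must allow an access.

    stack_policy is one {path: permission letters} table per stacked profile
    (constructed, exact-match lookup instead of the real pattern matching).
    """
    allowed: Optional[set] = None
    for rules in stack_policy:
        perms = set(rules.get(path, ''))
        allowed = perms if allowed is None else allowed & perms
    return ''.join(sorted(allowed or set()))
```

For a task carrying nscd from the System namespace stacked with nscd from :ns5:, an observer in System sees both components, one in :ns1: sees only :ns5:nscd, one inside :ns5: sees plain nscd, and one in the sibling :ns2: sees an unconfined task; that is the effect slide 32 labels "User sees". The stacked permission table shows why slide 29 speaks of a reduced view: a path the System profile allows rw but the stacked child profile allows only r ends up readable only.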
Slide 37: Recent Developments
Slide 38: Upstreaming
Everything except af_unix
Slide 39: Upstreaming cont.
● Secids – 4.18
● audit rule filtering (SUBJ_ROLE) – 4.18
● socket mediation – 4.17
● Profile attachment – 4.17
● EVM
● Improved overlapping exec attachment resolution
● nnp subset test
Slide 40: Policy tagged with ABI info
profile ping /{usr/,}bin/ping {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,
  network inet6 raw,

  file mixr /{,usr/}bin/ping,
  file r /etc/modules.conf,
  ...
}
Slide 41: Policy tagged with ABI info
abi=<features/upstream-4.18>

profile ping /{usr/,}bin/ping {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,
  network inet6 raw,

  file mixr /{,usr/}bin/ping,
  file r /etc/modules.conf,
  ...
}
Slide 42: Single Binary Policy Cache
[Figure: one cache directory, /etc/apparmor.d/cache, holding one compiled binary per profile: bin.ping, sbin.klogd, sbin.syslogd, sbin.syslog-ng, skype, usr.bin.evince, usr.bin.firefox, usr.bin.pidgin, usr.sbin.cupsd, usr.sbin.dnsmasq, usr.sbin.dovecot, ...]
Slide 43: Per Kernel binary policy
[Figure: three per-kernel cache directories, each holding the full set of compiled profiles (bin.ping, sbin.klogd, sbin.syslogd, sbin.syslog-ng, skype, usr.bin.evince, usr.bin.firefox, usr.bin.pidgin, usr.sbin.cupsd, usr.sbin.dnsmasq, usr.sbin.dovecot, ...), named after the kernel's feature set:
  $(location)/cache/7f01cf2e.1
  $(location)/7f01cf2e.0
  $(location)/cache/a035ea11.0]
Slide 44: Binary Policy Overlay
[Figure: two cache locations overlaid per kernel feature set. For each of $(loc1)/7f01cf2e.0 and $(loc1)/a035ea11.0 the first location holds the full set of compiled profiles (bin.ping, sbin.klogd, sbin.syslogd, sbin.syslog-ng, skype, usr.bin.evince, usr.bin.firefox, usr.bin.pidgin, usr.sbin.cupsd, usr.sbin.dnsmasq, usr.sbin.dovecot, ...), while the matching $(loc2)/7f01cf2e.0 and $(loc2)/a035ea11.0 hold only a subset (skype, usr.bin.evince, usr.bin.firefox, usr.sbin.cupsd, ...).]
Slide 45: WIP
Slide 46: Current WIP
● Internal cleanups and improvements
● Rework early policy loading
● Systemd integration
● Default profile
● initrd/initramfs hooks
● Fine grained networking
● af_unix
● ipv4/ipv6
● Improved mount mediation
● Missing mediation
● Keys mediation
● ioctl mediation
● ...
Slide 47: WIP continued
● Improvements to auditing
● Get audit data off the stack
● Caching and grouping
● Improvements to complain/learning
● Caching of recently audited events
● Direct to daemon logging
● Daemon interaction, similar to the seccomp notify work
● Further attachment conditionals (user, …)
● Extended conditionals, and permissions
● Policy namespaces
● Separate scope & view work
● Open up policy to users and applications
● Delegation
Slide 48: WIP continued
● no_new_priv improvements
● pam_apparmor
● Interaction with system namespaces
● Documentation