AppArmor
AppArmor is a security module for the Linux kernel, released under the GNU General Public License. AppArmor allows the system administrator to associate with each program a security profile that restricts the capabilities of that program. It supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). It was included as of the 2.6.36 version of the mainline Linux kernel. Since 2009, Canonical has contributed to the ongoing AppArmor development.
In addition to manually specifying profiles, AppArmor includes a learning mode, in which violations of the profile are logged, but not prevented. This log can then be turned into a profile, based on the program's typical behavior.
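The learning-mode workflow described above, as an added example that is not part of the original article or of the AppArmor tools: it reads audit records logged in complain mode and drafts profile rules from them. The log lines, the profile name `/usr/bin/example` and the paths are constructed, and only read/write file masks are handled.

```python
import re
from collections import defaultdict

# Constructed audit-log lines (not from a real host). apparmor="ALLOWED" marks
# an access that complain/learning mode logged instead of blocking.
SAMPLE_LOG = '''\
type=AVC msg=audit(1300000000.101:11): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=4242 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1300000000.202:12): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/var/log/example.log" pid=4242 comm="example" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1300000000.303:13): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/var/log/example.log" pid=4242 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1300000000.404:14): apparmor="DENIED" operation="open" profile="/usr/sbin/other" name="/etc/shadow" pid=4300 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rw"  # assumption: this sketch only handles read/write masks


def parse_event(line):
    """Split one audit line into a dict of key -> value (quotes removed)."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def learned_rules(log_text):
    """Collect {profile: {path: set(perms)}} from learning-mode events only."""
    rules = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("apparmor") != "ALLOWED" or "name" not in ev:
            continue  # enforced denials and non-file events are not learned here
        perms = set(ev.get("denied_mask", "")) & set(PERM_ORDER)
        if perms:
            rules[ev["profile"]][ev["name"]] |= perms
    return rules


def render_profile(profile, paths):
    """Emit a draft profile, still in complain mode, for an admin to review."""
    body = [f"  {path} {''.join(p for p in PERM_ORDER if p in perms)},"
            for path, perms in sorted(paths.items())]
    return "\n".join([f"{profile} flags=(complain) {{", *body, "}"])


if __name__ == "__main__":
    for name, paths in learned_rules(SAMPLE_LOG).items():
        print(render_profile(name, paths))
```

The draft keeps `flags=(complain)` so that nothing is enforced until the learned rules have been reviewed; the `DENIED` record from the enforced profile is deliberately ignored.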
AppArmor is implemented using the Linux Security Modules (LSM) kernel interface.
AppArmor is offered in part as an alternative to SELinux, which critics consider difficult for administrators to set up and maintain. Unlike SELinux, which is based on applying labels to files, AppArmor works with file paths. Proponents of AppArmor claim that it is less complex and easier for the average user to learn than SELinux. They also claim that AppArmor requires fewer modifications to work with existing systems: for example, SELinux requires a filesystem that supports "security labels", and thus cannot provide access control for files mounted via NFS. AppArmor is filesystem-neutral.
Other systems
AppArmor represents one of several possible approaches to the problem of restricting the actions that installed software may take. The SELinux system generally takes a similar approach to AppArmor. One important difference is that it identifies file system objects by inode number instead of path. This means that, for example, a file that is inaccessible may become accessible under AppArmor when a hard link is created to it, while SELinux would deny access through the newly created hard link. On the other hand, data that is inaccessible may become accessible under SELinux when applications update the file by replacing it with a new version (a frequently used technique), while AppArmor would continue to deny access to the data. (In both cases, a default policy of "no access" avoids the problem.)
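The filesystem behaviour behind both cases, as an added example that is not part of the original article: it invokes neither AppArmor nor SELinux, and only shows which identifier (path or inode) stays stable under a hard link and under update-by-replacement. The file names are hypothetical.

```python
import os
import tempfile


def identity(path):
    """(device, inode) pair: what an inode-keyed check would compare."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def read(path):
    with open(path) as f:
        return f.read()


def path_vs_inode(workdir):
    """Run both cases from the text inside workdir and report what changed."""
    protected = os.path.join(workdir, "protected.txt")  # hypothetical restricted file
    alias = os.path.join(workdir, "alias.txt")          # hypothetical second name
    with open(protected, "w") as f:
        f.write("v1")
    original = identity(protected)

    # Case 1: a hard link adds a new path to the same inode. A rule written for
    # protected.txt's path does not match alias.txt; an inode-keyed rule does.
    os.link(protected, alias)
    link_shares_inode = identity(alias) == original

    # Case 2: update by replacement (write a temp file, rename it over the old
    # one). Same path, new inode: a path rule still matches, an inode rule not.
    tmp = protected + ".tmp"
    with open(tmp, "w") as f:
        f.write("v2")
    os.replace(tmp, protected)
    replace_keeps_inode = identity(protected) == original

    return {
        "link_shares_inode": link_shares_inode,
        "replace_keeps_inode": replace_keeps_inode,
        "alias_data": read(alias),          # old inode, old contents
        "protected_data": read(protected),  # same path, new contents
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(path_vs_inode(d))
```

When auditing a policy, the first result is the reason to check that a default of "no access" covers every directory where a confined program can read, and the second is the reason to check that replaced files inherit the intended restriction.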
While there has been considerable debate about which approach is better, there is as yet no strong evidence that either approach is preferable. Discussion about their relative merits often revolves around which approach is more aligned with existing Unix/Linux access control mechanisms, but Unix and Linux use a combination of path-based and inode-based access control. Note also that existing access control mechanisms remain in place with either system.
SELinux and AppArmor also differ significantly in how they are administered and how they integrate into the system.
Isolation of processes can also be accomplished by mechanisms like virtualization; the One Laptop per Child (OLPC) project, for example, sandboxes individual applications in lightweight Vserver.
In 2007, the Simplified Mandatory Access Control Kernel was introduced.
In 2009, a new solution called Tomoyo was included in Linux 2.6.30; like AppArmor, it also uses path-based access control.
Availability
AppArmor was first used in Immunix Linux 1998-2003; at the time, AppArmor was known as SubDomain, a reference to the ability for a security profile for a specific program to be segmented into different domains, which the program can switch between dynamically. AppArmor was first made available in SUSE and openSUSE, and was first enabled by default in SUSE Linux Enterprise Server 10 and in openSUSE 10.1.
From 2005 through September 2007, AppArmor was maintained by Novell.
AppArmor was first successfully ported/packaged for Ubuntu in April 2007. AppArmor comes installed by default in Ubuntu 7.10 Gutsy Gibbon, and came as a part of the release of Ubuntu 8.04, protecting only CUPS by default. As of Ubuntu 9.04 Jaunty Jackalope more items such as MySQL have installed profiles. AppArmor hardening continued to improve in Ubuntu 9.10 Karmic Koala as it ships with profiles for its guest session, libvirt virtual machines, the Evince document viewer, and an optional Firefox profile.
AppArmor was integrated into the October 2010, 2.6.36 kernel release.
See also
- Immunix, the original developers of AppArmor
- Linux Intrusion Detection System (LIDS)
- Security-Enhanced Linux
- Systrace
- Grsecurity
External links
- AppArmor Wiki
- AppArmor description from openSUSE.org
- LKML thread containing comments and criticism of AppArmor
- Apparmor packages for Ubuntu
- Counterpoint: Novell and Red Hat security experts face off on AppArmor and SELinux
- http://www.novell.com/linux/security/apparmor/