- Number of slides: 13
An overview of AppArmor
Doug Stanley
07/17/2010
What is it?
- Application Security System
- Mandatory Access Control
- Makes sure that applications behave as expected
- Can protect against zero day and unknown flaws
Brief History
- Originally created by Immunix, acquired by Novell in 2005
- In 2007, Novell laid off the AppArmor staff
- Currently seems to be maintained by the community
Why AppArmor?
- Discretionary access control is not enough
- Hard to make applications 100% secure
- Define what "good" application behavior is.
- It's relatively easy to use
So, how does it work?
- Implemented as an LSM
- Protects individual applications
  - More precisely, protects system from applications
- Profiles define appropriate behavior
- Uses POSIX capabilities
Some features of AppArmor
- Automated tools for creating profiles are available
- Profiles are human readable text files
- Path based restrictions
- Filesystem neutral
- Ability to "include" profiles in other profiles
- Allows for having both enforced and complain profiles
- Can also restrict network operations
- Tamperproof
Some drawbacks of AppArmor
- Path based restrictions
- Too "easy"?
- Not truly complete mediation
- Only protects applications for which a profile exists
AppArmor vs SELinux
- Path based vs Label based
- How they're integrated in the system
- Managed differently
Anatomy of a profile
Sample profile for tcpdump from the Ubuntu wiki [1]
  #include
Anatomy of a profile continued
  # for -D
  capability sys_module,
  @{PROC}/bus/usb/ r,
  @{PROC}/bus/usb/** r,

  # for -F and -w
  audit deny @{HOME}/.* mrwkl,
  audit deny @{HOME}/.*/ rw,
  audit deny @{HOME}/.*/** mrwkl,
  audit deny @{HOME}/bin/ rw,
  audit deny @{HOME}/bin/** mrwkl,
  @{HOME}/ r,
  @{HOME}/** rw,

  /usr/sbin/tcpdump r,
}
For a complete list of capabilities, see [18]
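An added example (not from the original slides or the Ubuntu wiki): a simplified Python model of how the file rules in the excerpt above are evaluated, showing why the deny lines are needed when `@{HOME}/** rw` also matches dotfiles. It assumes `@{HOME}` expands to the single constructed directory `/home/alice`; the `audit` prefix only forces logging and is not modelled.

```python
import re

HOME = "/home/alice"  # assumption: @{HOME} expanded to one constructed home directory

# File rules copied from the tcpdump excerpt on the slide: (kind, glob, permissions)
RULES = [
    ("deny",  "@{HOME}/.*",        "mrwkl"),
    ("deny",  "@{HOME}/.*/",       "rw"),
    ("deny",  "@{HOME}/.*/**",     "mrwkl"),
    ("deny",  "@{HOME}/bin/",      "rw"),
    ("deny",  "@{HOME}/bin/**",    "mrwkl"),
    ("allow", "@{HOME}/",          "r"),
    ("allow", "@{HOME}/**",        "rw"),
    ("allow", "/usr/sbin/tcpdump", "r"),
]

def glob_to_regex(glob):
    """Translate an AppArmor path glob: '*' stops at '/', '**' crosses it."""
    parts = []
    for token in re.split(r"(\*\*|\*)", glob.replace("@{HOME}", HOME)):
        if token == "**":
            parts.append(".*")
        elif token == "*":
            parts.append("[^/]*")
        else:
            parts.append(re.escape(token))
    return re.compile("".join(parts) + r"\Z")

def decide(path, perm):
    """Return 'ALLOWED' or 'DENIED' for one permission letter on one path."""
    kinds = [kind for kind, glob, perms in RULES
             if perm in perms and glob_to_regex(glob).match(path)]
    if "deny" in kinds:          # an explicit deny always beats an allow
        return "DENIED"
    # A profile is a whitelist: no matching allow rule means the access fails.
    return "ALLOWED" if "allow" in kinds else "DENIED"

if __name__ == "__main__":
    # Constructed sample accesses, not taken from a real audit log
    samples = [("/home/alice/capture.pcap", "w"), ("/home/alice/.bashrc", "r"),
               ("/home/alice/.ssh/id_rsa", "r"), ("/home/alice/bin/tool", "w"),
               ("/usr/sbin/tcpdump", "r"), ("/etc/shadow", "r")]
    for path, perm in samples:
        print(f"{perm} {path:28} {decide(path, perm)}")
```

Unlike shell globs, `*` and `**` here also match names that begin with a dot, which is why the broad home-directory allow rule is paired with explicit denies for dotfiles and `bin/`.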
Principles of Secure Design
- Least Privilege
- Fail-Safe Defaults
- Complete Mediation
  - For protected applications
- Defense in Depth
- Open Design
- Privilege Separation
- Psychological Acceptance
Conclusion
- Psychologically acceptable
- Good balance of ease of use and security
- Not overly confusing
- Application developers can create profiles for users
- Effective
References
1. https://wiki.ubuntu.com/AppArmor
2. http://en.wikipedia.org/wiki/AppArmor
3. http://www.linux-magazine.com/Issues/2006/69/COUNTERPOINT
4. http://developer.novell.com/wiki/index.php/Apparmor_FAQ
5. http://www.novell.com/linux/security/apparmor/selinux_comparison.html
6. http://developer.novell.com/wiki/index.php/Apparmor_FAQ
7. https://help.ubuntu.com/9.10/serverguide/C/apparmor.html
8. http://www.nuxified.org/blog/novells_comparison_of_apparmor_and_selinux
9. https://apparmor.wiki.kernel.org/index.php/Documentation
10. http://en.wikipedia.org/wiki/SELinux
11. http://en.wikipedia.org/wiki/Linux_Security_Modules
12. http://en.wikipedia.org/wiki/Immunix
13. http://www.defcon.org/images/defcon-15/dc15-presentations/dc-15cowan.pdf
14. http://www.linux-magazine.com/w3/issue/69/AppArmor_vs_SELinux.pdf
15. http://www.ratliff.net/blog/2007/10/03/security-design-principles/
16. http://selinuxproject.org/page/FAQ
17. http://manpages.ubuntu.com/manpages/karmic/en/man7/apparmor.7.html
18. http://manpages.ubuntu.com/manpages/karmic/en/man7/capabilities.7.html