[Apparmor-dev] Network definitions in profile

John Johansen jjohansen at suse.de
Wed Dec 5 14:52:15 MST 2007 

On Wed, Dec 05, 2007 at 10:19:26PM +0800, Lincoln Yeoh wrote:
> At 06:04 PM 12/4/2007, Markku Savela wrote:
>> My vision for the profiles is that they should be generated by the
>> application writers, and included in packages in signed
>> repositories. An installer install the profile, and either refuse to
>> install or install with some predefined default profile, if profile is
>> missing.
>
>> The idea is that application comes with clear statement what resources
>> it intends to use (AppArmor profile). The repository maintainer or
>> anyone looking at the package could view the profile and evaluate
>> whether it is reasonable for the application in question.
>
> I agree that this sort of thing is a better approach, a bit like "security 
> by contract" :).
>
> Would it be possible to have templates for such profiles? Either a template 
> is a more high level description of a profile, or profiles are generalized 
> to fit more apps that are similar.
>
yes, it is possible.  The trade off is more lack security.

> The idea is to reduce the number of possible profiles for popular 
> applications to a more manageable number of templates which normal users 
> might be more able to cope with.
>
There are a few possible ways to go about this, but the basis of any
approach is setting up good abstractions for the classes that are
desired.  Of course identifying meaningful classes and making generic
abstractions isn't easy, but it is possible.

One thing that would make it easier is defining a good set of variables
for those classes and let installation of new apps modify the variables
so the abstraction get expanded as new applications are installed.

Profile wise you can then setup application profiles that include those
abstractions or you can setup a generic profile, for each abstraction
and a master profile that can control entering that abstraction.

This latter approach in its full form isn't possible with current
releases of AppArmor, it needs the generalized transition model which I
haven't pushed out yet.


> It may require a lot more standardization of apps - installation 
> directories, temporary files, where to share read-only files with other 
> apps, logging etc.
>
standardizing apps would make security better but it just isn't going
to happen.  There are too many apps, and too much legacy

> If such standardization is not possible (maybe only Apple could pull such a 
> thing off), we might have to have trusted parties audit profiles (with 
> corresponding app), labelling/classifying them (from maybe a dozen or so 
> standard types) and then sign them. e.g. "Basic screensaver", "Guest 
> applet", "web browser", "Administrator privileges", "Full user privileges". 
> This is less desirable of course.
>
It is possible, and perhaps even desirable but there are many apps that
fall into multiple catagories depending on their use, or even because
of different confinement strategies.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: not available
Url : http://forge.novell.com/pipermail/apparmor-dev/attachments/20071205/18897619/attachment.pgp

More information about the Apparmor-dev mailing list