[Apparmor-general] apparmor vs chroot
Crispin Cowan
crispin at novell.com
Tue Mar 6 23:13:50 MST 2007
Michael James wrote:
> AppArmor provides a more flexible, more secure alternative to chroot.
>
> Is this true to the extent that it should completely replace chroot?
>
> Does this mean we can safely ditch all the chroot cruft
> surrounding daemons like dhcpd, named, postfix, etc?
>
Replacing chroot with AppArmor profiles has the advantages of:

* easier to do
* more flexible
* doesn't require extra storage for duplicate files, libraries, & such
* more secure: chroot can be escaped

Chroot has the advantage of:

* works on all Linux (and most UNIX) systems
> What's the philosophy of the profile writers, do we plan to do it?
>
> Are there sets of AppArmor profiles designed for un-chroot-ed daemons?
>
You can combine them, and apply an AppArmor profile to a daemon that is
also chrooted.

There is no security advantage to this combo. It actually is marginally
*less* secure than an AppArmor profile around a non-chrooted daemon. We
plan to fix this security problem, but no sooner than 10.3.

However, it lets you preserve the cross-platform packaging for the software.
> I'm asking this question largely in a SuSE context,
> hoping to reduce the named init script to something manageable.
>
It is probably not worth the effort to un-chroot something that really
wants to be chrooted.

However, if you have a choice about chroot, and you know you are going
to put an AppArmor profile around it, then de-select chroot if possible.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Hacking is exploiting the gap between "intent" and "implementation"
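
For illustration, a minimal profile of the kind the reply above recommends, wrapped around a named that is not chrooted. This is an added example, not a profile from the post or one shipped by AppArmor or SUSE, and every path in it is an assumed layout to adjust for the local installation.

```apparmor
# Added example: confining named WITHOUT a chroot jail.
# All paths below are an assumed layout, not taken from the post.
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Bind port 53, then drop from root to the unprivileged service user.
  capability net_bind_service,
  capability setgid,
  capability setuid,
  # No "capability sys_chroot" rule: this daemon never calls chroot().

  # The daemon binary itself (read and map as executable).
  /usr/sbin/named mr,

  # Configuration and zone data, read-only.
  /etc/named.conf r,
  /etc/named.d/** r,
  /var/lib/named/** r,

  # The only places the daemon may write.
  /var/lib/named/dyn/** rw,
  /var/run/named/named.pid w,
}
```

In enforce mode any file or capability not listed is denied, so the profile restricts the daemon to its own files without the duplicated libraries and device nodes a jail directory needs.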