AppArmor

Revision 2 as of 2006-05-22 17:24:44

Summary

Implement an easy-to-use application security framework based on AppArmor in Ubuntu, to be available by default. The kernel packages must be patched to include a small kernel patch. The rest of the AppArmor framework will have its own packages. Security profiles must be created for setuid applications and server daemons. The profiles can either be provided in dedicated packages or in the packages of the applications they are created for.

Rationale

[http://en.opensuse.org/Apparmor AppArmor] proactively protects the system from security threats, both internal and external. It confines each application so that it can only access the resources it is intended to access. In this way the system is protected against both known and unknown threats.

For each application we want to protect or harden, a security profile is created. The profile describes which files or devices the application is allowed to read, write and/or execute.

Use cases

  • A new security flaw is published as a zero-day in a daemon-based application, e.g. ssh or httpd. The flaw allows an unauthorized user to upload and execute any code of the intruder's choice. Since the server daemon is protected by an AppArmor security profile, the intruder on the Ubuntu system will not be able to upload and then run the code, because the application's profile states that the application does not have the right to execute the files it has the right to write.

  • Malware is distributed by email and installs a rootkit on any system where it is executed. When a user clicks on the attached file in the mail, the malware runs and uses a security flaw in a setuid application to install the rootkit. Since all setuid applications in Ubuntu are protected by AppArmor security profiles, the malware will not be able to exploit the flaw and install the rootkit.
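The following AppArmor profile is an added illustration for this spec, not code from the original page or from the SUSE/Ubuntu AppArmor packages. It is written for a hypothetical network daemon at /usr/sbin/example-daemon; the binary path, the configuration and data directories and the abstraction names are assumptions. It shows concretely what the Rationale and the first use case describe: the daemon may read its configuration and write its data directory, but is granted no execute permission on anything it can write, so code dropped there through a flaw in the daemon cannot be run under this profile.

```apparmor
# Added example profile for a hypothetical daemon (not from the original spec).
# All paths below are assumptions chosen for illustration.
#include <tunables/global>

/usr/sbin/example-daemon {
  # Shared libraries, locale data and name resolution used by most daemons.
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # May bind a privileged port (< 1024); no other capabilities are granted.
  capability net_bind_service,

  # The daemon's own binary: memory-map and read only.
  /usr/sbin/example-daemon mr,

  # Configuration: read-only, so a compromised daemon cannot rewrite it.
  /etc/example-daemon/ r,
  /etc/example-daemon/** r,

  # Runtime data and log: read/write, but deliberately no 'x' permission,
  # so anything written here (e.g. an uploaded payload) cannot be executed.
  /var/lib/example-daemon/ rw,
  /var/lib/example-daemon/** rw,
  /var/log/example-daemon.log w,

  # Anything not listed above is denied; the denial is logged by the kernel.
}
```

In the profile syntax `r` is read, `w` is write, `m` is map-as-executable, and the `x` family (`ix`, `px`, `ux`) grants execution; leaving `x` off a writable path is what enforces the "can write but cannot execute" property the use case relies on. A profile like this is loaded with apparmor_parser and is best run in complain mode first, reviewing the logged rejections to catch missing rules before switching it to enforce mode; those same rejection messages are a useful detection signal once the profile is enforced.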

Scope

The scope is, in the first stage, to protect all applications in main that are setuid or listen for network connections (such as sshd, web servers, and web applications). In later stages we also want to create profiles for cron jobs and other applications that are executed in privileged mode (run as root).

Design

  • Copy as much as possible from SUSE and adapt it to Ubuntu.

Implementation

  1. Apply the patch to linux-image-*
  2. Build packages for the AppArmor application (a proof of concept exists, see below).
  3. Create profiles for all setuid and network-listening applications in main.
  4. Continue with cron and other privileged applications.

Later it may be interesting to port the YaST GUI to a clean GNOME GUI; this will need some coding.

Code

The scripts may need minor corrections.

Data preservation and migration

None

Outstanding issues

BoF agenda and discussion

References


CategorySpec