AppArmor

Infobox Software
name = AppArmor
operating system = Linux
genre = Security
license = GNU General Public License
website = http://en.opensuse.org/AppArmor

AppArmor ("Application Armor") is security software for Linux, released under the GNU General Public License. From 2005 through September 2007, AppArmor was maintained by Novell. AppArmor allows the system administrator to associate with each program a security profile which restricts the capabilities of that program. It supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC).

In addition to manually specifying profiles, AppArmor includes a learning mode, in which violations of the profile are logged, but not prevented. This log can then be turned into a profile, based on the program's typical behavior.
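The following sketch illustrates how a learning-mode log can be turned into profile rules. It is an added example, not code from AppArmor or from this article. The log lines are constructed, the profile name `/usr/sbin/exampled` is hypothetical, and the `key="value"` audit record layout is assumed.

```python
import re

# Constructed complain-mode audit records (not captured from a real host); the
# key="value" layout follows the kernel audit format used by AppArmor.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:201): apparmor="ALLOWED" operation="open" profile="/usr/sbin/exampled" name="/etc/exampled.conf" pid=4242 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.102:202): apparmor="ALLOWED" operation="open" profile="/usr/sbin/exampled" name="/var/lib/exampled/state.db" pid=4242 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.103:203): apparmor="ALLOWED" operation="open" profile="/usr/sbin/exampled" name="/var/lib/exampled/state.db" pid=4242 comm="exampled" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.104:204): apparmor="ALLOWED" operation="open" profile="/usr/sbin/exampled" name="/etc/exampled.conf" pid=4243 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.105:205): apparmor="DENIED" operation="open" profile="/usr/sbin/exampled" name="/root/notes.txt" pid=4243 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.106:206): apparmor="ALLOWED" operation="open" profile="/usr/bin/otherd" name="/tmp/other" pid=5000 comm="otherd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# File permissions this sketch emits; execute is left out because an exec rule
# also needs a transition mode that an administrator has to choose.
PERMS = "rwaklm"


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def rules_from_log(text, profile):
    """Merge logged-but-permitted accesses for one profile into file rules."""
    masks = {}
    for line in text.splitlines():
        rec = parse_record(line)
        # "ALLOWED" marks a learning-mode violation: logged, not prevented.
        if rec.get("apparmor") != "ALLOWED" or rec.get("profile") != profile:
            continue
        if "name" in rec and "denied_mask" in rec:
            masks.setdefault(rec["name"], set()).update(rec["denied_mask"])
    rules = []
    for path in sorted(masks):
        perms = "".join(p for p in PERMS if p in masks[path])
        if perms:
            rules.append(f"  {path} {perms},")
    return rules


def render_profile(text, profile):
    """Wrap the derived rules in a profile block for review."""
    return "\n".join([f"{profile} {{", *rules_from_log(text, profile), "}"]) + "\n"


if __name__ == "__main__":
    print(render_profile(SAMPLE_LOG, "/usr/sbin/exampled"))
```

The derived rules reflect only what the program did while it was being observed, so they need review before the profile is switched to enforcement.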

AppArmor is implemented using the Linux Security Modules kernel interface.

AppArmor was created in part as an alternative to SELinux, which critics claim is difficult for administrators to set up and maintain. [Mayank Sharma, "SELinux: Comprehensive security at the price of usability", Linux.com, 2006-12-11, http://www.linux.com/articles/58942] Unlike SELinux, which is based on applying labels to files, AppArmor works with file paths. Proponents of AppArmor claim that it is less complex and easier for the average user to learn than SELinux. [Ralf Spenneberg, "Protective armor: Shutting out intruders with AppArmor", Linux Magazine, August 2006, http://www.linux-magazine.com/issues/2006/69/protective_armor, accessed 2008-08-02] They also claim that AppArmor requires fewer modifications to work with existing systems [citation needed]: for example, SELinux requires a filesystem that supports "security labels", and thus cannot provide access control for files mounted via NFS. AppArmor is file-system agnostic.

In September 2007, Novell laid off most of the AppArmor team. ["Novell lays off AppArmor programmers", CNET, 2007-10-10, http://www.news.com/8301-13580_3-9796140-39.html?part=rss&subj=news&tag=2547-1_3-0-5]

Other systems

AppArmor represents one of several possible approaches to the problem of restricting the actions that installed software can take.

The SELinux system generally takes a similar approach to AppArmor. One important difference is that it identifies file system objects by inode number instead of path. This means that, for example, a file that is inaccessible may become accessible under AppArmor when a hard link is created to it, while SELinux would deny access through the newly created hard link. On the other hand, data that is inaccessible may become accessible under SELinux when applications update the file by replacing it with a new version (a frequently used technique), while AppArmor would continue to deny access to the data. (In both cases, a default policy of "no access" avoids the problem.)
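The two cases above can be reproduced on a scratch directory to show why policy authors on either system prefer default-deny rules. This is an added example, not code from AppArmor or SELinux. It is a toy model in which a "path" policy denies by file name and an "inode" policy denies by inode number, as the text describes, and the file names are hypothetical.

```python
import os
import tempfile


def allows(key, denied, allowed=frozenset(), default_allow=True):
    """Toy access decision: explicit deny wins, then the allow list, then the default."""
    if key in denied:
        return False
    return default_allow or key in allowed


def ino(path):
    return os.stat(path).st_ino


def compare_models():
    """Return {case: (path_model_allows, inode_model_allows)}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")
        with open(secret, "w") as f:
            f.write("version 1")

        # The same intent written twice: "this file is off limits".
        denied_paths = {secret}
        denied_inodes = {ino(secret)}

        # Case 1: a hard link gives the same inode a second name.
        alias = os.path.join(d, "alias.txt")
        os.link(secret, alias)
        results["hard_link"] = (allows(alias, denied_paths),
                                allows(ino(alias), denied_inodes))

        # Case 2: the file is updated by writing a new file and renaming it
        # over the old name, so the name now refers to a new inode.
        tmp = os.path.join(d, "secret.txt.new")
        with open(tmp, "w") as f:
            f.write("version 2")
        os.replace(tmp, secret)
        results["replaced_file"] = (allows(secret, denied_paths),
                                    allows(ino(secret), denied_inodes))

        # With a default of "no access", neither gap opens.
        results["default_deny"] = (
            allows(alias, denied_paths, default_allow=False),
            allows(ino(secret), denied_inodes, default_allow=False),
        )
    return results


if __name__ == "__main__":
    for case, (by_path, by_inode) in compare_models().items():
        print(f"{case}: path model allows={by_path}, inode model allows={by_inode}")
```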

While there has been considerable debate about which approach is better, there is as yet no strong evidence that either approach is preferable. Discussion about their relative merits often revolves around which approach is more aligned with existing UNIX/Linux access control mechanisms, but UNIX and Linux use a combination of path-based and inode-based access control. Note also that existing access control mechanisms remain in place with either system.

SELinux and AppArmor also differ significantly in how they are administered and how they integrate into the system.

Isolation of processes can also be accomplished by mechanisms like virtualization; the OLPC project, for example, sandboxes individual applications in lightweight Vservers.

Availability

AppArmor was first used in Immunix Linux from 1998 to 2003. AppArmor was first made available in SUSE and openSUSE, and was first enabled by default in SUSE Linux Enterprise Server 10 and in openSUSE 10.1. AppArmor was first successfully ported and packaged for Ubuntu in April 2007. AppArmor comes installed by default in Ubuntu 7.10 Gutsy Gibbon, and came as a part of the release of Ubuntu 8.04. Although it only protects CUPS by default, the user can install new profiles and enforce them.

See also

* Immunix, the original developers of AppArmor
* Systrace

External links

* [http://en.opensuse.org/AppArmor AppArmor] description from openSUSE.org
* [http://lkml.org/lkml/2006/4/19/199 LKML thread] containing comments and criticism of AppArmor
* [http://blog.drinsama.de/erich/en/linux/selinux/2007042101-apparmor-fud.html "More information concerning AppArmor"], by Erich Schubert
* [https://wiki.ubuntu.com/AppArmor Apparmor packages for Ubuntu]
* [http://developer.novell.com/wiki/index.php/Apparmor_FAQ Apparmor FAQ]
* [http://gentoo-wiki.com/Access_Control_Comparison_Table Comparison of different Access Control Systems]
* [http://forge.novell.com/modules/xfmod/project/?apparmor AppArmor project developer page]
* [http://www.linux-magazine.com/issues/2006/69/counterpoint Counterpoint:] Novell and Red Hat security experts face off on AppArmor and SELinux


Wikimedia Foundation. 2010.
