![Page 1: AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen john.johansen@canonical.com August](https://reader034.vdocuments.site/reader034/viewer/2022052001/6013e486a6861a0c15061d48/html5/thumbnails/1.jpg)
1
AppArmor Update 2018
2018 Linux Security Summit – North America
Presentation by
John Johansen
www.canonical.com
August 2018
2
New Logo
3
Moved from launchpad to gitlab
4
Wiki moved to gitlab too
5
CII Best Practices
6
Upstreaming
Everything except
af_unix
7
Upstreaming cont.
● Secids – 4.18
● audit rule filtering (SUBJ_ROLE) – 4.18
● socket mediation – 4.17
● Profile attachment – 4.17
● IMA
● Improved overlapping exec attachment resolution
● nnp subset test
8
4.14 – A New Direction
9
Policy tagged with ABI info
```
profile ping /{usr/,}bin/ping {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,
  network inet6 raw,

  file mixr /{,usr/}bin/ping,
  file r /etc/modules.conf,
}
```
10
Policy tagged with ABI info
```
feature-abi=<features/upstream-4.18>

profile ping /{usr/,}bin/ping {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,
  network inet6 raw,

  file mixr /{,usr/}bin/ping,
  file r /etc/modules.conf,
}
```
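The reason for tagging policy with ABI information is that untagged policy is compiled against whatever the running kernel supports, so the same text changes behaviour after a kernel upgrade. The following is an added example, not code from the slides or from the AppArmor parser: it parses the slide's ping profile using the proposed `feature-abi=<...>` syntax and models the difference; `ABI_TABLE` and the kernel feature sets are invented placeholders, not the real upstream feature files.

```python
import re

# Constructed input: the ping profile from the slide, re-typed with the proposed
# feature-abi tag on top. Not the profile shipped by any distribution.
PING_PROFILE = """\
feature-abi=<features/upstream-4.18>
profile ping /{usr/,}bin/ping {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>
  capability net_raw,
  capability setuid,
  network inet raw,
  network inet6 raw,
  file mixr /{,usr/}bin/ping,
  file r /etc/modules.conf,
}
"""

ABI_RE = re.compile(r"^\s*feature-abi=<([^>]+)>\s*$", re.M)
RULE_RE = re.compile(r"^\s*(capability|network|file|mount|signal|ptrace|dbus|unix)\b", re.M)

# Assumed ABI table (illustrative values, not the real upstream feature files).
ABI_TABLE = {
    "features/upstream-4.14": {"file", "capability", "mount", "signal", "ptrace"},
    "features/upstream-4.18": {"file", "capability", "mount", "signal", "ptrace", "network"},
}

def declared_abi(policy: str):
    """Feature ABI the policy declares, or None for legacy untagged policy."""
    m = ABI_RE.search(policy)
    return m.group(1) if m else None

def rule_classes(policy: str) -> set:
    """Mediation classes the policy text actually contains rules for."""
    return set(RULE_RE.findall(policy))

def enforced_classes(policy: str, kernel_features: set) -> set:
    """Classes the compiled policy would enforce on a kernel with kernel_features.
    Tagged policy: only what both the declared ABI and the kernel support.
    Untagged policy: everything the kernel supports, so network mediation appears
    silently once the kernel grows it."""
    abi = declared_abi(policy)
    if abi is None:
        return set(kernel_features)
    return ABI_TABLE[abi] & set(kernel_features)

def dormant_rules(policy: str, kernel_features: set) -> set:
    """Rules present in the policy that this kernel/ABI combination will not enforce."""
    return rule_classes(policy) - enforced_classes(policy, kernel_features)
```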
11
Single Binary Policy Cache
Diagram: a single cache directory, /etc/apparmor.d/cache, holding one compiled binary per profile: bin.ping, sbin.klogd, sbin.syslogd, sbin.syslog-ng, skype, usr.bin.evince, usr.bin.firefox, usr.bin.pidgin, usr.sbin.cupsd, usr.sbin.dnsmasq, usr.sbin.dovecot, ...
12
Per Kernel binary policy
Diagram: the same set of compiled profiles (bin.ping, sbin.klogd, sbin.syslogd, sbin.syslog-ng, skype, usr.bin.evince, usr.bin.firefox, usr.bin.pidgin, usr.sbin.cupsd, usr.sbin.dnsmasq, usr.sbin.dovecot, ...) kept once per kernel, each copy under a directory named for that kernel's feature set: $(location)/cache/7f01cf2e.1, $(location)/7f01cf2e.0, $(location)/cache/a035ea11.0
13
Binary Policy Overlay
Diagram: two cache locations overlaid. $(loc1) holds the full compiled set (bin.ping, sbin.klogd, sbin.syslogd, sbin.syslog-ng, skype, usr.bin.evince, usr.bin.firefox, usr.bin.pidgin, usr.sbin.cupsd, usr.sbin.dnsmasq, usr.sbin.dovecot, ...), while $(loc2) holds only a subset (skype, usr.bin.evince, usr.bin.firefox, usr.sbin.cupsd, ...). Both locations use the same per-kernel directory names: $(loc1)/7f01cf2e.0 and $(loc2)/7f01cf2e.0, $(loc1)/a035ea11.0 and $(loc2)/a035ea11.0
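The three cache slides above (single cache, per-kernel directories, overlay) describe a lookup scheme rather than code. As an added example, not from the slides or the AppArmor project, the script below models it: a directory name derived from the kernel feature set, a write into one location, and an overlay lookup that searches locations in order. The feature strings and the truncated SHA-256 are constructed stand-ins for the real features file and whatever hash the parser uses.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for /sys/kernel/security/apparmor/features on two kernels.
# They only need to differ; the real feature files are far longer.
FEATURES_A = "file {mask {read write exec append mmap_exec link lock}}\n"
FEATURES_B = FEATURES_A + "network {af_mask {unspec unix inet inet6}}\n"

def cache_dir_name(features: str) -> str:
    """Per-kernel cache directory name. Illustrative hash: a different feature
    set must yield a different directory, so stale binaries are never picked up."""
    return hashlib.sha256(features.encode()).hexdigest()[:8] + ".0"

def find_cached(profile: str, features: str, locations: list):
    """Overlay lookup: walk the cache locations in order and return the first
    binary policy compiled for this kernel's feature set, or None."""
    sub = cache_dir_name(features)
    for loc in locations:
        candidate = Path(loc) / sub / profile
        if candidate.is_file():
            return candidate
    return None

def store(profile: str, features: str, location, blob: bytes) -> Path:
    """Write a compiled profile into the per-kernel subdirectory of one location."""
    dest = Path(location) / cache_dir_name(features) / profile
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(blob)
    return dest

def demo() -> dict:
    """loc1: base cache with the full profile set; loc2: local overlay holding a
    few rebuilt profiles (as on the slide). Returns which location served each
    lookup, plus the per-kernel directory names for the two feature sets."""
    with tempfile.TemporaryDirectory() as tmp:
        loc1, loc2 = Path(tmp, "loc1"), Path(tmp, "loc2")
        for name in ("bin.ping", "sbin.klogd", "usr.bin.firefox", "usr.sbin.cupsd"):
            store(name, FEATURES_A, loc1, b"compiled-for-A:" + name.encode())
        for name in ("usr.bin.firefox", "usr.sbin.cupsd"):
            store(name, FEATURES_A, loc2, b"local-rebuild:" + name.encode())
        locs = [loc2, loc1]  # overlay first, then the base cache
        served = lambda p: p.relative_to(tmp).parts[0] if p else None
        return {
            "dir_a": cache_dir_name(FEATURES_A),
            "dir_b": cache_dir_name(FEATURES_B),
            "firefox": served(find_cached("usr.bin.firefox", FEATURES_A, locs)),
            "ping": served(find_cached("bin.ping", FEATURES_A, locs)),
            "ping_new_kernel": served(find_cached("bin.ping", FEATURES_B, locs)),
        }
```

A profile compiled for feature set A is never returned for a kernel with feature set B, which is the property the per-kernel directories buy.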
14
WIP
15
Current WIP
● Internal cleanups and improvements
● Rework early policy loading
● Systemd integration
● Default profile
● initrd/initramfs hooks
● Fine grained networking
● af_unix
● ipv4/ipv6
● Improved mount mediation
● Missing mediation
● Keys mediation
● ioctl mediation
16
WIP continued
● Improvements to auditing
● Get audit data of the stack
● Caching and grouping
● Improvements to complain/learning
● Caching of recently audited events
● Direct to daemon logging
● Daemon interaction
● Further attachment conditionals (user, …)
● Extended conditionals, and permissions
● Policy namespaces
● Separate scope & view work
● Open up policy to users and applications
● Delegation