LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for April 4, 2013

LWN.net Weekly Edition for March 28, 2013

A kernel change breaks GlusterFS

PyCon: Evangelizing Python

Multipath TCP: an overview

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

The AppArmor debate begins

The AppArmor debate begins

Posted Apr 27, 2006 12:02 UTC (Thu) by jamesh (guest, #1159)
In reply to: The AppArmor debate begins by drag
Parent article: The AppArmor debate begins

For some applications you might be able to restrict them enough for this to be true, but many apps will need fairly liberal policies.

Consider a text editor for example. The user expects to be able to edit files all over the system, so even if there is a final "deny all" rule, there will be many paths that the policy needs to allow. Each of these paths is a potential attack vector (assuming that they manage to create the hardlink or bind mount).

(Log in to post comments)

The AppArmor debate begins

Posted May 1, 2006 18:56 UTC (Mon) by perbu (subscriber, #14372) [Link]

I would think text editors are not the primary target of Apparmor. Talks and demos given seem to indicate that their focus seems to be on network-enabled services, such as Apache, Tomcat, PostgreSQL and lots of closed-source services.

I've been working as a sysadmin for 8 years and I must say I welcome Apparmor with open arms. It seems to be dead simple to set up - and you can do so without to much knowledge of the application you are trying to secure. It does not try to secure every aspect of every application - they seem to rule out support for complex beasts as shared memory because it would make the configuration process to complex - which I think is a good thing.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds