
The AppArmor debate begins

Posted Apr 27, 2006 12:02 UTC (Thu) by jamesh (guest, #1159)
In reply to: The AppArmor debate begins by drag
Parent article: The AppArmor debate begins

For some applications you might be able to restrict them enough for this to be true, but many apps will need fairly liberal policies.

Consider a text editor for example. The user expects to be able to edit files all over the system, so even if there is a final "deny all" rule, there will be many paths that the policy needs to allow. Each of these paths is a potential attack vector (assuming that they manage to create the hardlink or bind mount).


The AppArmor debate begins

Posted May 1, 2006 18:56 UTC (Mon) by perbu (guest, #14372) [Link]

I would think text editors are not the primary target of AppArmor. Talks and demos given seem to indicate that their focus seems to be on network-enabled services, such as Apache, Tomcat, PostgreSQL and lots of closed-source services.

I've been working as a sysadmin for 8 years and I must say I welcome AppArmor with open arms. It seems to be dead simple to set up - and you can do so without too much knowledge of the application you are trying to secure. It does not try to secure every aspect of every application - they seem to rule out support for complex beasts such as shared memory because it would make the configuration process too complex - which I think is a good thing.
