From: John Johansen <john.johansen@canonical.com>
To: linux-security-module@vger.kernel.org
Subject: [AppArmor 00/12] AppArmor security module
Date: Tue, 22 Sep 2009 12:40:01 -0700
Cc: John Johansen <john.johansen@canonical.com>

This is the beginning of submitting AppArmor upstream again. The introduction
and documentation are a WIP, but the code is now at a point where review
and comment would be greatly appreciated.

The AppArmor security module has been rewritten to use the security_path
hooks instead of the previous vfs approach. The current implementation is
aimed at being as semantically close to previous versions of AppArmor as
possible while using the existing LSM infrastructure.

This version of AppArmor is a WIP and is roughly equivalent to previous
versions with better control of exec transitions. Development is ongoing
and improvements to file, capability, network, resource usage and ipc
mediation are planned.

In brief, AppArmor is a security module that uses a white list to determine
permissions. It provides rules for file, capability, and network mediation,
with its file mediation using path name based pattern matching. Though it
is possible to confine an entire system, AppArmor by design allows for
application based mediation where only a subset of a running system is confined.
AppArmor allows for rules that black list permissions, but these rules
are used to annotate known items that will be encountered and should
be rejected.

AppArmor's base unit of confinement is a profile, which defines the
access permissions for tasks it is attached to. Profiles are grouped
into profile namespaces, and must have a unique name within the namespace.
Profile names provide context for when a profile should be used and
may determine the attachment of a profile to an application. If a profile
name begins with a / character, its name is considered to be a path name
and it may be matched against executable names to determine attachment.
Profile names that do not begin with a / character are not considered
during automatic profile attachment.

Profile names that begin with / characters can contain AppArmor pattern
matching and may match against multiple executables. If multiple
profiles match an executable, then the profile with the longest left
exact match wins. If the winner cannot be determined, execution of the
task will fail.

Profile names that begin with / characters are considered for attachment
when an unconfined application calls exec, or when a confined application
uses an exec rule specifying that such a match should be done (px, cx).
They may also be attached using the change_profile or change_hat directives.
Profile names that don't begin with a / character are only attached
when they are specified by a profile exec transition, or through using
the change_profile or change_hat directives.

Further documentation can be found at
AppArmor documentation can currently be found at
http://developer.novell.com/wiki/index.php/Apparmor
The AppArmor git tree can be found at
git://kernel.ubuntu.com/jj/apparmor-mainline
John Johansen (12):
AppArmor misc. base functions and defines
AppArmor basic auditing infrastructure.
AppArmor contexts used in attaching policy to system objects
AppArmor core policy routines
AppArmor dfa match engine
AppArmor policy routines for loading and unpacking policy
AppArmor userspace interfaces
AppArmor file enforcement routines
AppArmor mediation of non file objects
AppArmor domain functions for domain transition
AppArmor LSM interface, and security module initialization
Enable configuring and building of AppArmor security module
include/linux/audit.h | 10 +-
security/Kconfig | 1 +
security/Makefile | 2 +
security/apparmor/Kconfig | 62 ++
security/apparmor/Makefile | 25 +
security/apparmor/apparmorfs-24.c | 184 +++++
security/apparmor/apparmorfs.c | 245 ++++++
security/apparmor/audit.c | 159 ++++
security/apparmor/capability.c | 122 +++
security/apparmor/context.c | 227 ++++++
security/apparmor/domain.c | 646 ++++++++++++++++
security/apparmor/file.c | 423 +++++++++++
security/apparmor/include/apparmor.h | 65 ++
security/apparmor/include/apparmorfs.h | 30 +
security/apparmor/include/audit.h | 59 ++
security/apparmor/include/capability.h | 45 ++
security/apparmor/include/context.h | 153 ++++
security/apparmor/include/domain.h | 37 +
security/apparmor/include/file.h | 229 ++++++
security/apparmor/include/ipc.h | 28 +
security/apparmor/include/match.h | 105 +++
security/apparmor/include/net.h | 40 +
security/apparmor/include/path.h | 24 +
security/apparmor/include/policy.h | 303 ++++++++
security/apparmor/include/policy_interface.h | 22 +
security/apparmor/include/procattr.h | 26 +
security/apparmor/include/resource.h | 46 ++
security/apparmor/include/sid.h | 46 ++
security/apparmor/ipc.c | 106 +++
security/apparmor/lib.c | 100 +++
security/apparmor/lsm.c | 1029 ++++++++++++++++++++++++++
security/apparmor/match.c | 290 ++++++++
security/apparmor/net.c | 145 ++++
security/apparmor/path.c | 153 ++++
security/apparmor/policy.c | 672 +++++++++++++++++
security/apparmor/policy_interface.c | 855 +++++++++++++++++++++
security/apparmor/procattr.c | 116 +++
security/apparmor/resource.c | 104 +++
security/apparmor/sid.c | 113 +++
39 files changed, 7046 insertions(+), 1 deletions(-)
create mode 100644 security/apparmor/Kconfig
create mode 100644 security/apparmor/Makefile
create mode 100644 security/apparmor/apparmorfs-24.c
create mode 100644 security/apparmor/apparmorfs.c
create mode 100644 security/apparmor/audit.c
create mode 100644 security/apparmor/capability.c
create mode 100644 security/apparmor/context.c
create mode 100644 security/apparmor/domain.c
create mode 100644 security/apparmor/file.c
create mode 100644 security/apparmor/include/apparmor.h
create mode 100644 security/apparmor/include/apparmorfs.h
create mode 100644 security/apparmor/include/audit.h
create mode 100644 security/apparmor/include/capability.h
create mode 100644 security/apparmor/include/context.h
create mode 100644 security/apparmor/include/domain.h
create mode 100644 security/apparmor/include/file.h
create mode 100644 security/apparmor/include/ipc.h
create mode 100644 security/apparmor/include/match.h
create mode 100644 security/apparmor/include/net.h
create mode 100644 security/apparmor/include/path.h
create mode 100644 security/apparmor/include/policy.h
create mode 100644 security/apparmor/include/policy_interface.h
create mode 100644 security/apparmor/include/procattr.h
create mode 100644 security/apparmor/include/resource.h
create mode 100644 security/apparmor/include/sid.h
create mode 100644 security/apparmor/ipc.c
create mode 100644 security/apparmor/lib.c
create mode 100644 security/apparmor/lsm.c
create mode 100644 security/apparmor/match.c
create mode 100644 security/apparmor/net.c
create mode 100644 security/apparmor/path.c
create mode 100644 security/apparmor/policy.c
create mode 100644 security/apparmor/policy_interface.c
create mode 100644 security/apparmor/procattr.c
create mode 100644 security/apparmor/resource.c
create mode 100644 security/apparmor/sid.c
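
The automatic attachment rule described in the message above (only profile names starting with / are candidates, the longest left exact match wins, and an undeterminable winner fails the exec), as an added example that is not code from this patch series. The function names, return codes and sample profile names are hypothetical; the glob handles only `*`, `**` and `?`, and "longest left exact match" is assumed to mean the length of the literal prefix before the first wildcard.

```c
#include <stdio.h>
#include <string.h>

/* Simplified glob (assumption): '*' and '?' stop at '/', "**" crosses it. */
static int glob_match(const char *p, const char *s)
{
    if (*p == '\0')
        return *s == '\0';
    if (*p == '*') {
        int deep = (p[1] == '*');
        if (glob_match(p + 1 + deep, s))    /* wildcard matches nothing more */
            return 1;
        return *s && (deep || *s != '/') && glob_match(p, s + 1);
    }
    if (*s == '\0' || (*p == '?' ? *s == '/' : *p != *s))
        return 0;
    return glob_match(p + 1, s + 1);
}

/* Hypothetical helper: index of the profile to attach, -1 if no profile
 * matches, -2 if the winner cannot be determined (the exec would fail). */
int find_attachment(const char *const names[], size_t n, const char *exe)
{
    int best = -1, tie = 0;
    size_t best_len = 0;
    for (size_t i = 0; i < n; i++) {
        /* Names not starting with '/' are never attached automatically. */
        if (names[i][0] != '/' || !glob_match(names[i], exe))
            continue;
        /* Assumed ranking: literal prefix before the first wildcard. */
        size_t len = strcspn(names[i], "*?");
        if (best < 0 || len > best_len) {
            best = (int)i;
            best_len = len;
            tie = 0;
        } else if (len == best_len) {
            tie = 1;
        }
    }
    return tie ? -2 : best;
}

int main(void)
{
    /* Constructed profile names, not taken from any real policy. */
    const char *const names[] = { "/usr/bin/*", "/usr/bin/fire*", "/usr/**", "helper" };
    printf("%d\n", find_attachment(names, 4, "/usr/bin/firefox"));
    return 0;
}
```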