What is AppArmor for and how it improves security in Linux

What is AppArmor for

For a long time, Linux users were like the protagonists of the tale of the three little pigs. A false sense of security led us to believe that we were safe from the problems of which Windows users were frequent victims.

Reality showed us that we were not as invulnerable as we thought. To be fair, most of the reported vulnerabilities were found in security research labs, and the conditions needed to exploit them are unlikely to exist in the real world. Even so, there are enough real problems that we should not lower our guard.

Linux kernel security measures

The general consensus among IT security specialists is that measures to prevent unauthorized entry into the system such as firewalls or intrusion detection mechanisms are no longer sufficient to stop increasingly sophisticated attacks. It is necessary to establish a new line of defense that, in the event of an unauthorized entry into the system, does not allow the invader to do anything harmful.

The principle of least privilege

The principle of least privilege establishes, as a fundamental security rule, that users of a computer system should be given only the minimum set of privileges and resources necessary to perform their specific function. In this way, the improper or negligent use of an application is prevented from becoming, or at least reduced as, the entry vector of an attack.

For a long time, Linux users have built their confidence in the security of the operating system on a kernel mechanism known as Discretionary Access Control (DAC). Discretionary Access Control determines which system resources users and applications can access.

The problem is that its range of options is very limited and that, as the word discretionary indicates, users with sufficient permissions (the owner of a file, for example) can change those permissions, and such changes can be exploited by attackers.

Mandatory Access Control

Mandatory Access Control (MAC) differs from Discretionary Access Control in that the operating system restricts what applications can do according to rules established by the system administrator, rules that the rest of the users cannot modify.

In the Linux kernel this is the responsibility of the Linux Security Modules (LSM) subsystem, which offers hooks that security frameworks such as the one discussed in this article plug into.

What is AppArmor for?

AppArmor uses the Mandatory Access Control paradigm to enhance the security of Linux distributions. It relies on the Linux Security Modules (LSM) subsystem to limit the behavior of individual applications according to policies set by the administrator.

These policies are expressed as plain text files known as profiles. With profiles, the system administrator can restrict access to files, condition interactions between processes, establish when a file system may be mounted, limit network access, and determine which capabilities an application may use and how many resources it may consume. In other words, an AppArmor profile contains a whitelist of acceptable behaviors for each confined application.

The advantages of this approach are:

  • It allows administrators to apply the principle of least privilege to applications. If an application is compromised, it will not be able to access files or perform actions outside of what the profile establishes as normal operation.
  • Profiles are written in an administrator-friendly language and stored in locations that are easy to reach.
  • Each profile can be enabled or disabled independently of the rest. This lets administrators switch off and debug a specific profile for a specific application without affecting the operation of the rest of the system.
  • When an application attempts an action that conflicts with its profile, the event is logged. In this way administrators receive an early warning.
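The two mechanisms described above, the profile as a whitelist of behaviors and the logged denial as an early warning, can be seen together in the following added example. It is not code from the article or from the AppArmor project: it parses constructed sample audit events in the key="value" layout the kernel emits through auditd or dmesg for a hypothetical confined program, /usr/local/bin/reportd, reports the enforce-mode denials as alerts, and turns the events audited in complain mode into candidate profile rules in AppArmor's own syntax for an administrator to review (the same idea the aa-logprof tool applies, though this is not that tool).

```python
"""Summarize AppArmor audit events and draft candidate profile rules.

Assumptions (not from the original article): the log lines below are
constructed samples, and /usr/local/bin/reportd is a hypothetical program.
"""
import re
from collections import defaultdict

# Constructed sample events. DENIED lines come from enforce mode (the action
# was blocked); ALLOWED lines come from complain mode (the action was only
# logged), which is how a profile is normally developed before enforcing it.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:201): apparmor="DENIED" operation="open" profile="/usr/local/bin/reportd" name="/etc/shadow" pid=4021 comm="reportd" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
type=AVC msg=audit(1700000000.102:202): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/reportd" name="/var/lib/reportd/cache.db" pid=4021 comm="reportd" requested_mask="wr" denied_mask="wr" fsuid=33 ouid=33
type=AVC msg=audit(1700000000.103:203): apparmor="ALLOWED" operation="create" profile="/usr/local/bin/reportd" pid=4021 comm="reportd" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1700000000.104:204): apparmor="DENIED" operation="capable" profile="/usr/local/bin/reportd" pid=4021 comm="reportd" capability=12 capname="net_admin"
type=AVC msg=audit(1700000000.105:205): apparmor="DENIED" operation="open" profile="/usr/local/bin/reportd" name="/etc/shadow" pid=4022 comm="reportd" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
"""

# key=value or key="quoted value"
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Return the fields of one AppArmor audit line as a dict, or None."""
    if 'apparmor=' not in line:
        return None
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}


def parse_log(text):
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]


def target(ev):
    """The object of the event: a path, a socket family/type or a capability."""
    if 'name' in ev:
        return ev['name']
    if 'family' in ev:
        return f"{ev['family']} {ev.get('sock_type', '')}".strip()
    if 'capname' in ev:
        return 'cap ' + ev['capname']
    return ev.get('operation', '?')


def rule_for(ev):
    """The AppArmor profile rule that would permit this event."""
    if 'name' in ev:
        mask = ''.join(sorted(set(ev['denied_mask'])))      # e.g. "wr" -> "rw"
        owner = 'owner ' if ev.get('fsuid') == ev.get('ouid') else ''
        return f"{owner}{ev['name']} {mask},"
    if 'family' in ev:
        return f"network {ev['family']} {ev['sock_type']},"
    if 'capname' in ev:
        return f"capability {ev['capname']},"
    return None


def summarize(events):
    """Count (profile, verdict, operation, target) tuples for an operator's overview."""
    counts = defaultdict(int)
    for ev in events:
        counts[(ev['profile'], ev['apparmor'], ev['operation'], target(ev))] += 1
    return dict(counts)


def alerts(events):
    """Enforce-mode denials: the early warning that a confined program left its whitelist."""
    return [ev for ev in events if ev['apparmor'] == 'DENIED']


def candidate_rules(events, profile):
    """Rules suggested by complain-mode events for `profile`; for human review, never auto-applied."""
    return sorted({rule_for(ev) for ev in events
                   if ev['profile'] == profile and ev['apparmor'] == 'ALLOWED' and rule_for(ev)})


def render_profile(profile, rules):
    """Render a minimal profile skeleton in AppArmor syntax."""
    body = "\n".join(f"  {r}" for r in rules)
    return (f"#include <tunables/global>\n\n{profile} {{\n"
            f"  #include <abstractions/base>\n\n"
            f"  # candidate rules derived from complain-mode events; review before enforcing\n"
            f"{body}\n}}\n")


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in alerts(events):
        print(f"ALERT profile={ev['profile']} pid={ev['pid']} {ev['operation']} {target(ev)}")
    print(render_profile("/usr/local/bin/reportd",
                         candidate_rules(events, "/usr/local/bin/reportd")))
```

Note the asymmetry the design enforces: the two attempts to read /etc/shadow and the CAP_NET_ADMIN request are reported as alerts and never become rules, while only what the program did during a complain-mode run is offered as a candidate whitelist, and even that is left for an administrator to accept or reject.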

AppArmor does not replace Discretionary Access Control; it is applied on top of it. In other words, a profile cannot authorize something that DAC prohibits, but it can prohibit something that DAC allows.

AppArmor comes pre-installed, together with some of its tools, on the major Linux distributions, and you can find more tools in the repositories.

You can find more information on the project's page.



  1.   Ghost said

    Is AppArmor not armor …….???????????????

    1.    Diego German Gonzalez said

      Certain. As soon as I can I will correct it.
      Thanks