Mandatory Access Control with AppArmor
Roadmap
All active development efforts experience a constant hustle to update and improve. AppArmor strives to add new features – the current version has evolved from its nascent stage, which was bogged down with huge performance overhead to the kernel/CPU, as it was written in plain text. Version 2 added a compile state machine, which guaranteed execution time by restricting the CPU overload.
Version 3, which is currently in development, will add multiple cache support. Enhanced networking support will bring fine-grained access to networking, which will allow you to monitor network-oriented applications and will also grant access to specific port calls. Support for ZFS database operations, Cgroups, and chroot will add additional capabilities for security-minded users.
Conclusion
MACs, if implemented properly, can provide a very well defined security ring that can render any attack useless or make the damage very predictable. AppArmor creates a whitelist that can ward off any major damage and be independent of user and system, and it creates very lean and simple application-specific rules that are easy to discern and implement.
The only gripe with AppArmor is that it offers a limited security solution out of the box. It may work very well in a limited environment, but the need to manually create profiles in a more exhaustive setup can be cumbersome at best. Creating profiles for so many variables can be a daunting task and may ward off interest in using AppArmor in the first place. However, development of new profiles is an ongoing process; more profile features are being added with each passing release.
Does AppArmor guarantee security? Yes and no. Security will always be on an unstable footing, and this article has only scratched the surface towards securing your system. The price of freedom and security is eternal vigilance.
Infos
- AppArmor Wiki: https://gitlab.com/apparmor/apparmor/wikis/Documentation
- Oracle Docs: https://docs.oracle.com/en/
- Red Hat Documentation: https://access.redhat.com/documentation/en-us/
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
So Long Neofetch and Thanks for the Info
Today is a day that every Linux user who enjoys bragging about their system(s) will mourn, as Neofetch has come to an end.
-
Ubuntu 24.04 Comes with a “Flaw"
If you're thinking you might want to upgrade from your current Ubuntu release to the latest, there's something you might want to consider before doing so.
-
Canonical Releases Ubuntu 24.04
After a brief pause because of the XZ vulnerability, Ubuntu 24.04 is now available for install.
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.