Source: openSUSE wiki, page "AppArmor Detail"
=== Transparency Through Familiarity ===

To achieve transparency, AppArmor uses all-classical UNIX security semantics, but applies them to programs. An AppArmor policy specifies the set of POSIX.1e capabilities that a program can have, and the set of files it can access. The POSIX.1e capabilities are specified by name. The files are specified by absolute path names, which may embed shell-syntax wildcards, followed by access modes (r, w, and x, with a bit of embellishment such as l for link and the i in ix, which makes an executed program inherit the current profile). Anything the policy does not list is denied. So an AppArmor policy to confine ntpd (the network time protocol daemon) looks like this:

<pre>
/usr/sbin/ntpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <program-chunks/ntpd>
  capability ipc_lock,
  capability net_bind_service,
  capability sys_time,
  capability sys_chroot,
  capability setuid,
  /etc/ntp.conf r,
  /etc/ntp/drift* rwl,
  /etc/ntp/keys r,
  /etc/ntp/step-tickers r,
  /tmp/ntp* rwl,
  /usr/sbin/ntpd rix,
  /var/log/ntp w,
  /var/log/ntp.log w,
  /var/run/ntpd.pid w,
  /var/lib/ntp/drift rwl,
  /var/lib/ntp/drift.TEMP rwl,
  /var/lib/ntp/var/run/ntp/ntpd.pid w,
  /var/lib/ntp/drift/ntp.drift r,
  /drift/ntp.drift.TEMP rwl,
  /drift/ntp.drift rwl,
}
</pre>

From here, it would be relatively straightforward to hand-craft security policy for applications through a combination of expert knowledge and trial and error. However, that would be so tedious that the vast majority of developers and users would refuse to put in the work. To further improve transparency, AppArmor includes a "learning mode" (called complain mode in AppArmor's tooling) that allows policy to be built by running the application and observing what it does. In learning mode the rules are not enforced, but violations are logged and process forking is tracked, so that the log of an application's execution builds up a characteristic description of the application's activities. AppArmor includes a log analysis program that scans the log, prompts the user with questions, and creates a program profile from the answers.
Learning mode and the log analyzer are also capable of incremental improvement of the profile if one already exists, but omits some necessary rules.
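The following is an added example, not code from the openSUSE page or from AppArmor's own tools, that mechanises in miniature the two things the section describes: the profile syntax (absolute paths with shell-style wildcards plus mode letters, capabilities by name) and the learning-mode workflow (a complain-mode log is scanned and turned into, or merged into, a profile). The audit lines in `SAMPLE_LOG` are constructed for this example in the kernel's audit format; the profile name, pids and paths are assumptions, and the analyzer always chooses `ix` for exec events where the real log analyzer would ask the user.

```python
import re
from collections import defaultdict

# Constructed sample of complain-mode ("learning mode") audit events, written
# for this example in the kernel's audit format; not captured from a real
# system. In complain mode a would-be violation is logged as apparmor="ALLOW"
# instead of being blocked, and that is what the log analyzer consumes.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:11): apparmor="ALLOW" operation="capable" profile="/usr/sbin/ntpd" pid=4242 comm="ntpd" capability=25 capname="sys_time"
type=AVC msg=audit(1700000000.102:12): apparmor="ALLOW" operation="capable" profile="/usr/sbin/ntpd" pid=4242 comm="ntpd" capability=10 capname="net_bind_service"
type=AVC msg=audit(1700000000.103:13): apparmor="ALLOW" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.conf" pid=4242 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.104:14): apparmor="ALLOW" operation="open" profile="/usr/sbin/ntpd" name="/var/lib/ntp/drift" pid=4242 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=74 ouid=74
type=AVC msg=audit(1700000000.105:15): apparmor="ALLOW" operation="open" profile="/usr/sbin/ntpd" name="/var/lib/ntp/drift.TEMP" pid=4242 comm="ntpd" requested_mask="wc" denied_mask="wc" fsuid=74 ouid=74
type=AVC msg=audit(1700000000.106:16): apparmor="ALLOW" operation="link" profile="/usr/sbin/ntpd" name="/var/lib/ntp/drift" pid=4242 comm="ntpd" requested_mask="l" denied_mask="l" fsuid=74 ouid=74
type=AVC msg=audit(1700000000.107:17): apparmor="ALLOW" operation="open" profile="/usr/sbin/ntpd" name="/var/run/ntpd.pid" pid=4242 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The kernel reports fine-grained masks; profile syntax folds append, create
# and delete into plain write permission, so normalise those to 'w'.
MASK_TO_RULE = {"r": "r", "w": "w", "a": "w", "c": "w", "d": "w",
                "l": "l", "k": "k", "m": "m", "x": "x"}
MODE_ORDER = "rwmlkx"  # canonical order when rendering a rule's modes


def parse_event(line):
    """Split one audit line into a dict of key=value fields."""
    return {k: q or u for k, q, u in KV_RE.findall(line)}


def new_profile(name):
    return {"name": name, "capabilities": set(), "files": defaultdict(set)}


def learn_profile(log_text, existing=None):
    """Build a profile from learning-mode log lines, or extend `existing`
    (a profile made by new_profile/learn_profile) with rules it lacked."""
    profile = existing
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("apparmor") != "ALLOW":   # only complain-mode events count
            continue
        if profile is None:
            profile = new_profile(ev["profile"])
        if ev["operation"] == "capable":
            profile["capabilities"].add(ev["capname"])
        elif "name" in ev:
            modes = {MASK_TO_RULE[c] for c in ev["requested_mask"] if c in MASK_TO_RULE}
            profile["files"][ev["name"]] |= modes
    return profile


def render_profile(profile, includes=("abstractions/base",)):
    """Emit the profile in the syntax shown on the page."""
    lines = [f"{profile['name']} {{"]
    lines += [f"  #include <{inc}>" for inc in includes]
    lines += [f"  capability {cap}," for cap in sorted(profile["capabilities"])]
    for path in sorted(profile["files"]):
        modes = profile["files"][path]
        mode_str = "".join(c for c in MODE_ORDER if c in modes and c != "x")
        if "x" in modes:
            mode_str += "ix"  # assumption: inherit-exec; aa-logprof would ask
        lines.append(f"  {path} {mode_str},")
    lines.append("}")
    return "\n".join(lines)


def glob_to_regex(pattern):
    """AppArmor path globbing: '*' stops at '/', '**' crosses directories,
    '?' is one non-'/' character. ({a,b} alternation is not handled here.)"""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")


def is_allowed(profile, path, mode):
    """True if every requested mode letter is granted by some matching file
    rule; permissions from all matching rules accumulate, unlisted paths are
    denied."""
    granted = set()
    for pattern, modes in profile["files"].items():
        if glob_to_regex(pattern).match(path):
            granted |= modes
    return set(mode) <= granted


if __name__ == "__main__":
    print(render_profile(learn_profile(SAMPLE_LOG)))
```

Running the block prints a profile for `/usr/sbin/ntpd` with two capability lines and four file rules, the drift file having accumulated `rl` from two separate events. `is_allowed` is the check to run against a hand-written or generated profile before enforcing it: note that `/tmp/ntp*` does not cover `/tmp/ntp/sub/file`, because a single `*` never crosses a directory separator.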