[apparmor] FBAC-LSM as a front end for AppArmor

Cliffe z.cliffe at schreuders.org
Thu Aug 12 05:53:10 BST 2010 

AppArmor devs:

Earlier in the week I presented some of the results of my PhD research
at the Linux Security Summit. This included a usability assessment of
AppArmor (with the suse tools) and suggestions for improvements. I also
briefly discussed the lsm and tools I created which are designed to
improve the usability of policy specification for application
restrictions; this is achieved using a number of techniques such as
parameterised hierarchical abstractions and automation techniques. The
lsm is functional but needs a lot of work.

I gave a quick demonstration to John and Kees of a new feature of the
gui tool: export to AppArmor. This is achieved by exploding out an
FBAC-LSM application policy into AppArmor rules. It can also go into an
AppArmor managing mode where it basically uses AppArmor as the
underlying lsm and automatically exports and loads policies etc.

There is work to be done before it is ready for deployment (and my
highest priority at the moment is submitting my thesis) but I would love
to open a dialogue with you guys to know what you think and what you
would like to see. It would be great to see it as an available front end
for AppArmor.

Grab the code, more info, papers, general project todo etc:

http://schreuders.org/FBAC-LSM

(demo video is out of date)

It can create complete policies without the use of learning modes, based
on high level goals of the user. To give it a spin: run the gui, remove
one of the app policies (for a program installed on your system), and
try creating a new policy for the application. Other apps that perform
the same features should also be easily confined. The policy was
developed in a KDE3.5 environment, and is largely not tested/updated for
newer environments. Obviously adding more "functionalities" (FBAC-LSM
policy abstractions) and updating those that are there is important.

Keep in mind that this was developed as a research project and the code
could be cleaner. It is also currently a bit memory hungry.

Patches, comments and suggestions welcome :)


Cheers,

Z. Cliffe Schreuders.

PS: For discussion of FBAC-LSM you would rather keep off this list,
there is a (mostly silent) FBAC-LSM mailing list
(https://lists.sourceforge.net/lists/listinfo/fbac-lsm-general) or you
can contact me directly.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.ubuntu.com/archives/apparmor/attachments/20100812/22db3785/attachment-0001.htm

More information about the AppArmor mailing list