<?xml version="1.0"?>
<!DOCTYPE chapter [
<!ENTITY % entities SYSTEM "generic-entities.ent">
%entities;
]>
<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:its="http://www.w3.org/2005/11/its" version="5.0" xml:id="cha-apparmor-intro">
<title>Introducing &aa;</title>
<info>
<meta name="description" its:translate="yes">Configure applications with AppArmor using security profiles that control access to files and operations, ensuring secure operation</meta>
<dm:docmanager xmlns:dm="urn:x-suse:ns:docmanager">
<dm:bugtracker>
</dm:bugtracker>
<dm:translation>yes</dm:translation>
</dm:docmanager>
<revhistory xml:id="rh-cha-apparmor-intro">
<revision>
<date>2026-03-31</date>
<revdescription>
<para/>
</revdescription>
</revision>
</revhistory>
</info>
<para>
Many security vulnerabilities result from bugs in
<emphasis>trusted</emphasis> programs. A trusted program runs with
privileges that attackers want to possess. The program fails to keep that
trust if there is a bug in the program that allows the attacker to acquire
said privilege.
</para>
<para>
&aareg; is an application security solution designed specifically to
apply privilege confinement to suspect programs. &aa; allows the
administrator to specify the domain of activities the program can perform
by developing a security <emphasis>profile</emphasis>. A security profile
is a listing of files that the program may access and the operations the
program may perform. &aa; secures applications by enforcing good
application behavior without relying on attack signatures, so it can
prevent attacks even if previously unknown vulnerabilities are being
exploited.
</para>
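<para>
The following Python script is an added example; it is not part of this chapter and not code from the &aa; project. It models, in simplified form, the statement above that a profile is a listing of files the program may access and the operations it may perform: paths not listed are denied, explicit <literal>deny</literal> rules win over allow rules, and the globs <literal>*</literal> (does not cross <literal>/</literal>) and <literal>**</literal> (does cross <literal>/</literal>) select paths. The sample profile, the daemon path <literal>/usr/bin/example-daemon</literal> and the file paths in it are constructed for illustration; the script only handles single-letter access modes and is not the kernel's matcher.
</para>

```python
"""Simplified model of how an AppArmor file rule list decides an access request.

This is an illustrative re-implementation written for this chapter, not the
AppArmor parser or the kernel matcher. It covers only simple file rules with
single-letter access modes (r, w, a, m, k, l) and the 'deny' keyword.
"""
import re

# Constructed sample profile in AppArmor syntax; the daemon and paths are made up.
SAMPLE_PROFILE = """
/usr/bin/example-daemon {
  /etc/example/** r,
  deny /etc/example/secret.key r,
  /var/log/example.log w,
  /var/lib/example/* rw,
  /usr/lib/** mr,
}
"""

# One file rule per line: optional 'deny', an absolute path glob, access letters, comma.
RULE_RE = re.compile(r"^\s*(deny\s+)?(/\S+)\s+([a-zA-Z]+)\s*,\s*$")


def glob_to_regex(pattern):
    """Translate an AppArmor path glob into an anchored regular expression.

    '**' matches any characters including '/', '*' matches any characters
    except '/'; everything else is taken literally.
    """
    out = ["^"]
    i = 0
    n = len(pattern)
    while i != n:
        ch = pattern[i]
        if ch == "*":
            if i + 1 != n and pattern[i + 1] == "*":
                out.append(".*")
                i += 2
                continue
            out.append("[^/]*")
            i += 1
            continue
        out.append(re.escape(ch))
        i += 1
    out.append("$")
    return "".join(out)


def parse_profile(text):
    """Return a list of (is_deny, compiled_path_regex, set_of_access_letters)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m is None:
            continue  # profile header, closing brace, blank lines
        is_deny = m.group(1) is not None
        rules.append((is_deny, re.compile(glob_to_regex(m.group(2))), set(m.group(3))))
    return rules


def check_access(rules, path, access):
    """Decide 'allow' or 'deny' for a request of access letters on path.

    A deny rule covering any requested letter wins outright; otherwise every
    requested letter must be granted by some allow rule. Unlisted paths are
    denied, which is the default-deny behaviour of a confined program.
    """
    wanted = set(access)
    granted = set()
    for is_deny, regex, perms in rules:
        if not regex.match(path):
            continue
        if is_deny and perms.intersection(wanted):
            return "deny"
        if not is_deny:
            granted |= perms
    return "allow" if wanted.issubset(granted) else "deny"


if __name__ == "__main__":
    rules = parse_profile(SAMPLE_PROFILE)
    for path, access in [
        ("/etc/example/app.conf", "r"),
        ("/etc/example/secret.key", "r"),
        ("/var/lib/example/state.db", "rw"),
        ("/var/lib/example/sub/state.db", "r"),
        ("/var/log/example.log", "r"),
        ("/etc/shadow", "r"),
    ]:
        print(f"{path} {access}: {check_access(rules, path, access)}")
```

<para>
Running the script shows the three behaviours the paragraph describes: a configuration file under <literal>/etc/example/</literal> is readable, the key file in the same directory is refused because the <literal>deny</literal> rule overrides the wildcard allow, and a path that no rule mentions is refused even though the program might have the Unix permissions to open it.
</para>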
<sect1>
<title>&aa; components</title>
<para>
&aa; consists of:
</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>
A library of &aa; profiles for common Linux* applications, describing
what files the program needs to access.
</para>
</listitem>
<listitem>
<para>
A library of &aa; profile foundation classes (profile building
blocks) needed for common application activities, such as DNS lookup and
user authentication.
</para>
</listitem>
<listitem>
<para>
A tool suite for developing and enhancing &aa; profiles, so that you
can change the existing profiles to suit your needs and create new
profiles for your own local and custom applications.
</para>
</listitem>
<listitem>
<para>
Several specially modified applications, including Apache, that are
&aa; enabled to provide enhanced security in the form of unique
subprocess confinement.
</para>
</listitem>
<listitem>
<para>
The &aa;-related kernel code and associated control scripts to
enforce &aa; policies on your &productnamereg; system.
</para>
</listitem>
</itemizedlist>
</sect1>
<sect1 xml:id="sec-apparmor-intro-background">
<title>Background information on &aa; profiling</title>
<para>
For more information about the science and security of &aa;, refer to
the following papers:
</para>
<variablelist>
<varlistentry>
<term><citetitle>SubDomain: Parsimonious Server Security</citetitle> by
Crispin Cowan, Steve Beattie, Greg Kroah-Hartman, Calton Pu, Perry Wagle,
and Virgil Gligor</term>
<listitem>
<para>
Describes the initial design and implementation of &aa;. Published
in the proceedings of the USENIX LISA Conference, December 2000, New
Orleans, LA. This paper is now out of date, describing syntax and
features that are different from the current &aa; product. This
paper should be used only for background, and not for technical
documentation.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><citetitle>Defcon Capture the Flag: Defending Vulnerable Code from Intense Attack</citetitle>
by Crispin Cowan, Seth Arnold, Steve Beattie, Chris Wright, and John Viega</term>
<listitem>
<para>
A good guide to strategic and tactical use of &aa; to solve severe
security problems in a short period of time. Published in the
Proceedings of the DARPA Information Survivability Conference and Expo
(DISCEX III), April 2003, Washington, DC.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><citetitle>AppArmor for Geeks</citetitle> by Seth Arnold</term>
<listitem>
<para>
This document tries to convey a better understanding of the technical
details of &aa;. It is available at
<link xlink:href="https://en.opensuse.org/SDB:AppArmor_geeks"/>.
</para>
</listitem>
</varlistentry>
</variablelist>
</sect1>
</chapter>