AppArmorProgramaticApplicationPolicy

From AppArmor
Jump to: navigation, search

WARNING

This document is a work in progress and requires at a minimum the development version of apparmor 4.x???

Requirements

  • AppArmor Kernel module - 4.x??
  • AppArmor Userspace - 4.x???

Related Documentation

AppArmor Policy Table of Contents

AppArmor Stacking Table of Contents

Introduction

When unprivileged policy is allowed via stacking and policy namespaces applications can you leverage AppArmor policy to create and manage sandboxes, voluntarily reducing their available resources and permissions to reduce attack surface.

1. Checking for AppArmor support

2. Creating Policy

auto creating unique name based on @{exec_name}, @{profile}, @{pid}

profile ? create=:app://@{exec_name}.@{pid} {

 hat foo { }

}

this way the application doesn't need to create its own unique name

3. Loading Policy

4. Switch to the application policy

 change_hat - allows changing back
 change_profile - permanent transition
 stack - may be the only thing allowed

Setting up policy to allow application policy

??? using policy ns vs. not