WARNING this page is being heavily edited
- 1 Using AppArmor to confine users and do RBAC
- 2 Requirements
- 3 Setting up pam_cap.so
- 4 Setting up pam_apparmor.so
- 5 RBAC Policy choices
- 6 Links
Using AppArmor to confine users and do RBAC
To achieve RBAC apparmor uses a combination of twoPAM security modules. The pam_cap.so module is used to raise a users privileges while the pam_apparmor.so module is used to further restrict the users processes from what would be possible with the granted capabilities.
This document only covers the suggested method of achieving RBAC in the current version of AppArmor (2.5), documentation on earlier versions is linked below.
Setting up pam_cap.so
This is just a quick overview of how to set up the pam_cap.so module, for a more in depth explanation see following links
- from a terminal type - sudo apt-get install libcap2 libcap2-bin
- synaptics - search for libcap2 and select libcap2, libcap2-bin for installation and click apply
configuring PAM to use pam_cap.so
Editing the pam_cap.so configuration file
Setting up pam_apparmor.so
Use pam_apparmor to assign profiles and or profile namespaces to a user or process.
- from a terminal type - sudo apt-get install libpam-apparmor
configuring PAM to use pam_apparmor.so
Editing the pam_apparmor.so configuration file
RBAC Policy choices
AppArmor provides three alternative ways that RBAC policy can be authored.
Instead of breaking up permission per application (standard AppArmor model), all permissions are encapsulated by a single profile that confines all applications run by the user. This results
ix transitions Any application that needs
Profile Stacking (AppArmor 2.6)
AppArmor 2.6 opens up another possible method of applying RBAC policy, by allowing for composition of profiles through profile stacking. This allow for the application of the regular profile set and a user confining profile without having to create a custom profile tree or custom profile namespace.
To do this a user profile is created that encompasses all the permissions the user should have, and then a new profile layer is created that is pointed at the other policy that should be applied (eg. the standard set of profiles). Now any tasks run by the confined user will have a combined policy applied.
user profile considerations
- leaving / collapsing the stack??
Outer single user profile + layer of regular profiles or new namespace
AppArmor has evolved over time, and with each new version features have been added that affect how RBAC style confinement can be achieved in AppArmor. In general each version of AppArmor builds on the previous version so that the techniques used in previous version can still be used. However each newer version either adds features that refine, and improve on previous techniques, or introduces new techniques making RBAC style policy easier and more flexible.
- 1.x - AppArmor versions prior to 2.0 exist only in the linux distro Immunix and are not covered here.
- RBAC in AppArmor 2.0 - Basic techniques with some notes on improvements
- RBAC in AppArmor 2.1 - openSUSE 10.3, Ubuntu 7.10 (Gutsy Gibbon), 2.1+ - Ubuntu 8.04 (Hardy Heron)
- RBAC in AppArmor 2.3-2.4 - openSUSE 11.0, openSUSE 11.1, Ubuntu 8.10 (Intrepid Ibex), Ubuntu 9.04, Ubuntu 9.10 (Karmic)
- RBAC in AppArmor 2.5 - development versions
- Multilevel style security can be achieved by extending in AppArmor ??? by extending the RBAC techniques.