WARNING: Draft - Work in progress
- Xapparmor XACE plug-in
- 3.0 AppArmor kernel query interface
- 4.0 AppArmor kernel for userspace caching of permission checks
- 2.?? AppArmor user space
WARNING: The AppArmor Xace plugg-in is a work in progress and changes may be made to policy and capabilities before development is done.
AppArmor provides a security extensions for the X server via the Xace framework. ...
- An AppArmor userspace that supports the Xapparmor language extension
- out of tree patches git://git.launchpad.net/~jjohansen/apparmor
- Policy updated with Xapparmor rules
- AppArmor Kernel module that supports the AppArmor policydb, aa_getpeercon, and the apparmor query interface
- 16.04 Xenial
- Suse - poinnter to OBS
- Out of tree patches: git://kernel.ubuntu.com/jj/apparmor-backports
- XServer that has been patched with the xapparmor security extension
- Ubuntu ppa
- Suse obs
- patches git://git.launchpad.net/~jjohansen/xorg-server
Configuring XAppArmor in the xorg.conf file
If the X-server AppArmor enforcement needs to be run in a specific mode, then the option may be added to the
xorg.conf file (normally in <tt/etc/X11/xorg.conf.d</tt>). The option entries are as follows:
- "AppArmor mode disabled"
- "AppArmor mode selective"
- "AppArmor mode enforcing"
Note that the entry must be exact otherwise it will be ignored. An example entry is:
Section "Module" SubSection "extmod" Option "AppArmor mode enforcing" EndSubSection EndSection
The current default mode is enforcing.
Security snappy applications on the ubuntu desktop
Thanks and Acknowledgements
This work would not have been possible without the hard work put in by the people who developed the Xace framework for the X Server and in particular the XSelunix security extension which was used as a starting point for the development of the AppArmor Xace plugg-in.