Task Confinement

From AppArmor
Jump to: navigation, search

Task confinement

At the most basic level a task is either in an unconfined state or confined by a profile, where the profile contains the set of permissions the task is permitted.

In fact this basic level of confinement was all that was possible in versions of AppArmor up until ??

Profiles are attached from a set of profiles known as a namespace

The can be multiple namespaces

Multiple profiles

profile stacks

server to containerize AppArmor policy

insert, replace move at position in stack

profiles applied in order, first reject stops search. Permission considered independently for each profile

profile composition - firefox runs evince, evince confined by firefox and evince profile


 px ->
 px -+
 p+ ->

User define profiles

doesn't have full access to everything system profiles do.

always last profile in the stack