AppArmorRBAC

From AppArmor
Revision as of 17:34, 11 February 2010 by Jj (Talk | contribs) (Composing ?? (Not in 2.5))

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

WARNING this page is being heavily edited

Using AppArmor to confine users and do RBAC

To achieve RBAC apparmor uses a combination of twoPAM security modules. The pam_cap.so module is used to raise a users privileges while the pam_apparmor.so module is used to further restrict the users processes from what would be possible with the granted capabilities.

This document only covers the suggested method of achieving RBAC in the current version of AppArmor (2.5), documentation on earlier versions is linked below.

Requirements

  • pam_cap.so
  • pam_apparmor.so


Setting up pam_cap.so

This is just a quick overview of how to set up the pam_cap.so module, for a more in depth explanation see following links

installing pam_cap.so

  • Ubuntu
    • from a terminal type - sudo apt-get install libcap2 libcap2-bin
    • synaptics - search for libcap2 and select libcap2, libcap2-bin for installation and click apply

configuring PAM to use pam_cap.so

Editing the pam_cap.so configuration file

/etc/security/capability.conf


Setting up pam_apparmor.so

Use pam_apparmor to assign profiles and or profile namespaces to a user or process.

installing pam_apparmor.so

  • Ubuntu
    • from a terminal type - sudo apt-get install libpam-apparmor

configuring PAM to use pam_apparmor.so

Editing the pam_apparmor.so configuration file

Specifying profiles

Specifying namespaces

RBAC Policy choices

AppArmor provides three alternative ways that RBAC policy can be authored.

Single profile

Instead of breaking up permission per application (standard AppArmor model), all permissions are encapsulated by a single profile that confines all applications run by the user. This results

ix transitions Any application that needs

Profile tree

Profile Namespace

Profile Stacking (AppArmor 2.6)

AppArmor 2.6 opens up another possible method of applying RBAC policy, by allowing for composition of profiles through profile stacking. This allow for the application of the regular profile set and a user confining profile without having to create a custom profile tree or custom profile namespace.

To do this a user profile is created that encompasses all the permissions the user should have, and then a new profile layer is created that is pointed at the other policy that should be applied (eg. the standard set of profiles). Now any tasks run by the confined user will have a combined policy applied.


user profile considerations

- leaving / collapsing the stack??


Outer single user profile + layer of regular profiles or new namespace

Links

AppArmor has evolved over time, and with each new version features have been added that affect how RBAC style confinement can be achieved in AppArmor. In general each version of AppArmor builds on the previous version so that the techniques used in previous version can still be used. However each newer version either adds features that refine, and improve on previous techniques, or introduces new techniques making RBAC style policy easier and more flexible.