Slide 1

Slide 1 text

AppArmor 3 and Beyond
Riding the Tumbleweed

John Johansen, AppArmor Maintainer
[email protected]

Slide 2

Slide 2 text

First, let's review

Slide 3

Slide 3 text

RBAC & User Confinement

Slide 4

Slide 4 text

pam_apparmor
● Mappings done through policy
  – Uses "hats" to do the mapping
  – Requires the task calling into pam to be confined
● Roles use policy inheritance
  – task and all its children confined by the same profile

Slide 5

Slide 5 text

Policy Namespaces

Slide 6

Slide 6 text

Policy Namespaces

Namespace 1:
  /usr/sbin/libvirtd (enforce)
  /usr/sbin/mdnsd (complain)
  /usr/sbin/ippusbxd (enforce)
  /usr/sbin/dovecot (complain)
  /usr/lib/snapd/snap-confine (enforce)
  /usr/lib/telepathy/telepathy-ofono (enforce)
  /usr/lib/telepathy/telepathy-* (enforce)
  /usr/lib/telepathy/mission-control-5 (enforce)
  /usr/sbin/identd (complain)
  /usr/sbin/cupsd (enforce)

Namespace 2:
  /usr/sbin/libvirtd (enforce)
  /usr/sbin/mdnsd (complain)
  /usr/sbin/identd (complain)
  /usr/sbin/cupsd (enforce)
  firefox (enforce)
  firefox//sanitized_helper (enforce)
  firefox//lsb_release (enforce)
  firefox//browser_openjdk (enforce)
  firefox//browser_java (enforce)

Slide 7

Slide 7 text

Policy Namespaces
  :ns:profile
  :ns://profile

Slide 8

Slide 8 text

Policy Namespaces - Hierarchical
[diagram: namespace tree rooted at System, with profiles nscd and dnsmasq and nested namespaces :ns1:, :ns2:, :ns3:, :ns4:, :ns5:]

Slide 9

Slide 9 text

View
[diagram: the same namespace tree (System, nscd, dnsmasq, :ns1: to :ns5:), showing what is visible from the system namespace]

Slide 10

Slide 10 text

Child NS View
[diagram: the same namespace tree, showing what is visible from a child namespace]

Slide 11

Slide 11 text

Grand Child NS View
[diagram: the same namespace tree, showing what is visible from a grandchild namespace]

Slide 12

Slide 12 text

Policy Stacking

Slide 13

Slide 13 text

Stacking
  firefox//&evince

Slide 14

Slide 14 text

System View
[diagram: the namespace tree (System, nscd, dnsmasq, :ns1: to :ns5:) with a Task whose label stacks profiles, as seen from the system namespace]

Slide 15

Slide 15 text

Reduced View
[diagram: the same tree and Task, as seen from a child namespace]

Slide 16

Slide 16 text

Further Reduced View
[diagram: the same tree and Task, as seen from a grandchild namespace]
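The label notation of slide 7, the hierarchical views of slides 8 to 11 and the stacking semantics of slides 13 to 16 can be modelled in a few lines. The following is an added example written for this page, not AppArmor or kernel code. It assumes that ":ns:profile" and ":ns://profile" name the same profile, that a task sees only its own namespace and the namespaces below it, that a label component the viewer cannot see renders as "unconfined", that a stacked label permits an access only when every component does, and that enforcement uses the full label even when the viewer's rendering of it is reduced. The namespace tree and the permission tables are constructed for the example.

```python
"""Toy model of AppArmor labels, policy namespaces and stacking (added
illustration, not AppArmor code; see the assumptions in the lead-in)."""
import re

# Constructed namespace tree, loosely following the slides' diagram:
# None stands for the system namespace; each value is the key's parent.
NS_PARENT = {"ns1": None, "ns3": None, "ns2": "ns1", "ns4": "ns1", "ns5": "ns3"}

# Constructed permissions: (namespace, profile) -> set of (path glob, access).
POLICY = {
    (None, "firefox"): {("/home/**", "r"), ("/tmp/**", "rw"), ("/usr/lib/**", "r")},
    (None, "evince"): {("/home/**", "r"), ("/usr/lib/**", "r")},
    ("ns2", "nscd"): {("/var/run/nscd/**", "rw")},
}


def parse_label(text):
    """':ns:profile' or ':ns://profile' -> (ns, profile); bare name -> (None, name)."""
    if not text.startswith(":"):
        return None, text
    ns, _, rest = text[1:].partition(":")
    if rest.startswith("//"):
        rest = rest[2:]
    return ns, rest


def parse_stack(text):
    """'firefox//&evince' -> [(None, 'firefox'), (None, 'evince')]."""
    return [parse_label(part) for part in text.split("//&")]


def visible(viewer_ns, target_ns):
    """True if target_ns is viewer_ns itself or lies below it in the tree."""
    cur = target_ns
    while True:
        if cur == viewer_ns:
            return True
        if cur is None:
            return False
        cur = NS_PARENT[cur]


def render(stack, viewer_ns):
    """Render a stacked label the way a task in viewer_ns would see it:
    invisible components become 'unconfined' (assumption), components in the
    viewer's own namespace lose their prefix, others keep ':ns:'."""
    parts = []
    for ns, name in stack:
        if not visible(viewer_ns, ns):
            parts.append("unconfined")
        elif ns == viewer_ns:
            parts.append(name)
        else:
            parts.append(":%s:%s" % (ns, name))
    return "//&".join(parts)


def _glob_to_re(pat):
    """AppArmor-style globbing: '*' stops at '/', '**' crosses it."""
    out, i = "", 0
    while i < len(pat):
        if pat.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pat[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pat[i]), i + 1
    return re.compile("^" + out + "$")


def profile_allows(component, path, access):
    """One component's verdict; an unknown profile is denied rather than guessed."""
    if component == (None, "unconfined"):
        return True
    rules = POLICY.get(component)
    if rules is None:
        return False
    return any(_glob_to_re(p).match(path) and set(access) <= set(a) for p, a in rules)


def stack_allows(stack, path, access):
    """Stacking is an intersection: every component must permit the access.
    The verdict is the same whichever namespace the label is viewed from."""
    return all(profile_allows(c, path, access) for c in stack)
```

The point the reduced-view slides make shows up in the last two functions: render() for a task in :ns2: prints the firefox component as "unconfined", but stack_allows() still consults firefox's rules, so a narrower view never means looser confinement.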

Slide 17

Slide 17 text

AppArmor 3

Slide 18

Slide 18 text

Policy Versioning

  include
  include

  # We want to confine the binaries that match:
  #  /usr/lib/firefox/firefox
  #  /usr/lib/firefox/firefox
  # but not:
  #  /usr/lib/firefox/firefox.sh
  profile firefox /usr/lib/firefox/firefox{,*[^s][^h]} {
    include
    include
    include
    include
    ...

Slide 19

Slide 19 text

Policy Versioning - Include

  $ cat /etc/apparmor.d/version/3.0
  feature-abi=
  @{version}=3.0
  $

Slide 20

Slide 20 text

Multiple versions
● Each profile file has a version
  – Versions do not have to be the same
● Policy in application packaging
  – Updated out of sync from distro policy
  – Selectively use features not in distro policy*

Slide 21

Slide 21 text

Versioned policy on older releases?
● Versioning will not be back ported
● Except
  – Backported to 2.13, 2.12, 2.11
  – Considering 2.10 & 2.9

  include if exists
  include

  profile firefox /usr/lib/firefox/firefox{,*[^s][^h]} {
    if defined @{version} {
      include

Slide 22

Slide 22 text

Policy without Versioning
● Will mostly continue to work
  – subset of current kernel abi and upstream 4.14
● Compatibility "patches"
  – Without, "unsupported" rules will be downgraded

Slide 23

Slide 23 text

Pre-built policy & RO images

Slide 24

Slide 24 text

Pre 3.0 - Single binary policy cache

  /etc/apparmor.d/cache
    bin.ping
    sbin.klogd
    sbin.syslogd
    sbin.syslog-ng
    skype
    usr.bin.evince
    usr.bin.firefox
    usr.bin.pidgin
    usr.sbin.cupsd
    usr.sbin.dnsmasq
    usr.sbin.dovecot
    ...

Slide 25

Slide 25 text

Per kernel binary policy

  $(location)/cache/7f01cf2e.1
  $(location)/7f01cf2e.0
  $(location)/cache/a035ea11.0

[diagram: each of the three cache directories above holds its own full set of compiled profiles: bin.ping, sbin.klogd, sbin.syslogd, sbin.syslog-ng, skype, usr.bin.evince, usr.bin.firefox, usr.bin.pidgin, usr.sbin.cupsd, usr.sbin.dnsmasq, usr.sbin.dovecot, ...]

Slide 26

Slide 26 text

Binary policy overlays

  $(loc1)/7f01cf2e.0    $(loc2)/7f01cf2e.0
  $(loc1)/a035ea11.0    $(loc2)/a035ea11.0

[diagram: for each cache key, $(loc1) holds the full set of compiled profiles (bin.ping, sbin.klogd, sbin.syslogd, sbin.syslog-ng, skype, usr.bin.evince, usr.bin.firefox, usr.bin.pidgin, usr.sbin.cupsd, usr.sbin.dnsmasq, usr.sbin.dovecot, ...) and $(loc2) holds an overlay subset (skype, usr.bin.evince, usr.bin.firefox, usr.sbin.cupsd, ...)]

Slide 27

Slide 27 text

Policy Overlays

  /var/lib/apparmor.d/
  /etc/apparmor.d/

[diagram: two policy locations; one holds the full profile set (bin.ping, sbin.klogd, sbin.syslogd, sbin.syslog-ng, skype, usr.bin.evince, usr.bin.firefox, usr.bin.pidgin, usr.sbin.cupsd, usr.sbin.dnsmasq, usr.sbin.dovecot, ...), the other an overlay subset (skype, usr.bin.evince, usr.bin.firefox, usr.sbin.cupsd, ...)]
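Slides 25 to 27 describe two mechanisms: a binary policy cache keyed per kernel (the 7f01cf2e / a035ea11 directory names) and profile sources spread over more than one location. The following added example, written for this page and not taken from apparmor_parser, models both. Two things are assumptions: the cache directory name is computed here as a truncated SHA-256 of the kernel's feature-abi text (the slides do not say how the real names are derived), and a profile found in /var/lib/apparmor.d/ is taken to override one of the same name in /etc/apparmor.d/ (the slides show the two locations but not their precedence). The directory tree and feature strings are constructed in a temporary directory.

```python
"""Per-kernel binary policy cache and policy overlays, modelled (added
illustration, not apparmor_parser code; see the lead-in for assumptions)."""
import hashlib
import os
import tempfile


def cache_key(features_text):
    """8 hex digits identifying a kernel feature set (assumed derivation).
    Kernels advertising different features get different cache directories,
    so a profile compiled against one kernel's abi is never loaded into another."""
    return hashlib.sha256(features_text.encode()).hexdigest()[:8]


def resolve_overlay(name, locations):
    """Path of the first profile source called `name`, searching the locations
    in precedence order; None if no location ships it."""
    for loc in locations:
        candidate = os.path.join(loc, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def cache_status(source, location, features_text):
    """Where the compiled form of `source` lives under `location` for the kernel
    described by features_text, and whether it is usable: present and not
    older than its source."""
    cached = os.path.join(location, "cache", cache_key(features_text) + ".0",
                          os.path.basename(source))
    fresh = os.path.isfile(cached) and os.path.getmtime(cached) >= os.path.getmtime(source)
    return cached, fresh


def demo():
    """Build a constructed two-location policy tree in a temp dir and exercise
    overlay resolution and per-kernel cache lookup. Returns a dict of booleans."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc", "apparmor.d")
    var = os.path.join(root, "var", "lib", "apparmor.d")
    # Constructed sources: the distro ships both profiles; an application
    # package overlays its own usr.bin.firefox.
    for loc, names in ((etc, ["usr.bin.firefox", "usr.sbin.cupsd"]), (var, ["usr.bin.firefox"])):
        os.makedirs(loc)
        for n in names:
            with open(os.path.join(loc, n), "w") as f:
                f.write("# constructed profile source in %s\n" % loc)
    locations = [var, etc]  # assumed precedence: overlay location first
    feat_a = "feature-abi=constructed-kernel-a\n"
    feat_b = "feature-abi=constructed-kernel-b\n"

    firefox_src = resolve_overlay("usr.bin.firefox", locations)
    cached_a, _ = cache_status(firefox_src, var, feat_a)
    os.makedirs(os.path.dirname(cached_a))  # "compile" firefox for kernel a only
    with open(cached_a, "w") as f:
        f.write("constructed binary policy\n")
    return {
        "firefox_from_overlay": firefox_src == os.path.join(var, "usr.bin.firefox"),
        "cupsd_from_distro": resolve_overlay("usr.sbin.cupsd", locations) == os.path.join(etc, "usr.sbin.cupsd"),
        "missing_is_none": resolve_overlay("usr.bin.nothere", locations) is None,
        "cache_hit_kernel_a": cache_status(firefox_src, var, feat_a)[1],
        "cache_miss_kernel_b": cache_status(firefox_src, var, feat_b)[1],
        "distinct_cache_dirs": cache_key(feat_a) != cache_key(feat_b),
    }
```

Running demo() shows the two properties an image builder cares about: the overlay copy of usr.bin.firefox wins while usr.sbin.cupsd still comes from the distro location, and the cache compiled for kernel a is a miss for kernel b, so a read-only image that ships pre-built policy needs one cache directory per kernel feature set it will boot.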

Slide 28

Slide 28 text

Support for new upstream features

Slide 29

Slide 29 text

Network
● upstream Network socket mediation (4.16)
● fine grain unix socket mediation (4.19)

  unix,
  unix (accept, receive) addr=@foo peer=(label=/bar),
  unix receive peer=(label=@{profile_name}),
  unix bind addr=@example,
  unix (connect, receive, send) type=stream peer=(label=/foo,addr="@bar"),
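To see what each of the unix socket rules on this slide actually admits, the following added example parses them and evaluates requests against them. It is written for this page and is not the AppArmor parser: it models only the grammar visible here (an optional access list, key=value conditions, a peer=(...) group, the @{profile_name} variable) and treats any condition a rule does not state as matching anything. The request field names (access, type, addr, peer_label, peer_addr) and the profile name /usr/bin/app are this model's own.

```python
"""Parser and evaluator for the unix socket rules shown on the slide (added
illustration, not the AppArmor parser; see the lead-in for assumptions)."""

# The four specific rules from the slide; the bare 'unix,' rule is handled too.
SLIDE_RULES = [
    "unix (accept, receive) addr=@foo peer=(label=/bar),",
    "unix receive peer=(label=@{profile_name}),",
    "unix bind addr=@example,",
    'unix (connect, receive, send) type=stream peer=(label=/foo,addr="@bar"),',
]


def _split_top(text, seps):
    """Split on any char in seps at bracket depth 0 and outside double quotes."""
    parts, cur, depth, quoted = [], "", 0, False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth -= 1
        if ch in seps and depth == 0 and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]


def parse_rule(line):
    """'unix [access] [key=value ...] [peer=(key=value ...)],' -> rule dict."""
    words = _split_top(line.strip().rstrip(","), " ")
    if not words or words[0] != "unix":
        raise ValueError("not a unix rule: %r" % line)
    rule = {"access": set(), "cond": {}, "peer": {}}
    rest = words[1:]
    if rest and "=" not in rest[0]:  # access list such as (accept, receive)
        rule["access"] = set(_split_top(rest.pop(0).strip("()"), ", "))
    for word in rest:
        key, _, value = word.partition("=")
        if key == "peer":
            for item in _split_top(value.strip("()"), ", "):
                k, _, v = item.partition("=")
                rule["peer"][k] = v.strip('"')
        else:
            rule["cond"][key] = value.strip('"')
    return rule


def allows(rules, profile_name, request):
    """True if any rule permits the request: the access must be listed (an
    empty access list means every access) and each condition the rule states
    must equal the request's value. @{profile_name} expands to profile_name,
    so 'peer=(label=@{profile_name})' only admits peers under the same profile."""
    for rule in rules:
        if rule["access"] and request["access"] not in rule["access"]:
            continue
        if any(request.get(k) != v for k, v in rule["cond"].items()):
            continue
        peer = {k: (profile_name if v == "@{profile_name}" else v)
                for k, v in rule["peer"].items()}
        if all(request.get("peer_" + k) == v for k, v in peer.items()):
            return True
    return False


RULES = [parse_rule(r) for r in SLIDE_RULES]
```

The evaluator makes the difference between the rules concrete: a stream connect to peer label /foo at address @bar is admitted by the last rule, the same request over a datagram socket is not, and a receive is admitted from a peer under the profile's own label but not from /other.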

Slide 30

Slide 30 text

DBus

  dbus send
       bus=session
       path=/com/example/path
       interface=com.example.Interface
       member=ExampleMethod
       peer=(name=(com.example.ExampleName1|com.example.ExampleName2)),
  dbus bind name=com.example.ExampleName,
  deny dbus bus=system interface=com.example.ExampleInterface,
  dbus eavesdrop bus=system,

Slide 31

Slide 31 text

IMA interaction

  profile firefox /usr/lib/firefox/firefox{,*[^s][^h]} {
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    ...

Slide 32

Slide 32 text

IMA interaction

  profile firefox /usr/lib/firefox/firefox{,*[^s][^h]} xattrs=(security.ima=bar) {
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    ...

Slide 33

Slide 33 text

And beyond

Slide 34

Slide 34 text

Systemd integration
● Use libapparmor directly
● Direct loading of binary policy
● Allows loading policy as early as possible

Slide 35

Slide 35 text

Policy NS – Scope & Views
[diagram: the namespace tree (System, nscd, dnsmasq, :ns1: to :ns5:) with a Task]
● View
● Scope
● Admin

Slide 36

Slide 36 text

[diagram: the same namespace tree with a Task; the nscd profile is labelled nscd, nscd, nscd and :ns5:nscd depending on the vantage point]
User sees:
● View
● Scope
● Admin

Slide 37

Slide 37 text

[diagram: namespace tree: System with nscd, dnsmasq and namespaces :ns1:, :ns2:, :ns4:; a :user_jj: namespace with nscd, dnsmasq and a :role: namespace; a Task; user and admin; a :chrome: namespace with chrome and sandbox]

Slide 38

Slide 38 text

User confinement revisited
● pam_apparmor
  – config file
  – change_profile instead of change_hat
  – doesn't require total system confinement

Slide 39

Slide 39 text

User confinement revisited

  profile firefox /usr/lib/firefox/firefox{,*[^s][^h]} user=(jj,cboltz) {
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    ...

Slide 40

Slide 40 text

Policy Learning – kernel interface
● Boot Param to set buffer size
● Divert complain messages
● Allow applications to register to receive messages
● Read complain messages directly from the kernel

Slide 41

Slide 41 text

Fine grain ipv4/ipv6 networking

  ipv4 bind addr=192.168.1.100#53,
  ipv4 bind addr=#53,
  ipv4 (connect, send, receive) peer=(addr=192.168.1.200)
  ipv4 (connect, send) label:=foo peer=(addr=192.168.5)
  ipv4 (send, receive) label:=foo peer=bar

Slide 42

Slide 42 text

Questions Please

https://gitlab.com/apparmor/apparmor
John Johansen [email protected]
www.canonical.com

Slide 43

Slide 43 text

License

This slide deck is licensed under the Creative Commons Attribution-ShareAlike 4.0 International license. It can be shared and adapted for any purpose (even commercially) as long as Attribution is given and any derivative work is distributed under the same license. Details can be found at https://creativecommons.org/licenses/by-sa/4.0/

General Disclaimer

This document is not to be construed as a promise by any participating organisation to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. openSUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for openSUSE products remains at the sole discretion of openSUSE. Further, openSUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All openSUSE marks referenced in this presentation are trademarks or registered trademarks of SUSE LLC, in the United States and other countries. All third-party trademarks are the property of their respective owners.

Credits

Template: Richard Brown [email protected]
Design & Inspiration: openSUSE Design Team http://opensuse.github.io/branding-guidelines/