AppArmor development and integration

Registered by Marc Deslauriers

Discuss where to focus AppArmor development and integration efforts, part 1 of 2.

Blueprint information

Jamie Strandboge
John Johansen
John Johansen
Series goal:
Milestone target:
Started by
Jamie Strandboge

Related branches



Work items:
[jjohansen] stacking update kernel to allow for a stack of profiles (medium) (5): POSTPONED
[jjohansen] stacking controls limiting policy namespace, #of profiles, amount of memory (medium) (2): POSTPONED
[jjohansen] stacking update kernel interfaces to report compound profile names (medium) (2): POSTPONED
[sbeattie] stacking regression tests for stacking (high) (1): POSTPONED
[sbeattie] stacking regression tests for full stacking (medium) (2): POSTPONED
[sbeattie] stacking regression tests for capabilities (medium) (1): POSTPONED
[sbeattie] stacking regression tests for rlimits (medium) (3): POSTPONED
[sbeattie] stacking regression tests for network (medium) (2): POSTPONED
[sbeattie] stacking regression tests for ipc (medium) (2): POSTPONED
[jjohansen] stacking update aa-status to work with compound profile names (medium) (1): POSTPONED
[jjohansen] stacking update genprof/logprof to handle compound profile names (low) (3): POSTPONED
[jdtrand] stacking update wiki documentation to include stacking information (low) (2): POSTPONED
[jdstrand] stacking update man pages where necessary for stacking (medium) (1): POSTPONED
[jjohansen] update documentation on handling disconnected paths in chroots and namespaces (low) (1): POSTPONED
[sbeattie] create ppa for testing of stacking (high) (0.5): POSTPONED
[jjohansen] ipc rules add to parser (medium) (1): TODO
[sbeattie] ipc rules add to parser tests (low) (1): TODO
[jjohansen] ipc rules add to kernel (medium) (5): TODO
[sbeattie] ipc rules regression tests (low) (2): TODO
[jdstrand] ipc - update documentation/man pages low (1): TODO
[jjohansen] update how labeling of unix domain sockets is done (high) (2): TODO
[jjohansen] cgroup based resource control - extend parser (high) (0.5): TODO
[sbeattie] cgroup based resource control - parser tests (medium) (0.5): TODO
[jjohansen] cgroup based resource control - extend kernel (high) (1): TODO
[jjohansen] cgroup based resource control - experiment on interaction with stacking and containers (high) (2): TODO
[jdstrand] cgroup based resource control - documentation (medium) (1): TODO
[sbeattie] cgroup based resource control - regression tests (medium) (1): TODO
[jjohansen] per kernel/features set cache files (low) (3): TODO
[jjohansen] match code in userspace to enable unit testing/better regression testing (medium) (1): TODO
[jjohansen] LSM module unload patch (low) (5): TODO
[jjohansen] fix missed transitions in handleChildren() (low) (1): TODO
[jjohansen] extend network mediation beyond socket level, stage 1 (kernel) (low) (5): TODO
[jjohansen] base extended capability support as part of v3 format change (low) (5): TODO
[jjohansen] dfa improvements, kernel vars (low) (30): TODO
[jjohansen] profile rcu patch (low) (1): TODO

• LSM module unload patch, needed for debian to turn on in kernel

• aa_stackcon api / stacking
  ∘ flag to indicate where ns changes take affect
  ∘ fake stacking
    ‣ child ns policy is enforced, parent is unconfined
    ‣ parent policy enforced child fail policy load
  ∘ full stacking
    ‣ carry more than one profile in context
    ‣ pass context deeper into apparmor fns
    ‣ compose permission request results
    ‣ split audit messages to namespace audit
• cmdline tool to setup a stack
• tracking of disconnected ns information for parent
  ∘ for fs oldname from pivot root?
  ∘ or kernel path + policydb entry for parent profile
• new policy interface on kernel
  ∘ do we want namespaces to remove themselves when last ref removed? optional flag?
  ∘ mmap of policydb
• mount rules
• extend change profile rules to cover stacking or new stack control rule
• make sure audit output is properly tagged for apparmor ns
• api steps to setup child namespace for container
  ∘ create profile namespace / loadpolicy (optional)
  ∘ aa_stackcon()
  ∘ create new namespace
  ∘ bind mount namespace policy to root of apparmorfs

DBus (
• Prototype patch
  ∘ Need to settle on the syntax and semantics
    ‣ do we want to be able to match against data stream?
    ‣ do we want syntax to be free of current ordering constraints
  ∘ cleanups
  ∘ apparmor control flag in dbus config file
    ‣ fail if apparmor isn't present
    ‣ complain if apparmor isn't present
    ‣ use apparmor if present
    ‣ don't use apparmor even if present
    ‣ what should the default be if apparmor is present and there is no flag in dbus config file
  ∘ aa_getpeercon
    ‣ change/update how unix domain socket labeling is done
• in kernel inode so we can grab after one end file object is closed
• full accumulation of current perms vs. full policydb query
  ∘ profile label conditional
  ∘ cache responses for performance
    ‣ needs policy update signal
  ∘ interface to kernel
    ‣ mmap policydb?
      • do policy queries in userspace
      • needs policy update signal
    ‣ updated kernel interface
• LSM style patch
  ∘ early dev, get first rev done and post upstream

Standard API
• complain, enforce, enable, disable profile
• aa_stackcon, aa_stackprofile, aa_stackuser
• to get a files labeling
• load policy to kernel
• load and manipulate profiles
• compile and build hfas

• aa_genprofi/logprof
  ∘ update
• aa-profiles (tool for integrating with application developer SDK to generate profiles)
  ∘ better name?
  ∘ use autodep
  ∘ what should it really be (part of app isolation discussion as well)
• aa-profile-dump (like apparmor_parser -p, but normalized. already in audit_check from QRT)
• sandboxing
  ∘ aa-sandbox (during the session)
• monitoring - nagios/munin/ganglia integration

- Continuous integration and testing requirements

Env Filtering
• use @bprm_check_security lsm hook to block exec
• can pattern match against argv, and envp
  ∘ probably shouldn't change the match choice based on env filter check
    ‣ it is possible and then could fall back to wider match
  ∘ probably shouldn't filter env/args at kernel level as we aren't doing full semantic parse just pattern matching, would be difficult to get upstream
  ∘ if policy doesn't contain env matching then skipped (backwards comp)
  ∘ Possible syntax
    ‣ env={FOO=*,BAR=*} arg={-O,fred="blah"} /foo/bar px,
    ‣ env=^(FOO=.*|BAR=.*)$ /foo/bar px,

• location of cache file
  ∘ move /etc/apparmor.d/cache to /var/cache/apparmor?
  ∘ what of situations where /var isn't available? - have a symlink to switch locations?
  ∘ What of situations where /etc/ is read-only? - have a flag to tell compiler not to complain about not being able to update cache
• how can we improve environment filtering?
  ∘ is it worth it?
  ∘ can we specify certain env variables to clear out or set?
  ∘ Since the kernel knows the env for each process, can we take adv of this? Eg have a flag to mark that the env is immutable? Eg, make environ const. How about just certain vars?
• upstartification of initscripts

Permission Rework/PolicyDB transition
• eHFA
  ∘ format/layout
    ‣ remapping on load for matching
      • base perms remap
      • owner conditional
      • table layout to cacheline for performance (later)
    ‣ flags
      • handle flags in dfa
  ∘ state relative compression
    ‣ kernel implementation
    ‣ user space compression
      • find best state
  ∘ reduced memory usage
    ‣ shared sets (computed in expr)
  ∘ shared eHFAs
    ‣ hats
    ‣ profiles
    ‣ attachment
    ‣ global
  ∘ compression algo rework
  ∘ expr
    ‣ native aare parse
    ‣ inline expr expansion, reduce need for factoring
    ‣ tree optimization rewrite
      • character class combining
      • flattened tree sort/merge factor
  ∘ kernel vars
    ‣ match implementation
    ‣ extended dfa computation to support
    ‣ Var types
      • implicit vars
      • profile local vars
      • global vars
      • sub hfa
      • binary var
  ‣ kernel regression tests
  ‣ userspace speed test
  ‣ userspace cross validation test
∘ Border state computation
  ‣ optimization to border state constraints

Regression Test suite expansion
• new tests under new framework?
• split out profile generation to be shared

• alias bug - handle in eHFA instead of front end
• logprof not updating for denials

Extended Perms
• permission mapping
• conditional owner
• Extended permission mediation
• Extended Capabilities
  ∘ mount
• Network
  ∘ user interface
• Delegation
  ∘ userspace
  ∘ kernel enforcement
• rlimits
  ∘ which rlimits do we need to extend and enable?
• resources
  ∘ cgroups
• mode2 seccomp
  ∘ load
  ∘ map
  ∘ enforce
  ∘ userspace
• Introspection interface
  ∘ Basic level to just report the profile (and children)
    ‣ how can we virtualize it
  ∘ Report more information later
• Static labeling

Misc cleanups
  ∘ .39 compat patches
  ∘ complain mode for cap_read
  ∘ string read for .39
  ∘ rcu profiles patch
  ∘ null profile auto removal
  ∘ atomic unload of profiles
  ∘ audit/quiet/kill/nokill mask cleanup
    ‣ global masks
    ‣ per profile masks
  ∘ Revalidate on exec
  ∘ conditional profile attachment
  ∘ conditional change_hat attachment
  ∘ revalidation vs. revocation at profile load

Xace plugin
• not now
[jjohansen] dfa improvements, reordering of the structure: POSTPONED
[jjohansen] dfa improvements, reordering of the structure: POSTPONED


Work Items

This blueprint contains Public information 
Everyone can see this information.