mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-30 22:05:27 +00:00
AppArmorRBAC: add initial markdown conversion
Steve Beattie
128
AppArmorRBAC.md
Normal file
128
AppArmorRBAC.md
Normal file
@@ -0,0 +1,128 @@
|
||||
**WARNING** this page is being heavily edited
|
||||
|
||||
Using AppArmor to confine users and do RBAC
|
||||
===========================================
|
||||
|
||||
To achieve RBAC apparmor uses a combination of
|
||||
two[PAM](http://en.wikipedia.org/wiki/Pluggable_Authentication_Modules)
|
||||
security modules. The pam\_cap.so module is used to raise a users
|
||||
privileges while the pam\_apparmor.so module is used to further
|
||||
restrict the users processes from what would be possible with the
|
||||
granted capabilities.
|
||||
|
||||
This document only covers the suggested method of achieving RBAC
|
||||
in the current version of AppArmor (2.5), documentation on earlier
|
||||
versions is linked below.
|
||||
|
||||
Requirements
|
||||
============
|
||||
|
||||
- pam\_cap.so
|
||||
- pam\_apparmor.so
|
||||
|
||||
Setting up pam\_cap.so
|
||||
======================
|
||||
|
||||
This is just a quick overview of how to set up the pam\_cap.so module,
|
||||
for a more in depth explanation see following links
|
||||
|
||||
- [posix file caps](http://www.friedhoff.org/posixfilecaps.html)
|
||||
- [linuxjournal](http://www.linuxjournal.com/article/10249)
|
||||
|
||||
installing pam\_cap.so
|
||||
----------------------
|
||||
|
||||
- Ubuntu
|
||||
- from a terminal type - `sudo apt-get install libcap2 libcap2-bin`
|
||||
- synaptics - search for libcap2 and select libcap2, libcap2-bin for installation and click apply
|
||||
|
||||
configuring PAM to use pam\_cap.so
|
||||
----------------------------------
|
||||
|
||||
Editing the pam\_cap.so configuration file
|
||||
------------------------------------------
|
||||
|
||||
/etc/security/capability.conf
|
||||
|
||||
Setting up pam\_apparmor.so
|
||||
===========================
|
||||
|
||||
Use pam\_apparmor to assign profiles and or profile namespaces to a
|
||||
user or process.
|
||||
|
||||
installing pam\_apparmor.so
|
||||
---------------------------
|
||||
|
||||
- Ubuntu
|
||||
- from a terminal type - `sudo apt-get install libpam-apparmor`
|
||||
|
||||
configuring PAM to use pam\_apparmor.so
|
||||
---------------------------------------
|
||||
|
||||
Editing the pam\_apparmor.so configuration file
|
||||
-----------------------------------------------
|
||||
|
||||
### Specifying profiles
|
||||
|
||||
### Specifying namespaces
|
||||
|
||||
RBAC Policy choices
|
||||
===================
|
||||
|
||||
AppArmor provides three alternative ways that RBAC policy can be
|
||||
authored.
|
||||
|
||||
Single profile
|
||||
--------------
|
||||
|
||||
Instead of breaking up permission per application (standard AppArmor
|
||||
model), all permissions are encapsulated by a single profile that
|
||||
confines all applications run by the user. This results
|
||||
|
||||
ix transitions Any application that needs
|
||||
|
||||
Profile tree
|
||||
------------
|
||||
|
||||
Profile Namespace
|
||||
-----------------
|
||||
|
||||
Profile Stacking (AppArmor 2.6)
|
||||
-------------------------------
|
||||
|
||||
AppArmor 2.6 opens up another possible method of applying RBAC policy,
|
||||
by allowing for composition of profiles through profile stacking. This
|
||||
allow for the application of the regular profile set and a user
|
||||
confining profile without having to create a custom profile tree or
|
||||
custom profile namespace.
|
||||
|
||||
To do this a user profile is created that encompasses all the
|
||||
permissions the user should have, and then a new profile layer is
|
||||
created that is pointed at the other policy that should be applied
|
||||
(eg. the standard set of profiles). Now any tasks run by the confined
|
||||
user will have a combined policy applied.
|
||||
|
||||
### user profile considerations
|
||||
|
||||
- leaving / collapsing the stack??
|
||||
|
||||
Outer single user profile + layer of regular profiles or new namespace
|
||||
|
||||
Links
|
||||
=====
|
||||
|
||||
AppArmor has evolved over time, and with each new version features have
|
||||
been added that affect how RBAC style confinement can be achieved in
|
||||
AppArmor. In general each version of AppArmor builds on the previous
|
||||
version so that the techniques used in previous version can still be
|
||||
used. However each newer version either adds features that refine,
|
||||
and improve on previous techniques, or introduces new techniques
|
||||
making RBAC style policy easier and more flexible.
|
||||
|
||||
- 1.x - AppArmor versions prior to 2.0 exist only in the linux distro Immunix and are not covered here.
|
||||
- [ RBAC in AppArmor 2.0](RBAC_2_0) - Basic techniques with some notes on improvements
|
||||
- [ RBAC in AppArmor 2.1](RBAC_2_1) - openSUSE 10.3, Ubuntu 7.10 (Gutsy Gibbon), 2.1+ - Ubuntu 8.04 (Hardy Heron)
|
||||
- [ RBAC in AppArmor 2.3-2.4](RBAC_2_3) - openSUSE 11.0, openSUSE 11.1, Ubuntu 8.10 (Intrepid Ibex), Ubuntu 9.04, Ubuntu 9.10 (Karmic)
|
||||
- [ RBAC in AppArmor 2.5](RBAC_2_5) - development versions
|
||||
- [ Multilevel style security](AppArmorMLS) can be achieved by extending in AppArmor ??? by extending the RBAC techniques.
|
||||
|
||||
Reference in New Issue
Block a user