undefined | Better HN

0 pointsvlovich1231y ago0 comments

Having read the article I could not find any example of what is impossible in AppArmor, just a statement repeated in various ways that SELinux is easier to provide a secure-by-default environment with the closest thing to justification being that SELinux models things with types whereas app armor deals with restrictions on specific applications. I’m sure this all makes sense to someone already well-versed in the space, but I’m left with the same question as OP.

0 comments

ruthmarx1y ago

> I could not find any example of what is impossible in AppArmor,

AppArmor is simply less granular. For example, it doesn't provide true RBAC or MLS security models. It also uses paths instead of inodes, so a hard link can be used to override some policies.

So it just depends on what the exploit or attack is trying to do. If an attacker gets root and is trying to overwrite a file, they may be able to. Maybe they can't, but they could probably still execute any code they can write and compile themselves. And perhaps they can write to other files and do damage.

SELinux and similar systems allow a lot more granularity. Programs and users can only talk to explicit what they are allowed to talk to, and maybe you want to limit the access to say, append instead of full write access.

It just allows a lot more granularity and restriction, that's the difference.

NewJazz1y ago

> It also uses paths instead of inodes, so a hard link can be used to override some policies

The link rules can get pretty granular and seem explicitly designed to prevent that scenario.

https://man.archlinux.org/man/extra/apparmor/apparmor.d.5.en...

> they could probably still execute any code they can write and compile themselves

Assuming the AppArmor profile allows writing to and executing the same files. Which isn't particularly common.

> maybe you want to limit the access to say, append instead of full write access

This is possible with AppArmor.

ruthmarx1y ago

> The link rules can get pretty granular and seem explicitly designed to prevent that scenario.

It's still an inherent weakness. No getting around that really.

> Assuming the AppArmor profile allows writing to and executing the same files. Which isn't particularly common.

I don't really want to try and come up with examples just so you can show there might be some hacky way of accomplishing something similar to what SELinux can offer - it would be missing my point.

Point is there's a lot more you can do under AppArmor than SELinux. AppArmor isn't as granular and you can't lock down a system to the same extent, period. Is it good enough, sure. Is it better than nothing? Absolutely. Is it comparable to an optimized SELinux config? Not remotely.

> This is possible with AppArmor.

See above.

1 more reply

j / k navigate · click thread line to collapse

0 comments

ruthmarx1y ago

> I could not find any example of what is impossible in AppArmor,

AppArmor is simply less granular. For example, it doesn't provide true RBAC or MLS security models. It also uses paths instead of inodes, so a hard link can be used to override some policies.

It just allows a lot more granularity and restriction, that's the difference.

NewJazz1y ago

> It also uses paths instead of inodes, so a hard link can be used to override some policies

The link rules can get pretty granular and seem explicitly designed to prevent that scenario.

https://man.archlinux.org/man/extra/apparmor/apparmor.d.5.en...

> they could probably still execute any code they can write and compile themselves

Assuming the AppArmor profile allows writing to and executing the same files. Which isn't particularly common.

> maybe you want to limit the access to say, append instead of full write access

This is possible with AppArmor.

ruthmarx1y ago

> The link rules can get pretty granular and seem explicitly designed to prevent that scenario.

It's still an inherent weakness. No getting around that really.

> Assuming the AppArmor profile allows writing to and executing the same files. Which isn't particularly common.

I don't really want to try and come up with examples just so you can show there might be some hacky way of accomplishing something similar to what SELinux can offer - it would be missing my point.

> This is possible with AppArmor.

See above.

1 more reply

j / k navigate · click thread line to collapse