LinuxConf Europe 2007
Conference and Tutorials
Sunday 2nd - Wednesday 5th September
University Arms Hotel, Cambridge, England


Seth Arnold - SuSE Labs / Novell

Sharing AppArmor security profiles

The AppArmor mandatory access control mechanism was designed with ease of creating profiles as a top priority. Users can confine their programs to specified interactions with files and POSIX draft capabilities. AppArmor's profile authoring tools can learn from watching an application's behaviour and prompt the user with policy decisions to match the user's exact requirements.

Particularly notable is that the AppArmor tools are very good at incrementally extending existing profiles. This allows a user to start with a profile authored by someone else and then be concerned only with new actions not covered by the borrowed profile. This further reduces the work of creating a profile by letting users build on previous work and extend it as necessary.
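The following is an added illustration, not code from the talk or from the AppArmor tools: a simplified model of incremental extension that checks observed file accesses against a borrowed profile's file rules and reports only the accesses still needing a policy decision. The rules and accesses are constructed samples, and only the `*`, `**` and `?` globs and plain permission letters are modelled.

```python
import re

# Constructed sample: file rules from a borrowed profile (path glob, permissions).
BORROWED_RULES = [
    ("/etc/ld.so.cache", "r"),
    ("/usr/lib/**", "mr"),
    ("/var/log/app/*.log", "w"),
    ("/home/*/.apprc", "r"),
]

# Constructed sample: accesses observed while the application was being profiled.
OBSERVED = [
    ("/usr/lib/x86_64/libc.so.6", "mr"),
    ("/var/log/app/today.log", "w"),
    ("/var/log/app/archive/old.log", "w"),   # '*' does not cross '/'
    ("/home/alice/.apprc", "rw"),            # 'w' is not granted
    ("/etc/app.conf", "r"),                  # no rule at all
]

def glob_to_regex(glob):
    """Translate the subset of AppArmor globbing modelled here: '**', '*', '?'."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2          # any characters, including '/'
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1       # any characters except '/'
        elif glob[i] == "?":
            out.append("[^/]"); i += 1        # one character except '/'
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def uncovered(rules, observed):
    """Return (path, missing_perms) for accesses the borrowed rules do not allow."""
    compiled = [(glob_to_regex(g), set(p)) for g, p in rules]
    gaps = []
    for path, perms in observed:
        granted = set()
        for rx, p in compiled:
            if rx.match(path):
                granted |= p                  # matching rules accumulate permissions
        missing = set(perms) - granted
        if missing:
            gaps.append((path, "".join(sorted(missing))))
    return gaps

if __name__ == "__main__":
    for path, perms in uncovered(BORROWED_RULES, OBSERVED):
        print(f"needs a decision: {path} {perms},")
```

Of the five observed accesses, only three remain for the user to decide on; the other two are already covered by the borrowed rules.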

This talk presents a shared repository of profiles that leverages AppArmor's ability to quickly extend profiles; when users wish to confine an application, the profile building tool will first offer to download an existing profile from the community repository. Users will extend the profile to their needs as necessary. After the user is finished, the tool offers to upload the profile back to the community repository. The repository maintainer, in turn, can both leave the uploaded version as a fork of the community profile, and choose to incorporate the changes into the community reference profile for that application.

This allows groups of users to collaborate in creating security policy. Specific groups intent on collaboration can use a private copy of the portal to build their own specialized versions of application profiles. The general community can use the community portal to collectively iterate the reference profile towards a universal use case that covers the needs of everyone who has contributed to the profile.

We will make the server available at the same time as the tools, slated for first release with openSUSE 10.3, to help businesses and end users alike easily deploy mandatory access control systems.

Submitted paper

Paper (HTML)


© Copyright 2007 UKUUG Ltd