[PATCH 00/59] LSM: Module stacking for AppArmor

Casey Schaufler casey at schaufler-ca.com
Wed Apr 10 15:36:56 UTC 2019


On 4/10/2019 5:52 AM, Stephen Smalley wrote:
> On Tue, Apr 9, 2019 at 5:40 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>> This patchset provides the changes required for
>> the AppArmor security module to stack safely with
>> "exclusive" security modules, those being SELinux and
>> Smack.
> What's the use case?  Who would use such support?


A device uses a Smack three domain policy for system
protection. It uses AppArmor policy to maintain application
isolation.
   
	-------------------------------------------------------------------
	| Smack floor domain                                              |
	-------------------------------------------------------------------
	| Smack System domain                                             |
	-------------------------------------------------------------------
	| Smack User domain                                               |
	| ----------  ----------  ---------- ----------  ----------       |
	| |AppArmor|  |AppArmor|  |AppArmor| |AppArmor|  |AppArmor|       |
	| | Fred   |  | Wilma  |  |Barney  | | Betty  |  | Dino   |       |
	| ----------  ----------  ---------- ----------  ----------       |
	-------------------------------------------------------------------

Each of the security modules is used in the way it was designed. Neither
has to be stretched beyond its original goals. Yes, you can implement the
system using either Smack or AppArmor (or maybe even SELinux) but by using
each for what it is best at you make it much easier.
  


