[PATCH 00/58] LSM: Module stacking for AppArmor
John Johansen
john.johansen at canonical.com
Wed Jun 5 01:50:36 UTC 2019
On 6/4/19 5:29 AM, Stephen Smalley wrote:
> On 6/2/19 12:50 PM, Casey Schaufler wrote:
>> This patchset provides the changes required for
>> the AppArmor security module to stack safely with any other.
>
> Please explain the motivation - why do we want to allow AppArmor to stack with other modules, who would use it, how would it be used, what does it provide that isn't already possible in the absence of it.
>
It's another step towards making stacking generic. The current stacking in 5.2 only allows for a subset of blobs and limits what can be done by new security modules. This is another step towards achieving generic stacking. Whether it makes sense to stack a given set of security modules is a different discussion. I am fairly sure that if landlock/sara get in upstream they will at some point want access to parts of the LSM that are currently limited to a major LSM.
On the apparmor front, stacking with other modules has been asked for in the context of containers, both application and system. For example, snapd would like to be able to stack apparmor on an selinux system so the snap container can enforce its apparmor set of policy while the system as a whole is still being protected by selinux. Similar requests have been made for lxd doing system containers. lxd currently supports nested apparmor, so on an ubuntu system you can run a suse container, where the ubuntu host is enforcing policy and the suse container is loading and enforcing its policy as well. In this case the policy of the container is bounded by the policy of the host. The goal is to be able to do the same with selinux and smack based systems; LSM stacking is of course only part of what is required to make this work.
Currently with the stacking patches we can boot a fedora system, and run an ubuntu container with apparmor enforcing its policy inside the container and selinux enforcing its policy on the host.
> Also, Ubuntu fully upstreamed all of their changes to AppArmor, would this still suffice to enable stacking of AppArmor or do they rely on hooks that are not handled here?
Ubuntu actually has a very small apparmor delta these days, and we are working on eliminating it entirely. There are no patches in Ubuntu that require new hooks. As for the delta wrt the stacking work, Ubuntu has pulled in a subset of this delta and has been shipping kernels with stacking enabled for 4 releases now, and apparmor development is done with LSM stacking in mind.