System wide default-deny (process whitelisting) via AppArmor
I wanted a quick check to see if my understanding of AppArmor is correct.




  1. AppArmor by default confines only those applications that have profiles defined. Any other application that tries to run will not be blocked by AppArmor.


  2. AppArmor behaves in a "default-deny"/whitelist mode for confined applications: any permission not declared in the profile will be denied during runtime.


  3. AppArmor does not, by default, have a system-wide whitelisting behavior. I did find some info about creating a default profile (https://lists.ubuntu.com/archives/apparmor/2012-December/003241.html), but that looks like it would take some work: you'd have to ensure sufficient permissions are granted for system applications as well, otherwise they wouldn't work properly. But then, you might as well not have this default profile in the first place.



Am I missing something? AppArmor is not intended to provide system-wide process whitelisting capabilities, right?
      linux security apparmor
      asked 5 mins ago
dkctx
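Two small checks that bear on points 1 and 2 of the question, as an added example: this is not code from the question or from the AppArmor project (on a real host `aa-status` does the first job). It assumes the label format AppArmor writes to `/proc/<pid>/attr/current` (newer kernels also expose it under `attr/apparmor/current`), which is `unconfined` or `<profile> (enforce)` / `<profile> (complain)`, and the `apparmor="DENIED"` audit record format seen in `dmesg` and `kern.log`. The sample log line is constructed, and the function names (`aa_classify`, `aa_tally`, `aa_denials`, ...) are mine.

```shell
#!/bin/sh
# Added example, not from the original post. POSIX sh only.

# --- Point 1: who is actually confined? -----------------------------------
# AppArmor reports a process's confinement in /proc/<pid>/attr/current as
# "unconfined" or "<profile name> (enforce|complain)". Classify one such label.
aa_classify() {
    case "$1" in
        ""|unconfined)  echo unconfined ;;
        *"(enforce)")   echo enforce ;;
        *"(complain)")  echo complain ;;
        *)              echo unknown ;;   # e.g. an SELinux context on a non-AppArmor kernel
    esac
}

# Read the label for one pid. Prints nothing if the pid vanished or the
# kernel exposes no AppArmor attribute file.
aa_label_of() {
    pid=$1
    if [ -r "/proc/$pid/attr/apparmor/current" ]; then
        cat "/proc/$pid/attr/apparmor/current" 2>/dev/null
    else
        cat "/proc/$pid/attr/current" 2>/dev/null
    fi
}

# Tally a stream of labels (one per line) into "enforce complain unconfined unknown".
# Kept separate from /proc so it can be fed a constructed list as well.
aa_tally() {
    e=0; c=0; u=0; o=0
    while IFS= read -r label || [ -n "$label" ]; do
        case "$(aa_classify "$label")" in
            enforce)    e=$((e + 1)) ;;
            complain)   c=$((c + 1)) ;;
            unconfined) u=$((u + 1)) ;;
            *)          o=$((o + 1)) ;;
        esac
    done
    echo "$e $c $u $o"
}

# Live report over every running process. On a stock install most of the
# system lands in the "unconfined" bucket: that bucket is exactly what a
# system-wide default profile (point 3 of the question) would have to cover.
aa_live_tally() {
    for p in /proc/[0-9]*; do
        aa_label_of "${p#/proc/}"
    done | aa_tally
}

# --- Point 2: default-deny inside a profile -------------------------------
# When a confined program touches something its profile does not list, the
# kernel emits an audit record like the constructed lines below. The second
# line is what complain mode logs instead (ALLOWED, but recorded).
SAMPLE_LOG='audit: type=1400 audit(1551000000.123:45): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/var/lib/example/secret.db" pid=1234 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1551000000.456:46): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/hosts" pid=1234 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# Print "<profile> <operation> <name>" for every DENIED record on stdin,
# i.e. every access the profile's whitelist did not grant.
aa_denials() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *'apparmor="DENIED"'*) ;;
            *) continue ;;
        esac
        prof=$(printf '%s\n' "$line" | sed -n 's/.*profile="\([^"]*\)".*/\1/p')
        op=$(printf '%s\n' "$line"   | sed -n 's/.*operation="\([^"]*\)".*/\1/p')
        name=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
        printf '%s %s %s\n' "$prof" "$op" "$name"
    done
}

# Run with --live on an AppArmor host to see the confinement tally.
if [ "${1:-}" = "--live" ]; then
    aa_live_tally
fi
```

On an AppArmor host, `sh aa_check.sh --live` prints four counts; the third (unconfined) is the set of programs that point 1 says AppArmor leaves alone. Feeding `dmesg` or `/var/log/kern.log` into `aa_denials` lists exactly the accesses a profile's whitelist refused, which is the default-deny behaviour of point 2 made visible and is the usual input for deciding what a profile still needs before switching it from complain to enforce.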