AppArmor: Much Ado About Nothing

Filed under
SUSE

When Novell released its AppArmor security suite under the GPL it created quite a media buzz. But since many people believe that the open source development model leads to better code quality, projects that are derived from a proprietary code base often arouse suspicion. The goal of AppArmor is to limit security breaches to a single process and to prevent compromising the entire system.

The most important question for AppArmor is to ask in which scenarios in can provide a reasonable security improvement. The problem is, there aren't many. The main benefit is for systems where there are multiple services running, so that if your mail server is compromised your Samba shares are still secure. But such things have been implemented using UNIX permission decades ago and this hardly justifies setting up a complex security suite.

Another shortcoming is the inability to effectively limit the harm a process can do.

Full Story.