 Infoz
Who:
Hackers like you.
What:
ToorCon 9
When:
October 19th-21st, 2007
Where:
San Diego Convention Center
Why:
What could possibly go wrong?






AppArmor Profile Sharing Portal

Crispin Cowan

The AppArmor mandatory access control mechanism was designed with ease of profile creation as a top priority. Users can confine their programs to specified interactions with files and POSIX draft capabilities. AppArmor's profile authoring tools learn by watching an application's behavior and prompt the user with policy decisions to match the user's exact requirements.

Particularly notable is that the AppArmor tools are very good at incrementally extending existing profiles. This allows a user to start with a profile authored by someone else and be concerned only with new actions not covered by the borrowed profile. This further reduces the work of creating a profile by letting users build on previous work and extend it as necessary.

This talk presents a shared repository of profiles that leverages AppArmor's ability to quickly extend profiles; when users wish to confine an application, the profile building tool will first offer to download an existing profile from the community repository. Users will extend the profile to their needs as necessary. After the user is finished, the tool offers to upload the profile back to the community repository. The repository maintainer, in turn, can both leave the uploaded version as a fork of the community profile, and choose to incorporate the changes into the community reference profile for that application.
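The fork-or-merge decision described above comes down to reviewing what an uploaded profile adds to the reference. The following is an added example, not code from the talk or from the AppArmor tools: it diffs two constructed sample profiles and, as an assumption of this example, flags new capabilities and new write access for the maintainer's attention. The names `parse_rules` and `review_delta` are hypothetical.

```python
# Constructed sample profiles (not from the talk): a community reference
# profile and a user's locally extended copy of it.
COMMUNITY = """\
/usr/sbin/ntpd {
  #include <abstractions/base>
  capability sys_time,
  /etc/ntp.conf r,
  /var/lib/ntp/drift rw,
}
"""

LOCAL = """\
/usr/sbin/ntpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  capability sys_time,
  capability net_bind_service,
  /etc/ntp.conf r,
  /var/lib/ntp/drift rw,
  /var/log/ntp.log w,
}
"""

def parse_rules(text):
    """Collect the rules inside a profile body, one normalised string each."""
    rules, depth = set(), 0
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth and line.startswith("#include"):
            rules.add(" ".join(line.split()))
        elif depth and line and not line.startswith("#"):
            rules.add(" ".join(line.rstrip(",").split()))
    return rules

def review_delta(reference, fork):
    """Diff a fork against the reference; flag new capabilities and writes."""
    ref, new = parse_rules(reference), parse_rules(fork)
    added = sorted(new - ref)
    # Assumed review heuristic: new capabilities and new write modes first.
    risky = [r for r in added if r.startswith("capability ")
             or (r.startswith("/") and "w" in r.split()[-1])]
    return {"added": added, "removed": sorted(ref - new), "needs_review": risky}

if __name__ == "__main__":
    print(review_delta(COMMUNITY, LOCAL))
```

Because the fork only extends the borrowed profile, the reviewer sees three added rules rather than the whole policy.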

This allows groups of users to collaborate in creating security policy. Specific groups intent on collaboration can use a private copy of the portal to build their own specialized versions of application profiles. The general community can use the community portal to collectively iterate the reference profile towards a universal use case that covers the needs of everyone who has contributed to the profile.

We will make the server available at the same time as the tools, slated for first release with openSUSE 10.3, to help businesses and end users alike easily deploy mandatory access control systems.

Copyright © ToorCon 2007, all bits reserved.