Ubuntu got AppArmor support

.

This is bad news. AppArmor is a weak design. IMHO it gives the users a false impression of security, while leaving too much open to bypass security.

But the biggest problem IMHO is that noone at Ubuntu seems to be working on their SELinux support. All I’ve seen is Ubuntu users breaking their system to a point where they didn’t know how to fix it in the attempt to install their SELinux packages. The packages are mostly a 1:1 copy of the Debian packages I guess, but for example their new ‘upstart’ init-replacement likely isn’t capable of actually starting a SELinux enabled system. Oh, and Debian didn’t include the relevant package in any ‘stable’ release, Ubuntu had it in ‘universe’ since ‘warty’. Right now, feisty will include the package, though it reportedly can’t be installed.

In the example used in the blog, evince is maybe protected from exploits by bad PDF files, but if you do a cp /usr/bin/evince /tmp and run that copy, all the protection is gone. A symlink might already be sufficient! So AppArmor is heavily relying on the user playing nicely.

You might want to read this Article at LWN about AppArmor and why it’s having a hard time getting into Linux mainline and “Security Anti-Pattern: Path based access control” in Joshua Brindle’s “SecurityBlog” for a detailed article on the weaknesses in AppArmors approach.

And their constant claim of being easier to use than SELinux isn’t true either:

the ‘learning’ mode itself will only generate you an incomplete policy. It’s about as much as you can achieve in SELinux by transforming audit errors to allow rules using the “audit2allow” tool. Maybe even less; for example when an application accesses a font file, SELinux audit2allow will generate a rule that allows access to all font files (since they have the same type). This doesn’t rely on any directory globbing magic, but because there is a type for font files. I expect that future versions of audit2allow will actually recommend which interfaces to add instead of just listing raw allow statements.

AppArmors ‘abstractions’ seems to match what is called ‘interfaces’ in SELinux, except that interfaces in the SELinux reference policy are well documented and much more extensive. The ‘abstractions’ offered look like an early, incomplete version of the old NSA policy to me, before this was restructured to become the ‘reference policy’.

Interaction between processes also seems to be completely ignored by AppArmor. So it seems to me that “preventing evince from trashing your home directory when opening a malicious PDF file” is pretty much all you can do with AppArmor?

But again, this isn’t so much about bashing AppArmor or Ubuntu. I’m just disappointed that noone at Ubuntu seems to work on the more sound and solid SELinux. Most of SELinux is already in Ubuntu (inherited by their Debian roots), but it’s lacking some integration work and such. Ubuntu is often said to be more agile than Debian and better at adopting new technologies, but in my experience, this often is limited to ‘visual’ stuff. If Debian were better at recruiting new people (for example in the SELinux section, we also seriously lack manpower), I’d probably be annoyed by Ubuntu ‘trying to be first with all the pretty stuff’ (yes, saying this would not be fair, that’s why I’m putting it in quotes). Right now I’m mostly happy that they ‘divert’ many newbies off Debian and to their huge forums. Although it occasionally means I need to help an Ubuntu user to fix his system when he doesn’t get any help there.