On Sun, Jun 27, 2021 at 03:01:10AM +0530, Murali Selvaraj wrote:

> - I would like to understand limitations in DAC which are addressed in
> Apparmor. Please share any simple examples to understand this query.

The usual example is users using chmod 777 on their own documents because they heard once that this solves permissions problems. A MAC tool restricts what processes can do with this file, even though the DAC permissions allow all processes to read and write the file.

A less user-oriented example is something like Apache: you may want it to serve your website, but not serve your /etc/passwd file (which is intentionally world readable.)

> - Does command line injection (SECVUL) issue be addressed if we use
> Apparmor? If so, give a real time example for the reference.

Not really, though it depends upon the specifics of your software: if your software accepts filenames as command line parameters, AppArmor can help ensure that it only has permission to open some subset of files on the system.

> - In other words, by restricting the system resource using Apparmor,
> what are the major security leaks are we avoiding? Pls share
> additional details if available.

You can make sure that your web server can only serve web pages, your database server can only import and export data through specific locations, your interactive users over ssh can't perform administrative actions without using your specific auditing tool. You could make sure that the software that analyzes photos can't do networking and can't run anything else that can do networking, either. Or you could make sure that some proprietary tool that you must run but you can't audit the source code for can't read your ssh and gpg keys and can only write into its specific directory.

If you've got a computer that only does one thing, maybe a MAC isn't very useful. But if your computer does two or more things, you can specify what interactions are allowed, using which communication channels.

Thanks
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
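The two cases in the reply above (a web server that must not serve /etc/passwd even though DAC makes it world-readable, and a photo analyzer that must not touch the network or launch anything that can) written out as AppArmor profiles. This is an added example, not a profile from the mail or from the AppArmor project; it assumes Apache is installed as /usr/sbin/apache2 with its document root in /var/www/html, and a hypothetical analyzer at /usr/local/bin/photo-analyze, so adjust paths for your system.

```apparmor
# Added example, not from the original mail. Paths are assumptions.
#include <tunables/global>

# Case 1: the web server may read its config and document root and nothing
# else of interest, regardless of what DAC permissions the files carry.
/usr/sbin/apache2 {
  #include <abstractions/base>
  # nameservice grants "r" on /etc/passwd; the deny rule below still wins,
  # because in AppArmor deny rules take precedence over allow rules.
  #include <abstractions/nameservice>

  capability net_bind_service,   # bind ports 80/443
  capability setuid,             # drop from root to www-data
  capability setgid,

  network inet stream,
  network inet6 stream,

  # Read-only: configuration, loadable modules, and the site itself.
  /etc/apache2/** r,
  /usr/lib/apache2/modules/*.so mr,
  /var/www/html/** r,

  # Write: only logs and the runtime directory.
  /var/log/apache2/*.log w,
  /run/apache2/** rw,

  # DAC says /etc/passwd is world-readable; MAC says this process may not
  # read it, so a path-traversal or a misconfigured Alias cannot serve it.
  deny /etc/passwd r,
  deny /etc/shadow r,

  # No exec at all: no shell, no interpreter, no CGI helper.
  deny /** x,
}

# Case 2: the photo analyzer may read pictures and write results, but has
# no network and cannot execute anything that might have one.
/usr/local/bin/photo-analyze {
  #include <abstractions/base>

  deny network,                              # no sockets of any family
  deny /** x,                                # cannot run other programs

  owner /home/*/Pictures/** r,               # only the invoking user's files
  owner /home/*/Pictures/analysis/** rw,     # the one place it may write
  deny /home/*/.ssh/** rwklmx,               # explicit, so denials are quiet
  deny /home/*/.gnupg/** rwklmx,
}
```

Load it with `apparmor_parser -r <profile-file>` and confirm with `aa-status`. Because a minimal profile like this will usually miss a few files a real Apache build needs (SSL certificates, MIME tables, locale data), put it in complain mode first (`aa-complain /usr/sbin/apache2`), exercise the service, read the ALLOWED/DENIED lines in the audit log, and only then switch to `aa-enforce`. Note also that AppArmor only narrows what DAC permits: it never grants access that the file mode would refuse, so the `deny /etc/shadow r,` line is belt-and-braces rather than a fix for a DAC problem.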
