AppArmor running on RHEL/CentOS kernels
include
scripts
.gitignore
Kconfig
Makefile
README
aa_fus.h
apparmorfs.c
audit.c
capability.c
context.c
domain.c
file.c
fopskit.c
fopskit.h
ipc.c
lib.c
lsm.c
match.c
path.c
policy.c
policy_unpack.c
procattr.c
resource.c
sid.c

README

===============================================================================

AppArmor kmod for RHEL/CentOS 7

===============================================================================

PRE-ALPHA CODE!!

This code does compile and load, but functionality is extremely limited while
development is ongoing as I have spare time. If you'd like to contribute, I
will graciously accept pull requests.

Goals to enter alpha:

DONE:
* get this module to compile and load - DONE
* module unloads without causing issues - DONE
* init each running task with an unconfined policy at load time - DONE

IN PROGRESS - HAVING TROUBLE!
* properly handle cred_prepare and cred_free (aa_dup_task_context)

NOT STARTED:
* find/hook the symbols involved in the missing CONFIG_SECURITY_PATH

Goals to enter beta:

* module loads at boot time
* assigns a proper profile to all running processes at load time
* if SELINUX=disabled still load and work, but issue warning in logs
* port a basic upstream policy that functions on a Gnome Desktop

===============================================================================

About this module

AppArmor is a Linux Security Module that's meant to be built into the kernel
itself, and was designed to only allow one security framework to be loaded at
a time. As such, if your kernel loads another LSM instead (such as SELinux)
then you're out of luck and can't use AppArmor... or can you?

===============================================================================

Supported Kernels

 - RHEL/CentOS 7 (linux-3.10.0)

This project is following the above pre-packaged enterprise kernel because
it has a stable kABI, and doesn't use AppArmor.

===============================================================================

How it works

This module makes use of the kernel ftrace framework. In a nutshell, ftrace is
in charge of the first few bytes of most kernel symbols, and can redirect them
to other addresses. This module instructs ftrace to redirect security handlers
to kmod code, which then decides whether it's appropriate to continue or not.

As such, the AppArmor logic runs first, but still allows the SELinux code to
function as well.

===============================================================================

Compatibility Issues

Kernel modules that make use of kernel tracing (ftrace, kprobes, etc) may
conflict with this module if they touch the same kernel symbols. The only ones
I know of are "tpe-lkm" (this module's sister project), and "kpatch".

This module will not work on systems where loadable kernel module support is
disabled at compile time (CONFIG_MODULES not being set).

This module requires many LSM hooks in order to work, and will error out when
security is disabled at compile time (CONFIG_SECURITY not being set).
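
A preflight check for the requirements above, as an added example that is not
part of this project's code. CONFIG_MODULES and CONFIG_SECURITY come from this
README; the two ftrace options, the security_* symbol prefix and the function
names are assumptions made for illustration.

```shell
#!/bin/sh
# Preflight for loading an ftrace-based LSM kmod (added example, not project code).

# missing_kconfig CONFIG_FILE
# Print every required option that is not built in (=y).
# Assumption: ftrace-based hooking needs the two *FTRACE*/TRACER options.
missing_kconfig() {
    for opt in CONFIG_MODULES CONFIG_SECURITY \
               CONFIG_FUNCTION_TRACER CONFIG_DYNAMIC_FTRACE; do
        grep -q "^${opt}=y\$" "$1" || echo "$opt"
    done
}

# traced_security_hooks ENABLED_FUNCTIONS_FILE
# Print security_* symbols that already have an ftrace callback attached,
# i.e. another tracing user (such as kpatch) may touch the same symbol.
# Assumption: one symbol per line, name in the first field.
traced_security_hooks() {
    awk '$1 ~ /^security_/ { print $1 }' "$1"
}

# preflight CONFIG_FILE ENABLED_FUNCTIONS_FILE
# Returns 0 when nothing is missing and no security_* symbol is traced.
preflight() {
    rc=0
    for opt in $(missing_kconfig "$1"); do
        echo "missing kernel option: $opt"
        rc=1
    done
    for sym in $(traced_security_hooks "$2"); do
        echo "already traced: $sym"
        rc=1
    done
    return $rc
}

# On a live system (root, debugfs mounted), for example:
#   sh preflight.sh "/boot/config-$(uname -r)" \
#       /sys/kernel/debug/tracing/enabled_functions
if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

A non-zero exit means the module would either fail to load or share a hooked
symbol with another tracer, so resolve that before running insmod.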

===============================================================================

BUGS

Lots. This is pre-alpha code. Use at your own risk!

===============================================================================

 - kpatch - https://github.com/dynup/kpatch

Looking at the kpatch implementation, I was able to build the framework that
makes loading a security module in this manner possible.

 - tpe-lkm - https://github.com/cormander/tpe-lkm

The use of the ftrace framework (fopskit) was initially developed in tpe-lkm.

===============================================================================

About the Author

website: http://cormander.com/
github: https://github.com/cormander/
email: corman /AT/ cormander /DOT/ com

===============================================================================