===============================================================================
AppArmor kmod for RHEL/CentOS 7
===============================================================================

PRE-ALPHA CODE!!

This code does compile and load, but functionality is extremely limited while
development is ongoing as I have spare time. If you'd like to contribute, I
will graciously accept pull requests.

Goals to enter alpha:

DONE:

 * get this module to compile and load - DONE
 * module unloads without causing issues - DONE
 * init each running task with an unconfined policy at load time - DONE

IN PROGRESS - HAVING TROUBLE!

 * properly handle cred_prepare and cred_free (aa_dup_task_context)

NOT STARTED:

 * find/hook the symbols involved in the missing CONFIG_SECURITY_PATH

Goals to enter beta:

 * module loads at boot time
 * assigns a proper profile to all running processes at load time
 * if SELINUX=disabled still load and work, but issue warning in logs
 * port a basic upstream policy that functions on a GNOME Desktop

===============================================================================
About this module

AppArmor is a Linux Security Module that's meant to be built into the kernel
itself, and was designed to only allow one security framework to be loaded at
a time. As such, if your kernel loads another LSM instead (such as SELinux)
then you're out of luck and can't use AppArmor... or can you?

===============================================================================
Supported Kernels

 - RHEL/CentOS 7 (linux-3.10.0)

This project is following the above pre-packaged enterprise kernel because it
has a stable kABI, and doesn't use AppArmor.

===============================================================================
How it works

This module makes use of the kernel ftrace framework. In a nutshell, ftrace is
in charge of the first few bytes of most kernel symbols, and can redirect them
to other addresses.

This module instructs ftrace to redirect security handlers to kmod code, which
then decides whether it's appropriate to continue or not. As such, the AppArmor
logic runs first, but still allows the SELinux code to function as well.

===============================================================================
Compatibility Issues

Kernel modules that make use of kernel tracing (ftrace, kprobes, etc) may
conflict with this module if they touch the same kernel symbols. The only ones
I know of are "tpe-lkm" (this module's sister project), and "kpatch".

This module will not work on systems where loadable kernel module support is
disabled at compile time (CONFIG_MODULES not being set).

This module requires many LSM hooks in order to work, and will error out when
security is disabled at compile time (CONFIG_SECURITY not being set).

===============================================================================
BUGS

Lots. This is pre-alpha code. Use at your own risk!

===============================================================================

 - kpatch - https://github.com/dynup/kpatch

   Looking at the kpatch implementation, I was able to build the framework that
   makes loading a security module in this manner possible.

 - tpe-lkm - https://github.com/cormander/tpe-lkm

   The use of the ftrace framework (fopskit) was initially developed in
   tpe-lkm.

===============================================================================
About the Author

website: http://cormander.com/
github:  https://github.com/cormander/
email:   corman /AT/ cormander /DOT/ com

===============================================================================
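
A pre-load check for the situation described under "Compatibility Issues",
added here as an example and not part of this project's code: it parses the
kernel's own listings of ftrace-attached functions and registered kprobes and
reports which security handlers another tracer already touches. It assumes
debugfs is mounted at /sys/kernel/debug and that the hooked symbols start with
"security_" (the README does not list them); the sample input is constructed.

```python
import re

# Constructed sample of /sys/kernel/debug/tracing/enabled_functions:
# "symbol (N)", N = ftrace ops attached; trailing flags are ignored here.
SAMPLE_ENABLED_FUNCTIONS = """\
security_file_open (1)
security_mmap_file (1) R
vfs_read (1) R
"""

# Constructed sample of /sys/kernel/debug/kprobes/list:
# "address  type  symbol+offset  [status]"; the addresses are made up.
SAMPLE_KPROBES_LIST = """\
ffffffff812a4c10  k  security_mmap_file+0x0    [FTRACE]
ffffffff811e0d40  r  vfs_read+0x0    [FTRACE]
ffffffff812a5005  k  security_inode_create+0x5
"""

FTRACE_LINE = re.compile(r"^(\S+)\s+\((\d+)\)")
KPROBE_LINE = re.compile(r"^[0-9a-f]+\s+[krj]\s+([^\s+]+)\+0x([0-9a-f]+)", re.I)

def parse_enabled_functions(text):
    """Return {symbol: number of ftrace ops attached to it}."""
    matches = (FTRACE_LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): int(m.group(2)) for m in matches if m}

def parse_kprobes(text):
    """Return [(symbol, offset)] for every registered kprobe/kretprobe."""
    matches = (KPROBE_LINE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), int(m.group(2), 16)) for m in matches if m]

def preload_conflicts(enabled_functions, kprobes_list, prefix="security_"):
    """Map each already-traced symbol with `prefix` to the tracers on it."""
    # The prefix is an assumption: the README does not name the hooked symbols.
    found = {}
    for sym, count in parse_enabled_functions(enabled_functions).items():
        if sym.startswith(prefix) and count > 0:
            found.setdefault(sym, []).append(f"ftrace ops: {count}")
    for sym, offset in parse_kprobes(kprobes_list):
        if sym.startswith(prefix):
            found.setdefault(sym, []).append(f"kprobe at +{offset:#x}")
    return found

if __name__ == "__main__":
    hits = preload_conflicts(SAMPLE_ENABLED_FUNCTIONS, SAMPLE_KPROBES_LIST)
    for sym in sorted(hits):
        print(f"{sym}: {'; '.join(hits[sym])}")
```

On a live system, pass the contents of the two debugfs files (read as root)
in place of the samples, before loading the module.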