Random Opinions, Expert Opinions, and Facts about AppArmor

My previous post titled AppArmor is Dead [1] has inspired a number of reactions. Some of them have been unsubstantiated opinions; everyone has an opinion, so that doesn’t mean much. I believe that the opinions of experts matter more. Crispin responded to my post and made some reasonable points [2] (although I believe that he is overstating the ease-of-use case). I take Crispin’s response a lot more seriously than most of the responses because of his significant experience in commercial computer security work. The opinion of someone who has relevant experience in the field in question matters a lot more than the opinion of random computer users!

Finally there is the issue of facts. Of the people who don’t agree with me, Crispin seems to be the first to acknowledge that Novell laying off AppArmor developers and adding SE Linux support are both bad signs for AppArmor. The fact that Red Hat and Tresys have been assigning more people to SE Linux development in the same time period that SUSE has been laying people off AppArmor development seems to be a clear indication of the way that things are going.

One thing that Crispin and I understand is the amount of work involved in maintaining a security system. You can’t just develop something and throw it to the distributions. There is ongoing work required in tracking kernel code changes, and when there is application support there is also a need to track changes to application code (and replacements of system programs). Also there is a need to add new features. Currently the most significant new feature development in SE Linux is related to X access controls – this is something that every security system for Linux needs to do (currently none of them do it). It’s a huge amount of work, but the end result will be that compromising one X client that is running on your desktop will not automatically grant access to all the other windows.

The CNET article about Novell laying off the AppArmor developers [3] says ‘“An open-source AppArmor community has developed. We’ll continue to partner with this community,” though the company will continue to develop aspects of AppArmor’ and attributes that to Novell spokesman Bruce Lowry.

Currently there doesn’t seem to be an AppArmor community: the Freshmeat page for AppArmor still lists Crispin as the owner and has not been updated since 2006 [4], and it links to hosting on Novell’s site. The Wikipedia page for AppArmor also lists no upstream site other than Novell [4].

The AppArmor development list hosted by SUSE has been getting fewer than 10 posts per month recently [6]. The AppArmor general list had a good month in January with a total of 23 messages (including spam) [7], but it generally gets only a few messages a month.

The fact that Crispin is still listed as the project leader [8] says a lot about how the project is managed at Novell!

So the question is, how can AppArmor’s prospects be improved? A post on linsec.ca notes that Mandriva is using AppArmor [9]; getting more distribution support would be good, but the most important thing in that regard will be contributing patches back and dedicating people to do upstream work (Red Hat does a huge amount of upstream development for SE Linux, and a significant portion of my Debian work goes upstream).

It seems to me that the most important thing is to have an active community. Have a primary web site (maybe hosted by Novell, maybe SourceForge or something else) that is accurate and current. Have people giving talks about AppArmor at conferences to promote it to developers. Then try to do something to get some buzz about the technology; my SE Linux Play Machines inspired a lot of interest in the SE Linux technology [10]. If something similar were done with AppArmor then it would get some interest.

I’m not interested in killing AppArmor (I suspect that Crispin’s insinuations were aimed at others). If my posts on this topic inspire more work on AppArmor and Linux security in general then I’m happy. As Crispin notes the real enemy is his employer (he doesn’t quite say that – but it’s my interpretation of his post).

11 comments to Random Opinions, Expert Opinions, and Facts about AppArmor

  • I’m not really sure if I like the last part of his blog entry, where he says “If AppArmor does die, then in some sense it just makes my job here of enhancing the Windows security value proposition vs. Linux that much easier.” and reiterates “So go ahead, make my day: ignore the popularity of AppArmor in the user community, keep blocking AppArmor from inclusion in Linus’ kernel. If all I have to do is make Windows security easier and more effective to deploy than SELinux, then my job is practically done for me.”. It seems to show some kind of resentment there.

    I don’t have a clue on whether SELinux is better or worse than AppArmor, but these sentences somehow tell me that his answer might include some quite intense emotional content, and that is something that can usually taint the way someone thinks. I’m not doubting that he might have his reasons to think what he does, but I do have the feeling that if things were not really as he thinks, he might not be noticing or acknowledging them. I’m just a random computer user, I know, but I know enough of human nature to see some things :)

  • Is anyone posting AppArmor mitigations? I’m searching for mentions of AppArmor in SUSE security bulletins and all I can find is the updates for AppArmor itself.

  • etbe

    Miriam: I agree that his post didn’t have the most positive tone. But you have to keep in mind the fact that AppArmor is his creation, and even though he is now competing with it (after leaving Novell in a way that probably didn’t make him happy) he still has some attachment to the project. Some level of resentment is understandable.

    http://securityblog.org/brindle/2006/08/20/on-apparmor/
    http://securityblog.org/brindle/2006/04/19/security-anti-pattern-path-based-access-control/

    The above blog posts by Joshua Brindle (a Tresys employee and Gentoo developer who works on SE Linux) have some background information on the differences between SE Linux and AppArmor.

    Don: By “mitigations” do you mean analysis of exploits and how AppArmor would have prevented them or constrained them? I’m not aware of that. Even for SE Linux the work in that area is lagging.

  • Tresys was maintaining a list of CVE numbers where the exploit doesn’t work under SELinux. Don’t know if they’re still doing it.

  • James

    AppArmor is not dead.

    Look at the latest development snapshots, it is still going at a good rate. Crispin is still listed as head developer, because if it is a community effort, perhaps he still has something to do with it as a community member.

    You have given a very one-sided, Michael Moore-ish view, leaving out a lot of relevant info. Ubuntu for example has AppArmor enabled by default, perhaps they will start to pick up development, or already contribute.

    I myself use RSBAC, as I think it is superior to both offerings, and would like to see it get more press and attention like it deserves.

  • etbe

    http://en.wikipedia.org/wiki/Cognative_dissonance

    James: Please read the above URL.

    If Ubuntu have picked up development then please tell me where to find it. I checked all the usual locations (google search, wikipedia, and freshmeat) and they all pointed to the Novell pages.

    As for RSBAC, please package it for your favourite distribution and tell us where the packages are.

  • James

    Russell,

    Please try to refrain from being condescending if you can not respond to a well formed argument.

    I did not say Ubuntu have picked up development, but may do so. However:

    http://changelogs.ubuntu.com/changelogs/pool/main/a/apparmor/apparmor_2.3+1289-0ubuntu2/changelog

    You have already lost quite a bit of credibility by apparently judging a security framework based on the packages available for it.

  • etbe

    James: Claiming that an MS employee who is working on a project that is actively competing with AppArmor is still the “head developer” of AppArmor while also claiming that AppArmor is a live project is not a well formed argument. It’s a desperate attempt to try and find evidence that supports what you want to believe.

    If you want to talk about credibility, how about providing some information on the relevant work you have done. As I noted in the first paragraph of this post, unsubstantiated opinions of people who have no relevant experience don’t mean much to me.

  • James

    I don’t use AppArmor, and don’t have any reason to hope it is not dead, the evidence simply does not support that, only the selective evidence you tried to show inferred it.

    I have spent almost 10 years working with these systems, and did a dissertation on the differences between them at Monash. I really don’t feel I have to prove anything to you, if you can not hold an argument, or support your claims with non-biased evidence.

    What have you done that makes you such an authority, apart from having an SELinux play machine?

  • etbe

    James: Please provide the URL for your dissertation, I would like to read it.

    If you want to find out what I have done then ask Google.

    It seems very strange to me that an anonymous commentator on my blog expects their comments (and comments of other anonymous people) to be given the same weight as comments and posts by people such as the PaX developers and Crispin.

    Note that on the net anyone can claim to have a university degree. Merely claiming to have years of relevant experience is easy and proves nothing.

    As for whether you have to prove anything to me, 9 blog comments is rather a lot, so you seem to be trying hard.

  • David Lang

    It doesn’t surprise me that AA development has stalled, with the violent opposition to its inclusion in the kernel, maintaining it separately is very questionable.

    However, if the necessary pathname based hooks can get included (which one other project is working on, something like TOYMO) I would expect AA development to jump significantly