This talk tells the story of how we build the largest working set of apparmor profiles. The default set of apparmor profiles in Linux is small. It makes Apparmor less useful to prevent thread. apparmor.d is a work in progress project that aims to provide a full set of profiles tailored for all major Linux distributions: Debian, Ubuntu, OpenSUSE, Archlinux and Ubuntu Core. It includes over 1400 profiles; together, they ensure that most Linux processes remain confined. In this talk, we will be going over the main challenges we faced while working on these profiles. The security architecture of the profiles. How did we select the program to confine and why? As there are over 50000 Linux packages, we need to carefully select the profiles to write. How we use integration testing that uses Go, some VM and hundreds of both manually created and automatically generated tests to ensure the profiles do not break your setup. The profiles, tooling and documentation for the project has been published at https://github.com/roddhjav/apparmor.d
Session author's bio
Alexandre Pujol is a French security researcher at The Collaboratory @TUDublin. He is is graduated from a PhD Student in computer security & privacy in University College Dublin, Ireland. His area of work includes user privacy, secret management, and system security. He is the author of multiple password extensions such as pass-tomb and pass-import as well as the maintainer of apparmor.d, a large repository of apparmor profiles.
|Level of Difficulty||Intermediate|