AppArmor LSM Update Introduce self John Johansen.

Presentation on theme: "AppArmor LSM Update Introduce self John Johansen."— Presentation transcript:

1 AppArmor LSM Update
John Johansen

Notes: introduce self

2 AppArmor - the year in retrospect
- Land incremental improvements
- Lay the foundation
- Eliminate out of tree patches
- Improve and extend
- What landed
- What is close to landing
- What else was worked on

Notes: Interesting year, work on minor improvements.
- Working towards eliminating the out of tree patches while at the same time working towards major improvements
- Slow progress towards completing the model
- Well aware that AppArmor isn't complete and is missing some critical pieces, especially the upstream version
- Some of this has been in planning/dev for years

3 What landed?
- Released AppArmor 2.7, 2.8
- Mostly under the hood improvements
- Kernel
  - Bug fixes
  - aafs introspection interface improvements
- Userspace
  - Rewrote/updated some basic tools to python/python 3
  - Simple policy language improvements/consistency
  - Policy compiler improvements
    - Reduced memory usage
    - Improved compilation performance
    - Finished minimization
    - Better compression
  - Basic lxc integration

Notes:
- Kernel: a few bug fixes
- aafs: start of removing the out of tree introspection patch (procfs style); still missing loaded policy, WIP, should land soon
- Userspace: tools were a hodgepodge of different languages, just cleaning up and doing housekeeping (file, capability, ...)
- Policy compiler: completely changed the memory footprint, 2-4x speed improvements, 30-40% reduced policy size
- Very basic lxc integration, wrapping a container to harden it, more to come

4 What is close to landing?
- mount rules
- RCU lock rework
- policy introspection
- Matching engine improvements
  - cleaned up matching/verification
  - Differential compression
  - Cache line alignment
- policy templating – aa-easyprof
- sandbox
- dbus prototype

Notes: All of these have had patches/prototypes posted out.
- Mount rules: base is in testing in precise, pretty solid, but there are some extensions that we would like to work in (LSM hook to update state for pivot_root)
- Policy introspection: dir for each profile
- First set of matching engine improvements: faster, reduce size 2x+ (policy dependent), actually speeds up creation of the dfa
- Templating: improve policy generation, base "parameterized" base set of rules
- Sandbox: similar to selinux sandbox, dynamically generated policy + chroot/container + nested xserver

5 What is being worked on?
- dfa → ehfa
  - state machine sharing
  - variables
- audit refactor/learning
- extended mediation
  - Environment variable matching/filtering
  - net
  - ipc, ...
- improved internal labeling
- namespaces improvements
  - improved lxc integration
- stacking
- delegation/tainting
- user policy

Notes: Things that have been worked on but haven't landed yet.
- 2nd set of matching engine improvements: share states between domains, precompute intersections; reduces size, faster
- reduce size again, choke points, extend abilities: variables, back refs, embedded dfas
- don't dump our learning stream to audit
- better filtering than secure exec (which is very limited)
- finish up ipc
- finally have a network implementation worth upstreaming: coarse af/proto mediation, socket labeling, some secmark
- and the big step, internal labeling, key to much of the extended mediation
- NS: how much can be loaded, ...

6 Labels & Stacking
[Diagram: "label 1" made up of profile A, profile B and profile C; a stacking example with user profile, profile B and profile C; namespaces shown as NS, Container and User NS]

Notes:
Internal labeling
- not really labeling as in selinux or type enforcement, but similar
- currently cache a single profile off of some objects (short circuit lookups etc)
- a label is roughly a set of profiles (could be done as states; profiles:accept perm, domain internal label)
- label check is done before falling through to the access path check (file pathname, ...)
- sid maps to a label
Stacking
- sadly not even at working prototype stage
- just a label with a little extra information
- track current profile/ns (top of stack)
- only the current ns (top of stack) can be manipulated or seen from within that NS
- NS are hierarchical
- set up a new policy NS for the container, and it can load its own policy
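An added illustration of the labeling, stacking and policy namespace ideas in the notes above; this is a constructed Python model written for this transcript, not AppArmor's code. It assumes stacking semantics in which every profile in the stack must grant an access, and it uses Python's fnmatch globbing in place of AppArmor's pattern matching.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, Optional, Set, Tuple

# Constructed toy model of the ideas in the notes (not AppArmor's own code):
#  - a profile is a set of pathname rules,
#  - a label is a stack of profiles; the label check runs first and (assumed
#    semantics) every stacked profile must grant the access,
#  - the unconfined (empty) label short-circuits without any path matching,
#  - policy namespaces are hierarchical and a container NS sees only what it
#    loaded itself.

@dataclass
class Profile:
    name: str
    rules: Dict[str, Set[str]]  # path glob -> permission letters, e.g. {"/srv/*": {"r"}}

    def allows(self, path: str, perm: str) -> bool:
        # fnmatch globbing: unlike AppArmor's, "*" here also crosses "/"
        return any(perm in perms and fnmatchcase(path, glob)
                   for glob, perms in self.rules.items())

Label = Tuple[Profile, ...]  # empty tuple models the unconfined label
UNCONFINED: Label = ()

def check_access(label: Label, path: str, perm: str) -> Tuple[bool, str]:
    """Label check before path check: unconfined never touches the rules;
    a confined label is allowed only if every stacked profile allows."""
    if label == UNCONFINED:
        return True, "unconfined: short-circuited before any path lookup"
    for profile in label:
        if not profile.allows(path, perm):
            return False, f"denied by {profile.name}"
    return True, "allowed by " + " + ".join(p.name for p in label)

@dataclass
class PolicyNS:
    name: str
    parent: Optional["PolicyNS"] = None
    profiles: Dict[str, Profile] = field(default_factory=dict)

    def load(self, profile: Profile) -> None:
        self.profiles[profile.name] = profile  # a container loads its own policy

    def new_child(self, name: str) -> "PolicyNS":
        return PolicyNS(name, parent=self)  # NS are hierarchical

    def lookup(self, name: str) -> Optional[Profile]:
        # only this NS is visible from within it: no fall-through to the parent
        return self.profiles.get(name)
```

Stacking a broad container profile with a narrower user profile denies whatever either one denies, while a child namespace cannot see profiles loaded only in its parent.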

7 Thank you for your time

