[Fwd: Re: AppArmor - makes mod_perl/mod_php safer on linux]

Should this go somewhere on perl.apache.org? We don't have a section on
securing apps, maybe one needs to be started?

I've forwarded the two relevant messages from the users list.

-------- Original Message --------
Subject: FYI: AppArmor - makes mod_perl/mod_php safer on linux
Date: Fri, 07 Apr 2006 17:09:20 -0700
From: Stas Bekman <stas@...>
Organization: Hope, Humanized
To: mod_perl Mailing List <modperl@...>

I was just at CanSecWest (http://cansecwest.com/) here in Vancouver, and
went to a talk by Crispin Cowan from Novell. He presented AppArmor, which
confines the application into a restricted mode (which files it can access
and what it can and cannot do). Unlike jail/chroot, AppArmor allows you to
provide different profiles per script, so it might be very useful to ISPs
which need to protect one user from another. It works as a Linux security
module (LSM), so there is very little overhead and no need to patch your
kernel.

I haven't used it myself, but I think some of the mod_perl users can
benefit from it. I don't know why Novell folks didn't announce it to this
list.

More info at:
http://www.novell.com/products/apparmor/
http://www.novell.com/documentation/apparmor/

mod_perl is specifically mentioned on page 4 at:
http://www.novell.com/collateral/4821055/4821055.pdf

-------- Original Message --------
Subject: Re: AppArmor - makes mod_perl/mod_php safer on linux
Date: Mon, 10 Apr 2006 14:31:13 +0200
From: Clinton Gormley <clint@...>
To: Jonathan Vanasco <jon@...>
CC: mod_perl Mailing List <modperl@...>
References: <4436FF30.2060906@...> <012601c65bb4$658a2130$960b0a0a@...> <3D6FCB29-B601-4E29-8BBD-DF6BE046539F@...>

On Sun, 2006-04-09 at 13:45 -0400, Jonathan Vanasco wrote:
> On Apr 9, 2006, at 5:02 AM, Kevin A. McGrail wrote:
>
> > I'm under the impression that this is the same as SELinux
> > (http://www.nsa.gov/selinux/info/faq.cfm)
>
> SELinux is at the kernel level + a few libraries, and from what I
> read AppArmor is just a library

No, AppArmor plugs into the kernel via LSM (Linux Security Modules), which
SELinux uses as well.

It is really impressive. Have a look at this demo (272 meg of video!)
ftp://ftp.belnet.be/pub/mirror/FOSDEM/FOSDEM2006-apparmor.avi

It is easy to configure, adds little overhead, and allows you to build
security profiles on the fly. Also, it adopts the deny-all/allow-required
approach, rather than allow-all, deny-this-that-and-the-other-thing.

Also (and I forgot the details), I'm pretty sure it allows you to separate
permissions for different Perl scripts running under mod_perl.

clint

--
_____________________________________________________________
Stas Bekman mailto:stas@... http://stason.org/
MailChannels: Assured Messaging(TM) http://mailchannels.com/
The "Practical mod_perl" book http://modperlbook.org/
http://perl.apache.org/ http://perl.org/ http://logilune.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-dev-unsubscribe@...
For additional commands, e-mail: docs-dev-help@...