On Wed, Nov 15, 2017 at 10:21 AM, Patrick Ohly <patrick.ohly@xxxxxxxxx> wrote:
> I have some experience with SMACK, but not with Apparmor. At least with
> SMACK the problem is that the LSM depends on integrity protection of
> the xattrs, but the integrity protection itself depends on the LSM, so
> there's a cycle. An attacker can much too easily make offline changes
> which then defeat whatever IMA policy the system might be using.

We load the core policy from the initramfs, which is part of our signed
payload that's enforced by the firmware.

>> Execution that attempts to transition into a more privileged Apparmor
>> context will be subject to appraisal, execution that transitions into
>> an unprivileged context won't be.
>
> Is that something that already works with the upstream kernel plus your
> portable signatures, or do you have additional kernel patches?

It doesn't quite work as is - see
https://www.mail-archive.com/selinux@xxxxxxxxxxxxx/msg05830.html and the
2/2 patch in the series. Then it's just a matter of something like:

appraise func=CREDS_CHECK subj_user=privileged_t

and anything that's being executed as privileged_t will be appraised
before execution.
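To make the effect of the rule above concrete, here is a small Python model of how an IMA policy decides whether a CREDS_CHECK event is appraised. This is an added illustration, not code from the thread or from the kernel: it models only the first-match evaluation of "action key=value ..." rules and treats the subject as a plain dictionary of LSM label fields. The label "unprivileged_t" used for the negative case is a constructed placeholder, not a label from the thread.

```python
"""Toy model of IMA policy matching for a CREDS_CHECK appraise rule.

Added example (not the kernel's ima_policy code). Simplification: rules
are walked in order and the first rule for the requested hook whose
conditions all hold decides the action; a subject is a dict of LSM label
fields of the credentials being checked.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str                                 # "appraise" or "dont_appraise"
    func: str                                   # IMA hook, e.g. "CREDS_CHECK"
    conds: dict = field(default_factory=dict)   # e.g. {"subj_user": "privileged_t"}


def parse_rule(line: str) -> Rule:
    """Parse one rule written in the 'action key=value ...' policy form."""
    tokens = line.split()
    action, kvs = tokens[0], tokens[1:]
    conds = dict(kv.split("=", 1) for kv in kvs)
    func = conds.pop("func")                    # the hook is mandatory here
    return Rule(action, func, conds)


def parse_policy(text: str) -> list:
    """Parse a multi-line policy, ignoring blank lines and '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(parse_rule(line))
    return rules


def needs_appraisal(policy: list, hook: str, subject: dict) -> bool:
    """Return True if the first matching rule for `hook` is 'appraise'.

    No matching rule means IMA takes no action for this event (False).
    """
    for rule in policy:
        if rule.func != hook:
            continue
        if all(subject.get(k) == v for k, v in rule.conds.items()):
            return rule.action == "appraise"
    return False


# The rule from the message above; labels other than privileged_t are
# constructed for illustration.
POLICY_TEXT = """
# appraise anything executing with the privileged label
appraise func=CREDS_CHECK subj_user=privileged_t
"""
POLICY = parse_policy(POLICY_TEXT)

if __name__ == "__main__":
    for label in ("privileged_t", "unprivileged_t"):
        verdict = needs_appraisal(POLICY, "CREDS_CHECK", {"subj_user": label})
        print(f"CREDS_CHECK as {label}: appraise={verdict}")
```

Run as a script it prints one line per label; the privileged subject matches the rule and is appraised, the placeholder unprivileged subject matches nothing and is left alone, and a different hook such as FILE_CHECK never matches this rule at all.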