TUT104: Introduction to AppArmor

AppArmor is some seriously neat stuff. It takes SELinux, and makes it user-friendly. Like SELinux, it takes a profile of an application under normal usage and builds walls around that. So if the application steps out of normal usage, the kernel will prevent that activity. For things like PHP-BBS systems, this should be mandatory considering all the problems those systems have had of late.

There are some caveats, though. While AppArmor will keep the protected process from accessing files it's not supposed to, it won't prevent it from accessing the files it already has access to, though what it does with those files may or may not be affected.
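To make the caveat concrete, here is a profile sketch added as an illustration; it is not from the session or the original post. It assumes a hypothetical PHP forum under `/srv/www/forum` served by Apache with PHP running inside the Apache process, and every path in it is an assumption.

```apparmor
# Constructed example profile; all paths are assumptions for illustration.
#include <tunables/global>

/usr/sbin/apache2 {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setuid,
  capability setgid,

  network inet stream,
  network inet6 stream,

  # Server binary, modules and configuration: read/map only.
  /usr/sbin/apache2 mr,
  /usr/lib/apache2/modules/*.so mr,
  /etc/apache2/** r,

  # Forum code is readable but not writable, so a compromised script
  # cannot rewrite the application itself.
  /srv/www/forum/** r,

  # The forum legitimately writes here. This is the caveat: the profile
  # cannot tell a normal upload from a hostile write into the same
  # directory, and everything readable above (including any config file
  # holding database credentials) stays readable after a compromise.
  /srv/www/forum/uploads/** rw,
  /srv/www/forum/cache/** rw,

  /var/log/apache2/*.log w,
  /run/apache2/apache2.pid rw,

  # Nothing else is listed, so nothing else is permitted: no other file
  # reads or writes, and no exec of a shell or any other binary.
}
```

Loading a profile like this in complain mode first and reviewing the logged accesses shows which rules normal usage actually needs before it is switched to enforce mode.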

Reportedly, the overhead for running Apache in an AppArmor profile is less than 2%. Not too shabby.

Plus, AppArmor has been ported to Slackware!
