Subject: Re: AppArmor - makes mod_perl/mod_php safer on linux
From: Clinton Gormley
To: Jonathan Vanasco
Cc: mod_perl Mailing List
Date: Mon, 10 Apr 2006 14:31:13 +0200

On Sun, 2006-04-09 at 13:45 -0400, Jonathan Vanasco wrote:
> On Apr 9, 2006, at 5:02 AM, Kevin A. McGrail wrote:
>
> > I'm under the impression that this is the same as SELinux
> > (http://www.nsa.gov/selinux/info/faq.cfm)
>
> SELinux is at the kernel level + a few libraries, and from what I
> read AppArmor is just a library

No, AppArmor plugs into the kernel via LSM (Linux Security Modules),
which SELinux uses as well.

It is really impressive. Have a look at this demo (272 meg of video!)

ftp://ftp.belnet.be/pub/mirror/FOSDEM/FOSDEM2006-apparmor.avi

It is easy to configure, adds little overhead, and allows you to build
security profiles on the fly.

Also, it adopts the deny-all/allow-required approach, rather than
allow-all, deny-this-that-and-the-other-thing.

Also, (and I forgot the details) but I'm pretty sure it allows you to
separate permissions for different perl scripts running under mod_perl.

clint
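
The deny-all/allow-required evaluation and the per-script separation mentioned in the message above can be modelled in a few lines of Python. This is an added example, not part of the original message and not AppArmor's own matcher. The profile text, the hat names `report` and `upload`, and all paths are constructed; the model assumes a hat is evaluated on its own rules only, and it covers only file path rules with the `*`, `**` and `?` globs.

```python
import re

# Constructed sample profile: one parent profile with a hat per Perl script.
PROFILE = """\
/usr/sbin/apache2 {
  /var/www/** r,
  ^report {
    /srv/reports/** r,
  }
  ^upload {
    /srv/uploads/* rw,
    deny /srv/uploads/*.pl w,
  }
}
"""

GLOBS = {"**": ".*", "*": "[^/]*", "?": "[^/]"}

def glob_to_regex(glob):
    """'**' may cross '/', while '*' and '?' stay inside one path component."""
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(GLOBS.get(p, re.escape(p)) for p in parts))

def parse(text):
    """Return {scope: [(is_deny, regex, perms)]}; scope None is the parent."""
    rules, scope, depth = {None: []}, None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("{"):
            depth += 1
            if line.startswith("^"):          # hat (sub-profile) opens
                scope = line[1:-1].strip()
                rules[scope] = []
        elif line == "}":
            depth -= 1
            if depth == 1:                    # hat closed, back in the parent
                scope = None
        elif line.endswith(","):
            words = line[:-1].split()
            rules[scope].append(
                (words[0] == "deny", glob_to_regex(words[-2]), set(words[-1])))
    return rules

def allowed(rules, scope, path, perm):
    """Default deny: need a matching allow rule and no matching deny rule."""
    hits = [deny for deny, rx, perms in rules.get(scope, [])
            if perm in perms and rx.fullmatch(path)]
    return bool(hits) and not any(hits)

if __name__ == "__main__":
    r = parse(PROFILE)
    print(allowed(r, "upload", "/srv/uploads/a.txt", "w"))    # allowed by hat
    print(allowed(r, "report", "/srv/uploads/a.txt", "r"))    # no rule: denied
```
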