AppArmor

A Practical Linux Security Module for Access Control

AppArmor (Application Armor) is a Linux Security Module (LSM) that provides a practical, easy-to-use Mandatory Access Control (MAC) framework for restricting the capabilities of applications. Unlike SELinux, which relies on complex policies, AppArmor simplifies security by using profile-based access control.

Key Features

  • Profile-Based Access Control: AppArmor restricts application behavior based on predefined profiles.
  • Path-Based Security Policies: Unlike SELinux, which uses labels, AppArmor policies are based on file paths.
  • Learning Mode: Allows administrators to create security profiles by observing application behavior.
  • Fine-Grained Access Control: Provides detailed permission controls over file access, network connections, and capabilities.
  • User-Friendly Management: Easier to configure and deploy than SELinux.

How AppArmor Works

AppArmor uses security profiles that define which files, capabilities, and network access an application is allowed to use. These profiles are enforced at the kernel level, restricting an application’s ability to perform unauthorized actions.


Landlock

A Flexible Security Sandbox for Linux Applications

Landlock is a Linux Security Module (LSM) that provides a flexible, unprivileged sandboxing mechanism for applications. Unlike traditional LSMs such as SELinux and AppArmor, which enforce mandatory access control policies set by system administrators, Landlock allows applications to define their own security restrictions. This makes it a powerful tool for developers seeking to add security layers without requiring elevated privileges.

Key Features

  • Unprivileged Sandboxing: Landlock enables applications to apply security restrictions without requiring root access or administrative intervention.
  • Filesystem Access Control: Developers can define which files and directories an application can access.
  • Incremental Restrictions: A process can only tighten its access permissions over time, preventing privilege escalation.
  • Composability: Can be used in combination with other LSMs such as SELinux and AppArmor for enhanced security.
  • User-Space Control: Allows developers to enforce security policies dynamically within their applications.

How Landlock Works

Landlock uses a set of security rules that define what resources an application can access. These rules are enforced at the kernel level and prevent applications from performing unauthorized actions. Unlike traditional access control mechanisms, Landlock works on a per-process basis, meaning individual applications can define and enforce their own security policies without affecting the rest of the system.


Linux Security Modules

An Overview of Common Security Frameworks in Linux

Linux Security Modules (LSM)

Linux Security Modules (LSM) is a framework that allows different security models to be implemented as kernel modules. It provides the necessary hooks within the Linux kernel for implementing access control mechanisms beyond the traditional Unix permissions model. Several LSMs are available, each with different use cases and security policies.

SELinux

Security-Enhanced Linux (SELinux) is one of the most well-known Linux Security Modules. Developed by the NSA, SELinux enforces Mandatory Access Control (MAC) policies, restricting processes and users based on predefined security policies.
