Enforcement policies

No profile for the executing binary: no control (the process runs unconfined).

A profile exists for the executing binary: the profile's access controls are enforced.

Processes: default allow

Processes are not bound to profiles by default.

Binding must be requested before executing a file.

  • Enabled by writing “exec profile_name” to /proc/self/attr/apparmor

Launching an application under a specific profile can be done with aa-exec.

Profiles: default deny (whitelisting)

When a profile is in use, everything is denied by default.

Any permitted access must be explicitly allowed by the profile.

However, there are exceptions to this rule (e.g. rlimits).
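The two enforcement rules above (no profile means no control; a bound profile means default deny with explicit allow rules) and the "exec profile_name" binding step, as an added model in Python that is not part of these notes or of AppArmor itself. The profile syntax, the sample profile and the attr-write format it accepts are simplified assumptions for illustration.

```python
import re

# Constructed sample in an assumed, simplified profile syntax (not a real profile):
# "<name> {" ... "<path> <perms>," ... "}"
SAMPLE_PROFILES = """
/usr/bin/demo {
  /etc/demo/*.conf r,
  /var/log/demo/** rw,
}
"""

def _glob_to_regex(pattern):
    # AppArmor-style globbing: '*' stays inside one path component, '**' crosses '/'
    parts = re.split(r"(\*\*|\*)", pattern)
    rx = "".join({"**": ".*", "*": "[^/]*"}.get(p, re.escape(p)) for p in parts)
    return re.compile("^" + rx + "$")

def parse_profiles(text):
    profiles, name = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):                 # start of "profile_name {"
            name = line[:-1].strip()
            profiles[name] = []
        elif line == "}":
            name = None
        elif line.endswith(","):               # "<path> <perms>," rule
            path, perms = line[:-1].rsplit(None, 1)
            profiles[name].append((_glob_to_regex(path), set(perms)))
    return profiles

def bind_on_exec(profiles, attr_write):
    # Models writing "exec profile_name" to the attr file: the process is bound
    # to that profile on its next exec; a request for an unknown profile is rejected.
    keyword, _, name = attr_write.partition(" ")
    if keyword != "exec" or name not in profiles:
        raise ValueError("no such profile: %r" % attr_write)
    return name

def check_access(profiles, profile, path, perm):
    if profile is None:
        return "unconfined"                    # no profile bound: no control at all
    for rx, perms in profiles[profile]:        # only explicitly allowed exceptions pass
        if rx.match(path) and perm in perms:
            return "allow"
    return "deny"                              # profile bound: everything else denied
```

Note that a single `*` does not cross a directory separator, so a rule for `/etc/demo/*.conf` does not cover files in subdirectories, while `**` does.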
