Making your embedded applications secure with AppArmor

Erit Lvx
Nov 19, 2021


Continuing from the last post, let us look at the AppArmor mechanism for securing your embedded applications. Many embedded applications use IPC to communicate between processes. IPC can be prone to attacks such as man-in-the-middle (MiM) and spoofing. In Linux, there are several mechanisms to make your applications secure. Some of the prominent ones are SELinux, AppArmor, and TOMOYO.

AppArmor uses file paths to control access to the resources that an application needs to run. If your application needs access to a file on the device, or to a device file itself for I/O operations, that access can be controlled using AppArmor.

To explain AppArmor, let us take the example from the previous article, where a client and a server communicate with each other over DBus IPC. This IPC can be protected using AppArmor profiles. Consider the following pseudocode:

Client.cpp

Server.cpp

Important things to note here:

  • DBus interface name, node name, path name.
  • DBus method name.

Let us first write an AppArmor profile file for the server application. Assume that the client and server applications are compiled and available in /usr/bin in your Linux subsystem.

Note that you need a profile file for both the client and the server application. Configuring both sides allows stricter restrictions than defining a profile file only for the server application.

usr.bin.server

usr.bin.client

As you can see, the profile files for the client and the server are the same here. Usually you will not arrive at such a situation, because your client and server applications will need access to different resources based on their design.

Place these AppArmor profile files in /etc/apparmor.d/aa-profiles/

To simplify, you can also write an abstraction file that contains all the resource access rules common to the client and server applications, and include it in the profile file of each.
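As an added illustration (not the profiles from this article), the sketch below shows a shared abstraction included by a server and a client profile whose DBus rules name the bus, path, interface, and method explicitly. The session bus, the name `com.example.Demo`, the method `Echo`, and the abstraction file name `demo-ipc` are assumptions chosen for the example.

```apparmor
# ---- /etc/apparmor.d/abstractions/demo-ipc  (hypothetical shared abstraction) ----
# Rules both binaries need: base runtime access plus the minimum
# required to connect to the session bus.
  #include <abstractions/base>
  #include <abstractions/dbus-session-strict>

# ---- usr.bin.server ----
#include <tunables/global>

/usr/bin/server {
  #include <abstractions/demo-ipc>

  /usr/bin/server mr,

  # Own the well-known bus name (assumed: com.example.Demo).
  dbus bind
       bus=session
       name=com.example.Demo,

  # Accept only the Echo method, and only from a peer that is
  # confined by the client profile.
  dbus receive
       bus=session
       path=/com/example/Demo
       interface=com.example.Demo
       member=Echo
       peer=(label=/usr/bin/client),
}

# ---- usr.bin.client ----
#include <tunables/global>

/usr/bin/client {
  #include <abstractions/demo-ipc>

  /usr/bin/client mr,

  # Call only the Echo method, and only on the peer that owns the
  # expected name and is confined by the server profile.
  dbus send
       bus=session
       path=/com/example/Demo
       interface=com.example.Demo
       member=Echo
       peer=(name=com.example.Demo label=/usr/bin/server),
}
```

Each profile is loaded with `apparmor_parser -r <profile file>`. DBus rules are enforced by the bus daemon, so they take effect only when dbus-daemon is built with AppArmor mediation enabled.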

In the next article of the series, I will explain how to test that our profiles are working. This can be achieved using the DBus utility dbus-send, which is present in the Linux subsystem.


Erit Lvx is my alias name and derived from the Netflix scifi Dark.