https://ethanzyf.com/tags/lsm/Recent content in Lsm on Ethan-ZYFHugoen-usThu, 21 May 2026 00:00:00 -0700https://ethanzyf.com/blog/week2-day4-apparmor/Thu, 21 May 2026 00:00:00 -0700https://ethanzyf.com/blog/week2-day4-apparmor/<p>AppArmor as the path-based complement to seccomp&rsquo;s syscall-based filtering — and a hands-on lesson in why that complement is harder to deploy. This post covers how K8s wraps AppArmor (<code>securityContext.appArmorProfile</code>, symmetric with seccomp&rsquo;s three types), why an AppArmor profile is heavier than a seccomp one (it must be pre-loaded into the node&rsquo;s kernel via <code>apparmor_parser</code>, not just dropped as a file), why <code>deny /data/** w</code> blocks every syscall that writes there (closing the hole where <code>touch</code> bypassed yesterday&rsquo;s mkdir block), and the day&rsquo;s most valuable lesson: <strong>the experiment couldn&rsquo;t run at all</strong> because a Mac/Docker-Desktop kind node has no AppArmor LSM in its kernel — a firsthand encounter with the fail-open trap and the portability problem of AppArmor-based mitigations.</p>https://ethanzyf.com/blog/day5-apparmor/Sat, 16 May 2026 00:00:00 -0700https://ethanzyf.com/blog/day5-apparmor/<p>How AppArmor actually attaches to a process (via the <code>bprm_check_security</code> LSM hook at <code>execve</code> time, keyed on binary path), why <code>bash script.sh</code> silently runs <em>unconfined</em> while <code>./script.sh</code> does not, the six exec modifiers (<code>ix</code>/<code>Px</code>/<code>Cx</code>/<code>Ux</code> and their setuid-preserving uppercase forms), the hardlink and bind-mount tricks that bypass path-based MAC, and why a production sandbox layers <strong>namespace + capability + seccomp + AppArmor + cgroup</strong> — with the argument that, if you can only afford two, <strong>seccomp + AppArmor</strong> is the highest-ROI pair.</p>