1

This may be comparing chalk with cheese, but I'm wondering how these tools compare: pros and cons, similarities and differences, and situations where you would use one vs the other.

1 Answer

1

Systemd has a few limited features to control filesystem access. Most of these boil down to using namespaces. AppArmor, on the other hand, is a type of Mandatory Access Control. It is extremely fine-grained and allows path-based access restrictions with wildcard support. It can also restrict loading shared libraries, mapping files to memory, locking files, sending signals, etc. It can even restrict communication through the dbus API.

The former is easier to use and can work out-of-the-box, but it provides much less security due to its coarse-grained nature. The latter is harder to use (unless someone has already written a policy for you, which is common for many popular programs), but can be much more secure.

The former requires that systemd is the one managing it. The latter will work with any executable, even one which is called manually. You can use them both at once. In fact, you probably should.

For more information, read the AppArmor documentation and the manpage for systemd.exec.

forest
  • 64,616
  • 20
  • 206
  • 257
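To make the coarse-versus-fine-grained contrast concrete, here is an added example (not from the answer above) that sandboxes the same hypothetical daemon both ways: a systemd drop-in and an AppArmor profile in one block. The service name, binary path, and directories are invented for illustration.

```ini
# --- /etc/systemd/system/example-web.service.d/sandbox.conf (systemd side) ---
# Drop-in for a hypothetical "example-web" daemon. Each directive below is
# implemented with mount/user namespaces and seccomp, so it only takes effect
# when systemd itself starts the process.
[Service]
# Whole filesystem read-only except /dev, /proc and /sys, plus the paths
# explicitly re-opened below.
ProtectSystem=strict
# /home, /root and /run/user become inaccessible.
ProtectHome=yes
# Only this tree is writable; everything else stays read-only.
ReadWritePaths=/var/lib/example-web
# Private /tmp and a minimal /dev with no physical device nodes.
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
# Note the granularity: whole directory trees, no wildcards, and nothing
# about which files may be mmap'd, locked or signalled.

# --- /etc/apparmor.d/usr.sbin.example-web (AppArmor side) ---
# Profile for the same binary. Applies however the binary is launched,
# including a manual run from a shell.
#include <tunables/global>
/usr/sbin/example-web {
  #include <abstractions/base>
  # Read-only access to its config files, selected with a wildcard.
  /etc/example-web/*.conf r,
  # Data directory: read and write, but no execute.
  /var/lib/example-web/** rw,
  # Shared libraries must be mapped executable ("m"); limit to one directory.
  /usr/lib/example-web/*.so mr,
  # File locking ("k") only on its own PID file.
  /run/example-web/example-web.pid rwk,
  # May only send SIGTERM, and only to processes confined by this profile.
  signal (send) set=(term) peer=/usr/sbin/example-web,
  # Log and refuse any attempt to touch home directories.
  audit deny /home/** rwx,
}
```

On a systemd host, `systemd-analyze security example-web.service` scores the unit's sandboxing, and `aa-status` shows whether the profile is loaded in enforce mode.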