Privilege restriction¶
Ubuntu provides a set of security features that allow you to restrict the privileges available to processes. AppArmor provides Mandatory Access Control (MAC) by default. Other MAC solutions, implemented through Linux Security Module (LSM) hooks, are available but not supported.
AppArmor¶
Cgroups (control groups)¶
Filesystem capabilities¶
You can reduce the need for setuid applications via the application of
filesystem
capabilities
using the xattrs available to most modern filesystems. This reduces the possible
misuse of vulnerable setuid applications. The kernel provides support, and the
user-space tools are in the Ubuntu Main component (libcap2-bin).
Regression tests: test-kernel-security.py.
PR_SET_SECCOMP¶
Setting SECCOMP for a process confines it to a small subsystem of system
calls, used for specialized processing-only programs.
See test-kernel-security.py for regression tests.
Seccomp filtering¶
Programs can filter out the availability of kernel syscalls by using the
seccomp_filter interface, which allows for fine-grained control. Containers
or sandboxes use this to further limit exposure to kernel interfaces when
potentially running untrusted software.
See test-kernel-security.py for regression tests.
SELinux¶
SELinux (Security-Enhanced Linux) is a Linux Security Module (LSM) that implements Mandatory Access Control (MAC) through a flexible, policy-driven framework maintained as an open-source project. SELinux provides fine-grained access controls by assigning security contexts (labels) to all system objects including files, processes, network ports and devices. These labels are used by a centralized policy engine to make access control decisions based on predefined security policies.
SELinux operates through three main components: security contexts (labels
in the format user:role:type:level), a fine-grained policy language
for defining rules and enforcement modes (enforcing, permissive, or disabled).
This architecture enables sophisticated security models including Multi-Level
Security (MLS) and Multi-Category Security (MCS).
Ubuntu uses AppArmor as its default MAC system instead of SELinux. While both provide mandatory access controls, AppArmor uses a path-based approach that is generally simpler to configure and maintain, whereas SELinux uses an inode-based labeling system that offers fine-grained coverage but with significantly greater complexity. AppArmor’s focus on application confinement through pathname-based rules makes it well-suited for Ubuntu’s desktop and server use cases, while SELinux’s label-based model provides comprehensive system-wide policy enforcement.
Kernel support¶
SELinux support is compiled into Ubuntu’s default kernels as a loadable security module, meaning the underlying kernel infrastructure is present and functional. However, SELinux is not the active LSM by default, AppArmor takes precedence as the enabled security module at boot time.
Userspace packages¶
SELinux userspace tools and policies are available through Ubuntu’s
universe repository, including packages such as selinux-basics,
policycoreutils and the selinux metapackage. These packages provide
the essential tools for policy management, system labeling and SELinux
administration, but they require manual configuration and are not pre-tuned
for Ubuntu’s specific package ecosystem.
Support level¶
SELinux on Ubuntu is community-supported rather than officially supported by Canonical. The SELinux packages in universe are maintained by community contributors and lack the extensive integration testing, policy tuning and commercial support that Ubuntu provides for AppArmor. Users choosing SELinux on Ubuntu should expect to handle policy development, troubleshooting and maintenance themselves, as most Ubuntu documentation, tools and support resources assume AppArmor is in use. For production Ubuntu deployments, AppArmor remains the recommended and fully supported MAC solution.
SMACK¶
SMACK (Simplified Mandatory Access Control Kernel) is a Linux Security Module (LSM) that implements a label-based Mandatory Access Control (MAC) framework designed for simplicity and minimal administrative overhead. Unlike complex policy-driven systems, SMACK uses straightforward text labels assigned to subjects (processes) and objects (files, sockets, etc.) with access decisions made through simple rule comparisons. This architecture prioritizes ease of understanding and maintenance, making security policies accessible without requiring extensive expertise in complex policy languages.
Access rules are expressed as:
<subject-label> <object-label> <access>
where access describes the access permitted using the traditional Linux read (R or r) access, write (W or w) access, execute (X or x) access, or append (A or a) access. A dash (-) can be used as a place holder or to express that no access be permitted if used by itself.
SMACK uses several special system labels:
_pronounced “floor”*pronounced “star”^pronounced “hat”
There are a limited number of pre-defined rules:
Subject Label |
Object Label |
Access |
|---|---|---|
* |
any |
(None) |
any |
* |
rwxa |
ordinary |
ordinary |
rwxa |
any |
_ |
rx |
^ |
any |
rx |
The third rule uses “ordinary” to refer to any label except * and
describes the case where the subject label and the object label are the
same. For example, if a process labeled foo accesses a file also
labeled foo, the access is allowed with rwxa permissions. If the
same process accesses a file labeled _ (floor), the access is restricted
to rx, regardless of the subject label.
Compared to AppArmor, Ubuntu’s default MAC system, SMACK serves a different architectural philosophy. AppArmor uses path-based mandatory access controls focused on confining specific applications through profiles that restrict file access, network usage and capabilities. SMACK provides system-wide label-based access control that is more suitable for creating isolated security domains and enforcing consistent policies across all system components. AppArmor excels at application-specific confinement and is easier to deploy incrementally, while SMACK is better suited for environments requiring comprehensive labeling schemes, such as multi-tenant systems or devices where all processes and data need clear security classifications.
SMACK support is available in Ubuntu kernels (2.6.25 or newer) starting with
Ubuntu 8.10 (Intrepid Ibex) but is not enabled by default, as AppArmor serves as
Ubuntu’s primary LSM. To enable SMACK, you need to add the kernel parameter
security=smack to the GRUB configuration. The recommended approach is to use
a drop-in file:
echo 'GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} security=smack"' | sudo tee /etc/default/grub.d/smack.cfg
sudo update-grub
For older releases that do not support drop-in files in /etc/default/grub.d/,
you will need to manually edit /etc/default/grub and add security=smack
to the GRUB_CMDLINE_LINUX variable, then run sudo update-grub.
Create the directories /smack and /etc/smack. Add this line to the
/etc/fstab file:
smackfs /smack smackfs defaults 0 0
to get the SMACK control interface mounted at boot.
SMACK will create the init process with the floor label and will use the floor label as the default for all filesystems unless instructed otherwise using mount options. Because processes inherit the label of their parent all processes will run with the floor label unless explicitly set otherwise. Because all processes will have the floor label and all files will have the floor label, SMACK will never fail an access check in this configuration.
Snap Confinement