🔐 AppArmor and ROS2 – The Article I Tried Not to Write
Introduction
When I started my ROS2 integration project, AppArmor wasn't even on my radar. My background included years of experience with RHEL and Oracle Linux, and I had developed a solid understanding of SELinux. Initially, I tried to get ROS2 working on Oracle Linux, hoping for an easy integration. However, after several days of troubleshooting and configuration adjustments, I still had lingering issues.
Next, I shifted my attention to using SELinux on Ubuntu. Unfortunately, this also presented complications that were not worth resolving at the time. Although both SELinux and Oracle Linux theoretically support ROS2, the practical reality was too time-consuming to justify it. On the other hand, I knew that AppArmor was the default MAC (Mandatory Access Control) system in Ubuntu and had proven ROS2 support. That's when I decided to explore AppArmor deeper.
Table of contents
- Introduction
- Mandatory access control in Linux
- Why AppArmor didn't work for my use case
- Is AppArmor the wrong tool for ROS2 and colcon?
- Would I still use AppArmor?
- Conclusion and next steps
Mandatory access control in Linux
Linux supports multiple types of access control mechanisms, such as:
- DAC (Discretionary Access Control): The traditional file permission system based on user and group ownership.
- ACL (Access Control Lists): More detailed controls overlaid on DAC.
- MAC (Mandatory Access Control): A system-enforced security layer that restricts what a program can do beyond user-level permissions.
Both AppArmor and SELinux fall into the MAC category but work in fundamentally different ways. SELinux labels every file and process with a security context and decides access by comparing labels; AppArmor is path-based and easier to configure, making it attractive to developers who want a security solution that is quicker to deploy. It works by defining, per program, what that program can do with specific files and directories, thus extending the traditional DAC model with stricter, program-specific access policies.
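As an added example (not code from this article or the colcon project), this is what such a path-based profile looks like for colcon, with shell helpers to write it out and load it. The paths are assumptions: colcon at /usr/bin/colcon, the ROS2 install under /opt/ros, the workspace at $HOME/ros2_ws, and the compilers and build tools listed are the ones a typical CMake-based ROS2 package calls.

```shell
#!/usr/bin/env bash
# Added example: a minimal path-based AppArmor profile for colcon.
# Assumed paths (not from the article): /usr/bin/colcon, /opt/ros, ~/ros2_ws.
set -eu

# Emit a profile that lets colcon read the ROS tree and its sources, and
# write only inside the workspace build/install/log directories. Anything
# not listed is refused; explicit deny rules win over every allow rule,
# including those pulled in by the abstractions.
write_colcon_profile() {
  cat <<'EOF'
#include <tunables/global>

/usr/bin/colcon {
  #include <abstractions/base>
  #include <abstractions/python>

  # colcon is a Python script: the interpreter runs, the script is read
  /usr/bin/colcon              r,
  /usr/bin/python3*            ix,
  /usr/lib/python3*/**         r,
  /usr/local/lib/python3*/**   r,

  # ROS2 install tree is read-only for the build tool
  /opt/ros/**                  r,

  # Workspace: sources readable, build outputs writable, owner-only
  owner @{HOME}/ros2_ws/src/**                  r,
  owner @{HOME}/ros2_ws/{build,install,log}/    rw,
  owner @{HOME}/ros2_ws/{build,install,log}/**  rw,

  # Build tools colcon spawns inherit this profile (ix)
  /usr/bin/cmake               ix,
  /usr/bin/make                ix,
  /usr/bin/{gcc,g++,cc,c++}*   ix,

  # deny beats allow; "audit" forces these denials into the log,
  # which plain deny rules keep quiet
  audit deny /etc/shadow       r,
  deny @{HOME}/.ssh/**         rw,
}
EOF
}

# Write the profile into the directory given as $1 (default /etc/apparmor.d)
# and print the resulting path so callers can inspect or load it.
install_colcon_profile() {
  dir=${1:-/etc/apparmor.d}
  out="$dir/usr.bin.colcon"
  write_colcon_profile > "$out"
  printf '%s\n' "$out"
}

# Load in complain mode first: violations are logged but not enforced, which
# is how you learn what colcon really touches before switching to enforce.
load_colcon_profile() {
  profile=$1
  if command -v apparmor_parser >/dev/null 2>&1; then
    apparmor_parser -r -C "$profile"
  else
    echo "apparmor_parser not found; profile written but not loaded" >&2
  fi
}
```

Usage on a real host is `sudo bash -c 'load_colcon_profile "$(install_colcon_profile)"'` followed by a normal `colcon build`; because the profile is attached to the path /usr/bin/colcon, the kernel applies it to every invocation without any wrapper. Check `aa-status` to confirm the profile is loaded and in which mode.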
Why AppArmor didn't work for my use case
A good example of AppArmor's limitations was the colcon command, which is essential for building ROS2 packages. From a security point of view, I only wanted colcon to have access during controlled build and deployment phases, such as UAT or production deployments.
In theory, blocking colcon from accessing certain directories should have prevented execution. However, the reality was more complex. colcon launched a Python thread that failed with permission denied, but some parts of the colcon process still executed. This partial execution created a domino effect, requiring an ever-growing list of threads and tools to be explicitly added to the AppArmor policy, a time-consuming and error-prone effort.
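One way to keep that ever-growing list under control is to mine the kernel audit log for the denials and turn them into rule candidates, which is what aa-logprof does interactively. The script below is an added example, not from the article or the AppArmor project; the profile name /usr/bin/colcon, the log lines (constructed to look like AppArmor DENIED events) and the paths they name are assumptions.

```shell
#!/usr/bin/env bash
# Added example: turn AppArmor DENIED events into candidate profile rules.
# The sample log below is constructed; on a real host feed it
#   journalctl -k | denied_accesses /usr/bin/colcon | suggest_rules
set -eu

# Print "path mask" for every DENIED event of one profile read from stdin,
# merging the masks of repeated denials on the same path.
denied_accesses() {
  profile=$1
  awk -v want="$profile" '
    /apparmor="DENIED"/ {
      p = ""; n = ""; m = ""
      if (match($0, /profile="[^"]*"/))     p = substr($0, RSTART + 9,  RLENGTH - 10)
      if (p != want) next
      if (match($0, /name="[^"]*"/))        n = substr($0, RSTART + 6,  RLENGTH - 7)
      if (match($0, /denied_mask="[^"]*"/)) m = substr($0, RSTART + 13, RLENGTH - 14)
      masks[n] = masks[n] m
    }
    END { for (n in masks) print n, masks[n] }' | sort
}

# Map a denied mask to a rule: c (create) and d (delete) need w; an exec
# denial needs an execute qualifier, and ix keeps the child under the same
# profile, which is what you want for the build tools colcon spawns.
suggest_rules() {
  awk '{
    path = $1; mask = $2
    if (index(mask, "x")) { print "  " path " ix,"; next }
    perms = ""
    if (index(mask, "r")) perms = perms "r"
    if (mask ~ /[wcd]/)   perms = perms "w"
    if (index(mask, "m")) perms = perms "m"
    if (index(mask, "k")) perms = perms "k"
    if (index(mask, "l")) perms = perms "l"
    print "  " path " " perms ","
  }'
}

# Constructed sample: three denials for colcon and one ALLOWED event
# (complain mode) that must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
audit: type=1400 audit(1717000000.123:456): apparmor="DENIED" operation="open" profile="/usr/bin/colcon" name="/home/dev/ros2_ws/src/pkg/CMakeLists.txt" pid=4242 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1717000000.456:457): apparmor="DENIED" operation="exec" profile="/usr/bin/colcon" name="/usr/bin/ninja" pid=4243 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1717000000.789:458): apparmor="DENIED" operation="mknod" profile="/usr/bin/colcon" name="/home/dev/ros2_ws/log/latest_build/events.log" pid=4242 comm="python3" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1717000001.000:459): apparmor="ALLOWED" operation="open" profile="/usr/bin/colcon" name="/opt/ros/humble/setup.bash" pid=4242 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
EOF
)

# Run the pipeline over the constructed sample and print the rule lines.
colcon_rule_candidates() {
  printf '%s\n' "$SAMPLE_LOG" | denied_accesses /usr/bin/colcon | suggest_rules
}
```

The output is a list of rule lines ready to paste into the profile; review each one before adding it, since a denial on a path like `/usr/bin/ninja` is exactly the signal that colcon is spawning a tool you had not accounted for, and a blanket allow is how the policy silently grows past what the build actually needs.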
Is AppArmor the wrong tool for ROS2 and colcon?
In many cases, AppArmor works exactly as designed, but not necessarily as expected. Its job is not to prevent a program from running at all, but to restrict what it can access once it is running. As a result, a program like colcon can still be started and is left to handle the resulting permission errors internally. AppArmor applies these rules system-wide and to all users.
In the context of ROS2 development tools like colcon, AppArmor simply is not granular or dynamic enough to offer the kind of stage-dependent control required across development, UAT and production deployment. For this reason, I would not recommend using AppArmor as the primary access control mechanism for ROS2 build tools.
Would I still use AppArmor?
Yes, I would still use AppArmor, but not for development tools like colcon. I put AppArmor in the same category as UFW (Uncomplicated Firewall): easy to use, effective in specific contexts, and adequate when combined with other security layers.
However, in the case of robotic systems, where the device and its controller must be separated