User Armor: An Extension for AppArmor
Abstract
:1. Introduction
/var/log/my_confined_app/user1.log rw,
/var/log/my_confined_app/user2.log rw,
It is not possible to further restrict permissions without breaking the application logic, i.e., each user must be able to access its own file via the application. This can lead to the following vulnerabilities: a bug in the application could allow user1 to read or write to the file associated with user2, compromising the confidentiality and integrity of such potentially sensible resources.
profile user1 {
…
/var/log/my_confined_app/user1.log rw,
}
profile user2 {
…
/var/log/my_confined_app/user2.log rw,
}
Therefore, when the application is executed by user1, the subprofile user1 is enforced, and in this way, access to the user2.log file is inhibited at kernel level, even in the case of bugs in the application.
#include <tunables/global>
/usr/bin/my_confined_app {
profile user1 {
#include <abstractions/base>
#include <abstractions/bash>
/usr/bin/my_confined_app r,
/etc/my_confined_app.conf r,
/usr/bin/cat ix,
network inet,
/var/log/my_confined_app/user1.log rw,
}
profile user2 {
#include <abstractions/base>
#include <abstractions/bash>
/usr/bin/my_confined_app r,
/etc/my_confined_app.conf r,
/usr/bin/cat ix,
capability sys_admin,
network inet,
/var/log/my_confined_app/user2.log rw,
}
}
Above, the included abstractions set common permissions for Bash scripts, including access to .bash_profile, .bash_rc and .profile files. The file above has several duplicate rules. The extension proposed in this paper provides an inheritance system by which the described scenario can be modeled as follows:
#include <tunables/global>
/usr/bin/my_confined_app {
#include <abstractions/base>
#include <abstractions/bash>
/usr/bin/my_confined_app r,
/etc/my_confined_app.conf r,
/usr/bin/cat ix,
#@selectable{adm} capability sys_admin,
#@selectable{net} network inet,
profile user1 {
#@select: adm net
/var/log/my_confined_app/user1.log rw,
}
profile user2 {
#@select: net
/var/log/my_confined_app/user2.log rw,
}
}
In the above policy file, the #@selectable and #@select directives avoid the duplication of rules. Their usage is detailed in Section 3.
2. Background
profile NAME /ABSOLUTE/PATH { RULES SUBPROFILES }where RULES is a list of rules (defined next), and SUBPROFILES is a possibly empty list of profiles; the keyword profile and the NAME can be omitted from the main profile. The rules may concern files, capabilities and networking. A rule about files has the form
/ABSOLUTE/PATH FLAGS,where FLAGS includes one or more flags; flags relevant to this work are r, w and x for reading, writing and executing files; and ix for executing files maintaining the current profile. A rule on capabilities has the form
capability CAPABILITIES,where CAPABILITIES is a capability in the Linux kernel (e.g., setuid or setguid). A rule on networking has the form
network TYPE,where TYPE is the type of communication (e.g., inet for IPv4 or inet6 for IPv6). Rules can be preceded by the keyword deny to block access (rather than allow access).
#include <file>where file is the path of the abstraction file relative to the directory /etc/apparmor.d/. If the file does not exist, AppArmor raises an error. Alternatively, it is possible to use
include if exists <file>to include the file under the condition of its existence.
3. User Armor
- Base rules. Untagged rules are considered essential and are automatically inherited by all subprofiles.
- Selectable rules. Rules starting with a tag
#@selectable{ALIAS}
are not inherited automatically (and are not part of the main profile), but they can be included in the subprofiles via their ALIAS. - Selectable blocks. A syntax similar to the previous one can be applied to rule blocks as follows:
#@selectable{ALIAS} # RULES #@end
- Removable rules. Rules ending with a tag
#@removable{ALIAS}
are inherited in subprofiles unless explicitly removed by their ALIAS. Removable rules enable the possibility to have a more relaxed base policy (which can ease the gradual integration of UserArmor, but this is discouraged on a stable environment). Note that there is no notion of a removable block. - Subprofile inheritance. Subprofiles can select rules and blocks using the following tag:
#@select: ALIASES
where ALIASES is a space-separated list of aliases. Selected rules and blocks are added to the basic rules. Untagged rules are added at the beginning of each subprofile, unless their alias is listed in the following tag:#@remove: ALIASES
#include <tunables/global>
/usr/bin/my_confined_app {
#include <abstractions/base>
#include <abstractions/bash>
/usr/bin/my_confined_app r,
/etc/my_confined_app.conf r,
/usr/bin/cat ix,
#@selectable{adm} capability sys_admin,
#@selectable{net} network inet,
include if exists <.usr.bin.my_confined_app/mappings>
}
Additional files are stored in the directory /etc/apparmor.d/.usr.bin.my_confined_app, as follows:- user1, associated with the first user, with the following content:
profile user1 { #@select: adm net /var/log/my_confined_app/user1.log rw, }
- user2, associated with the second user, with the following content:
profile user2 { #@select: net /var/log/my_confined_app/user2.log rw, }
- mappings, including the above files with the expansion of the selected permissions, as follows:
profile user1 { #@select: adm net capability sys_admin, network inet, /var/log/my_confined_app/user1.log rw, } profile user2 { #@select: adm network inet, /var/log/my_confined_app/user2.log rw, }
$ sudo ua-generate /usr/bin/my_confined_application --subprofiles=user1,user2
The user profiles are initially empty (unless the files already exist), and the administrator can populate them with the content reported in Example 3. After that, the administrator can issue the ua-enforce command to collect the subprofiles in the mappings file and to add the include if exists directive to the /etc/apparmor.d/usr.bin.my_confined_app file, if not already present, as follows:
$ sudo ua-enforce /usr/bin/my_confined_application
With the above command, UserArmor also takes care of interacting with AppArmor in order to enforce the provided security policy. In order to execute my_confined_app, user1 issues the following command:
$ ua-exec /usr/bin/my_confined_app arg1 arg2 …
Note that bypassing ua-exec with the command
$ my_confined_app arg1 arg2 …
would run the application with the base profile, hence, with no access to the /var/log/my_confined_app/user1.log file.4. Literature Review
5. Experiment
cat /etc/my_confined_app.conf >> /var/log/my_confined_app/$USER.log
The above script needs to read access to the file /etc/my_confined_app.conf, and write access to the file /var/log/my_confined_app/$USER.log. Note that the name of the log file is determined using the environment variable USER, the value of which is usually the username of the logged-in user. Hence, in the expected usage, if user1 executes the above Bash script, the log file is /var/log/my_confined_app/user1.log. On the other hand, this is a weak assumption, and user1 can easily reassign the environment variable to corrupt the file associated with user2, i.e., /var/log/my_confined_app/user2.log. We measure the execution time over repeated executions of the script. The experiment is run on a 13th Gen Intel(R) Core(TM) i7-1360P @ 2.2 GHz CPU with 32 GB RAM, and its aim is to determine the overhead introduced by UserArmor.6. Application: Hardening Answer Set Programming Solvers
start("A"). target("G"). node("A"). link("A","B"). link("A","C"). node("B"). link("B","A"). link("B","C"). link("B","D"). node("C"). link("C","A"). link("C","D"). node("D"). link("D","B"). link("D","C"). link("D","E"). node("E"). link("E","D"). link("E","F"). link("E","H"). node("F"). link("F","E"). link("F","G"). node("H"). link("H","F"). node("G"). link("G","F"). link("G","H").We couple the above facts with rules addressing the Hamiltonian Path problem as follows:
reach(X) :- start(X). reach(Y) :- next(X,Y). {next(X,Y) : link(X,Y)} = 1 :- reach(X), not target(X). :- next(X,Y), next(Z,Y), X < Z. :- node(X), not reach(X).Notably, the first two rules above define the reached nodes (reach/1) from the starting node (start/1), following the selected links (next/2). The links are selected by the third rule, which is also called the choice rule; for every reached node not being the target node, exactly one of its outgoing link is selected. The last two rules above, which are also called constraints, ensure that no node has two selected incoming links and that every node is reached. Stable models of the above program represent the Hamiltonian Paths of the given graph; in this case, the unique stable model extends the input facts with the following facts:
reach("A"). reach("B"). reach("C"). reach("D"). reach("E"). reach("F"). reach("H"). reach("G"). next("A","B"). next("B","C"). next("C","D"). next("D","E"). next("E","H"). next("F","G"). next("H","F").The example can be run in the browser using the following ASP Chef [29,30] recipe: https://asp-chef.alviano.net/s/hamiltonian-path@algorithm2025 (accessed on 26 February 2025). A graphical representation of the computed Hamiltonian Path is given in Figure 4.
#script(python) import~subprocess def rce(cmd): return subprocess.check_output(["sh", "-c", cmd.string], text=True) #end. out(@rce("whoami")).Or, in Lua, as follows:
#script(lua) function rce(cmd) local f = assert(io.popen(cmd.string, ’r’)) local output = f:read(’*a’) f:close() return output end #end. out(@rce("whoami")).The above programs can be easily adapted to delete critical files, exfiltrate data, or install malware on the backend server, completely compromising its security.
- No filesystem access: Prevents clingo from reading or modifying system files.
- No network access: Blocks clingo from making outbound requests, preventing data exfiltration or malware downloads.
- Minimal execution environment: Restricts process execution, preventing the use of external system tools.
profile www-data { # Deny access to the entire filesystem except for necessary paths deny / rwx, /usr/lib/** rm, # Allow read access only to the directory where ASP encodings are stored /var/www/clingo_input/** r, # No network access deny network inet, deny network inet6, # Deny execution of system commands deny capability sys_admin, deny capability setuid, deny capability setgid, }With this policy, even if an attacker injects Python or Lua code, clingo cannot access critical files, execute system commands, or connect to the internet, effectively neutralizing the RCE attack.
$ bwrap --unshare-net --ro-bind /usr/bin/clingo /usr/bin/clingo \
--ro-bind /usr/lib /usr/lib --ro-bind /lib /lib --ro-bind /lib64 /lib64 \
--ro-bind /var/www/clingo_input /input /usr/bin/clingo /input/encoding.lp
This setup prevents network access (--unshare-net) and restricts filesystem access (--ro-bind for read-only mounts). However, sandboxing introduces more overhead than AppArmor/UserArmor (every clingo execution requires setting up a new isolated environment) and is more difficult to manage (running a sandbox requires an invasive change in how clingo is invoked, which may not be practical in existing systems).- Unconfined execution of clingo: This script configures a web app vulnerable to RCE and subject to system takeover.
- Confined execution of clingo via AppArmor: This script configures a web app that is not vulnerable to RCE, but SSH users are subject to the same restriction of the web app.
- Confined execution of clingo via UserArmor: This script configures a web app that is not vulnerable to RCE, and SSH users are free to use clingo as they would normally do.
- Sand-boxed execution of clingo via Bubblewrap: This script configure a web app that is not vulnerable to RCE but requires a new isolated for each execution of clingo.
number(1..10,000).We opted for such a simple, deterministic program to obtain a stable performance of clingo. As shown in Figure 5, the results confirm the observations from the previous section as follows: UserArmor introduces a negligible overhead, and its performance is superior to Bubblewrap.
7. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
- Cowan, C. Securing linux systems with apparmor. DEF CON 2007, 15, 15–26. [Google Scholar]
- Jiang, Y.; Lin, C.; Yin, H.; Tan, Z. Security analysis of mandatory access control model. In Proceedings of the 2004 IEEE International Conference on Systems, Man and Cybernetics (IEEE Cat. No. 04CH37583), Hague, The Netherlands, 10–13 October 2004; Volume 6, pp. 5013–5018. [Google Scholar]
- Osborn, S. Mandatory access control and role-based access control revisited. In Proceedings of the Second ACM Workshop on Role-Based Access Control, Fairfax, VA, USA, 6–7 November 1997; pp. 31–40. [Google Scholar]
- Ecarot, T.; Dussault, S.; Souid, A.; Lavoie, L.; Ethier, J. AppArmor For Health Data Access Control: Assessing Risks and Benefits. In Proceedings of the 7th International Conference on Internet of Things: Systems, Management and Security, IOTSMS 2020, Virtual Event, France, 14–16 December 2020; Boubchir, L., Benkhelifa, E., Jararweh, Y., Saleh, I., Eds.; IEEE: Piscataway, NJ, USA, 2020; pp. 1–7. [Google Scholar] [CrossRef]
- Bauer, M. Paranoid penguin: An introduction to Novell AppArmor. Linux J. 2006, 2006, 13. [Google Scholar]
- Chen, H.; Li, N.; Mao, Z. Analyzing and Comparing the Protection Quality of Security Enhanced Operating Systems. In Proceedings of the Network and Distributed System Security Symposium, NDSS 2009, San Diego, CA, USA, 8–11 February 2009. [Google Scholar]
- Alviano, M.; Dodaro, C.; Fiorentino, S.; Previti, A.; Ricca, F. Enumeration of Minimal Models and MUSes in WASP. In Proceedings of the Logic Programming and Nonmonotonic Reasoning— 16th International Conference, LPNMR 2022, Genova, Italy, 5–9 September 2022; Gottlob, G., Inclezan, D., Maratea, M., Eds.; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2022; Volume 13416, pp. 29–42. [Google Scholar] [CrossRef]
- Alviano, M.; Faber, W.; Leone, N.; Perri, S.; Pfeifer, G.; Terracina, G. The Disjunctive Datalog System DLV. In Proceedings of the Datalog Reloaded—First International Workshop, Datalog 2010, Oxford, UK, 16–19 March 2010; Revised Selected Papers. de Moor, O., Gottlob, G., Furche, T., Sellers, A.J., Eds.; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2010; Volume 6702, pp. 282–301. [Google Scholar] [CrossRef]
- Cat, B.D.; Bogaerts, B.; Bruynooghe, M.; Janssens, G.; Denecker, M. Predicate logic as a modeling language: The IDP system. In Declarative Logic Programming: Theory, Systems, and Applications; Kifer, M., Liu, Y.A., Eds.; ACM Books; ACM/Morgan & Claypool: San Rafael, CA, USA, 2018; Volume 20, pp. 279–323. [Google Scholar] [CrossRef]
- Lierler, Y.; Maratea, M. Cmodels-2: SAT-based Answer Set Solver Enhanced to Non-tight Programs. In Proceedings of the Logic Programming and Nonmonotonic Reasoning, 7th International Conference, LPNMR 2004, Fort Lauderdale, FL, USA, 6–8 January 2004; Lifschitz, V., Niemelä, I., Eds.; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2004; Volume 2923, pp. 346–350. [Google Scholar] [CrossRef]
- Janhunen, T.; Niemelä, I. GNT—A Solver for Disjunctive Logic Programs. In Proceedings of the Logic Programming and Nonmonotonic Reasoning, 7th International Conference, LPNMR 2004, Fort Lauderdale, FL, USA, 6–8 January 2004; Lifschitz, V., Niemelä, I., Eds.; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2004; Volume 2923, pp. 331–335. [Google Scholar] [CrossRef]
- Gebser, M.; Kaminski, R.; Schaub, T. Complex optimization in answer set programming. Theory Pract. Log. Program. 2011, 11, 821–839. [Google Scholar] [CrossRef]
- Zhu, H.; Gehrmann, C. AppArmor Profile Generator as a Cloud Service. In Proceedings of the 11th International Conference on Cloud Computing and Services Science, CLOSER 2021, Online Streaming, 28–30 April 2021; Helfert, M., Ferguson, D., Pahl, C., Eds.; SCITEPRESS: Setúbal, Portugal, 2021; pp. 45–55. [Google Scholar] [CrossRef]
- Zhu, H.; Gehrmann, C.; Roth, P. Access security policy generation for containers as a cloud service. SN Comput. Sci. 2023, 4, 748. [Google Scholar]
- Li, Y.; Huang, C.; Yuan, L.; Ding, Y.; Cheng, H. ASPGen: An Automatic Security Policy Generating Framework for AppArmor. In Proceedings of the IEEE International Conference on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking, ISPA/BDCloud/SocialCom/SustainCom 2020, Exeter, UK, 17–19 December 2020; Hu, J., Min, G., Georgalas, N., Zhao, Z., Hao, F., Miao, W., Eds.; IEEE: Piscataway, NJ, USA, 2020; pp. 392–400. [Google Scholar] [CrossRef]
- Mattetti, M.; Shulman-Peleg, A.; Allouche, Y.; Corradi, A.; Dolev, S.; Foschini, L. Securing the infrastructure and the workloads of linux containers. In Proceedings of the 2015 IEEE Conference on Communications and Network Security (CNS), Florence, Italy, 28–30 September 2015; pp. 559–567. [Google Scholar] [CrossRef]
- Loukidis-Andreou, F.; Giannakopoulos, I.; Doka, K.; Koziris, N. Docker-sec: A fully automated container security enhancement mechanism. In Proceedings of the 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS), Vienna, Austria, 2–6 July 2018; pp. 1561–1564. [Google Scholar]
- Huang, C.; Wang, K.; Li, Y.; Li, J.; Liao, Q. ASPGen-D: Automatically Generating Fine-grained Apparmor Policies for Docker. In Proceedings of the IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking, ISPA/BDCloud/SocialCom/SustainCom 2022, Melbourne, Australia, 17–19 December 2022; IEEE: Piscataway, NJ, USA, 2022; pp. 822–829. [Google Scholar] [CrossRef]
- Zhu, H.; Gehrmann, C. Kub-Sec, an automatic Kubernetes cluster AppArmor profile generation engine. In Proceedings of the 14th International Conference on Communication Systems & NETworks, COMSNETS 2022, Bangalore, India, 4–8 January 2022; pp. 129–137. [Google Scholar] [CrossRef]
- Schreuders, Z.C.; McGill, T.; Payne, C. Empowering End Users to Confine Their Own Applications: The Results of a Usability Study Comparing SELinux, AppArmor, and FBAC-LSM. ACM Trans. Inf. Syst. Secur. 2011, 14, 1–28. [Google Scholar] [CrossRef]
- Shepherd, C.; Markantonakis, K. Operating System Controls. In Trusted Execution Environments; Springer: Berlin/Heidelberg, Germany, 2024; pp. 33–53. [Google Scholar]
- Marek, V.; Truszczyński, M. Stable models and an alternative logic programming paradigm. In The Logic Programming Paradigm: A 25-Year Perspective; Springer: Berlin/Heidelberg, Germany, 1999; pp. 375–398. [Google Scholar] [CrossRef]
- Niemelä, I. Logic programming with stable model semantics as a constraint programming paradigm. Ann. Math. Artif. Intell. 1999, 25, 241–273. [Google Scholar] [CrossRef]
- Gelfond, M.; Lifschitz, V. Logic programs with classical negation. In Logic Programming; Warren, D., Szeredi, P., Eds.; ACM: New York, NY, USA, 1990; pp. 579–597. [Google Scholar]
- Cappanera, P.; Gavanelli, M.; Nonato, M.; Roma, M. Logic-Based Benders Decomposition in Answer Set Programming for Chronic Outpatients Scheduling. Theory Pract. Log. Program. 2023, 23, 848–864. [Google Scholar] [CrossRef]
- Cardellini, M.; Nardi, P.D.; Dodaro, C.; Galatà, G.; Giardini, A.; Maratea, M.; Porro, I. Solving Rehabilitation Scheduling Problems via a Two-Phase ASP Approach. Theory Pract. Log. Program. 2024, 24, 344–367. [Google Scholar] [CrossRef]
- Wotawa, F. On the Use of Answer Set Programming for Model-Based Diagnosis. In Proceedings of the Trends in Artificial Intelligence Theory and Applications. Artificial Intelligence Practices—33rd International Conference on Industrial, Engineering and Other Applications of Applied Intelligent Systems, IEA/AIE 2020, Kitakyushu, Japan, 22–25 September 2020; Fujita, H., Fournier-Viger, P., Ali, M., Sasaki, J., Eds.; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2020; Volume 12144, pp. 518–529. [Google Scholar] [CrossRef]
- Taupe, R.; Friedrich, G.; Schekotihin, K.; Weinzierl, A. Solving Configuration Problems with ASP and Declarative Domain Specific Heuristics. In Proceedings of the 23rd International Configuration Workshop (CWS/ConfWS 2021), Vienna, Austria, 16–17 September 2021; Aldanondo, M., Falkner, A.A., Felfernig, A., Stettinger, M., Eds.; CEUR Workshop Proceedings. CEUR-WS.org: Aachen, Germany, 2021; Volume 2945, pp. 13–20. [Google Scholar]
- Alviano, M.; Cirimele, D.; Reiners, L.A.R. Introducing ASP recipes and ASP Chef. In Proceedings of the International Conference on Logic Programming 2023 Workshops Co-Located with the 39th International Conference on Logic Programming (ICLP 2023), London, UK, 9–10 July 2023; Arias, J., Batsakis, S., Faber, W., Gupta, G., Pacenza, F., Papadakis, E., Robaldo, L., Rückschloß, K., Salazar, E., Saribatur, Z.G., et al., Eds.; CEUR Workshop Proceedings. CEUR-WS.org: Aachen, Germany, 2023; Volume 3437. [Google Scholar]
- Alviano, M.; Reiners, L.A.R. ASP Chef: Draw and Expand. In Proceedings of the 21st International Conference on Principles of Knowledge Representation and Reasoning, KR 2024, Hanoi, Vietnam, 2–8 November 2024; Marquis, P., Ortiz, M., Pagnucco, M., Eds.; IJCAI Organization: Darmstadt Germany, 2024. [Google Scholar] [CrossRef]
- Calimeri, F.; Leone, N.; Melissari, G.; Pacenza, F.; Perri, S.; Reale, K.; Ricca, F.; Zangari, J. ASP-Based Declarative Reasoning in Data-Intensive Enterprise and IoT Applications. Algorithms 2023, 16, 159. [Google Scholar] [CrossRef]
- Syrjänen, T.; Niemelä, I. The Smodels System. In Proceedings of the Logic Programming and Nonmonotonic Reasoning, 6th International Conference, LPNMR 2001, Vienna, Austria, 17–19 September 2001; Eiter, T., Faber, W., Truszczynski, M., Eds.; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2001; Volume 2173, pp. 434–438. [Google Scholar] [CrossRef]
- Giunchiglia, E.; Maratea, M. On the Relation Between Answer Set and SAT Procedures (or, Between cmodels and smodels). In Proceedings of the Logic Programming, 21st International Conference, ICLP 2005, Sitges, Spain, 2–5 October 2005; Gabbrielli, M., Gupta, G., Eds.; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2005; Volume 3668, pp. 37–51. [Google Scholar] [CrossRef]
- Bogaerts, B.; Jansen, J.; Cat, B.D.; Janssens, G.; Bruynooghe, M.; Denecker, M. Bootstrapping Inference in the IDP Knowledge Base System. New Gener. Comput. 2016, 34, 193–220. [Google Scholar] [CrossRef]
- Alviano, M.; Amendola, G.; Dodaro, C.; Leone, N.; Maratea, M.; Ricca, F. Evaluation of Disjunctive Programs in WASP. In Proceedings of the Logic Programming and Nonmonotonic Reasoning—15th International Conference, LPNMR 2019, Philadelphia, PA, USA, 3–7 June 2019; Balduccini, M., Lierler, Y., Woltran, S., Eds.; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2019; Volume 11481, pp. 241–255. [Google Scholar] [CrossRef]
- Eiter, T.; Ianni, G.; Schindlauer, R.; Tompits, H. A Uniform Integration of Higher-Order Reasoning and External Evaluations in Answer-Set Programming. In Proceedings of the IJCAI-05, the Nineteenth International Joint Conference on Artificial Intelligence, Edinburgh, Scotland, UK, 30 July–5 August 2005; Kaelbling, L.P., Saffiotti, A., Eds.; Professional Book Center: Bethesda, MD, USA, 2005; pp. 90–96. [Google Scholar]
- Calimeri, F.; Germano, S.; Palermiti, E.; Reale, K.; Ricca, F. Developing ASP Programs with ASPIDE and LoIDE. Künstliche Intell. 2018, 32, 185–186. [Google Scholar] [CrossRef]
- Calimeri, F.; Fuscà, D.; Germano, S.; Perri, S.; Zangari, J. Fostering the Use of Declarative Formalisms for Real-World Applications: The EmbASP Framework. New Gener. Comput. 2019, 37, 29–65. [Google Scholar] [CrossRef]
- Nethercote, N.; Stuckey, P.J.; Becket, R.; Brand, S.; Duck, G.J.; Tack, G. MiniZinc: Towards a Standard CP Modelling Language. In Proceedings of the CP 2007, Providence, RI, USA, 23–27 September 2007; Bessiere, C., Ed.; LNCS. Springer: Berlin/Heidelberg, Germany, 2007; Volume 4741, pp. 529–543. [Google Scholar] [CrossRef]
- Ivliev, A.; Gerlach, L.; Meusel, S.; Steinberg, J.; Krötzsch, M. Nemo: A Scalable and Versatile Datalog Engine. In Proceedings of the 5th International Workshop on the Resurgence of Datalog in Academia and Industry (Datalog-2.0 2024) Co-Located with the 17th International Conference on Logic Programming and Nonmonotonic Reasoning (LPNMR 2024), Dallas, TX, USA, 11 October 2024; Alviano, M., Lanzinger, M., Eds.; CEUR; Workshop Proceedings. CEUR-WS.org: Aachen, Germany, 2024; Volume 3801, pp. 43–47. [Google Scholar]
- Ivliev, A.; Gerlach, L.; Meusel, S.; Steinberg, J.; Krötzsch, M. Nemo: Your Friendly and Versatile Rule Reasoning Toolkit. In Proceedings of the 21st International Conference on Principles of Knowledge Representation and Reasoning, KR 2024, Hanoi, Vietnam, 2–8 November 2024; Marquis, P., Ortiz, M., Pagnucco, M., Eds.; IJCAI Organization: Darmstadt Germany, 2024. [Google Scholar] [CrossRef]
- Alviano, M.; Reiners, L.A.R. Integrating MiniZinc with ASP Chef: Browser-Based Constraint Programming for Education and Prototyping. In Proceedings of the Logic Programming and Nonmonotonic Reasoning—17th International Conference, LPNMR 2024, Dallas, TX, USA, 11–14 October 2024; Dodaro, C., Gupta, G., Martinez, M.V., Eds.; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2024; Volume 15245, pp. 174–186. [Google Scholar] [CrossRef]
- Alviano, M.; Guarasci, P.; Reiners, L.A.R.; Vasile, I.R. Integrating Structured Declarative Language (SDL) into ASP Chef. In Proceedings of the Logic Programming and Nonmonotonic Reasoning—17th International Conference, LPNMR 2024, Dallas, TX, USA, 11–14 October 2024; Dodaro, C., Gupta, G., Martinez, M.V., Eds.; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2024; Volume 15245, pp. 387–392. [Google Scholar] [CrossRef]
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Alviano, M.; Sestito, P. User Armor: An Extension for AppArmor. Algorithms 2025, 18, 185. https://doi.org/10.3390/a18040185
Alviano M, Sestito P. User Armor: An Extension for AppArmor. Algorithms. 2025; 18(4):185. https://doi.org/10.3390/a18040185
Chicago/Turabian StyleAlviano, Mario, and Pierpaolo Sestito. 2025. "User Armor: An Extension for AppArmor" Algorithms 18, no. 4: 185. https://doi.org/10.3390/a18040185
APA StyleAlviano, M., & Sestito, P. (2025). User Armor: An Extension for AppArmor. Algorithms, 18(4), 185. https://doi.org/10.3390/a18040185