How do AppArmor/SELinux/grsecurity work?

exosphere
Posts: 1
Joined: 2015-04-23 05:08

#1 Post by exosphere »

Hello! I'm new to Linux (like, absolute n00b new), and one of the features I was interested in in particular is Linux's supposed resilience against virus infections. As a result, I became interested in the variety of patches and software addons, like AppArmor, SELinux, and grsecurity, that harden the OS and make it even more difficult to infect. I've read a lot of the documentation about these programs, but I wanted to ask a few questions here (as I believe you guys are much more knowledgeable than I) about how these programs actually work and how they actually prevent malware infections.

So how do they work? My (very basic, and possibly incorrect) analysis is that AppArmor (and other related Mandatory Access Control programs, like SELinux and grsecurity's RBAC) prevent infected programs, whether malicious in nature or exploited through a vulnerability, from accessing any files they aren't supposed to, or writing to/executing any applications they can read, but don't need write/execute privileges for. So, if I've got, say, a banking trojan that attempts to sniff the keystrokes going to another application (such as my web browser), AppArmor would prevent the program from accessing that data (unless the trojan tricked me into giving it access willingly), and if I got some other kind of virus that attempts to inject itself into another app's process, AppArmor would prevent said virus from writing to those sources. Is this correct, or am I misunderstanding something?

My understanding of grsecurity is similarly limited, but from what I can gather, the RBAC system basically works like AppArmor/SELinux (i.e., it's a MAC system), whereas the rest of the patches, including PaX, harden the kernel to prevent vulnerability exploitation. I'm not entirely sure how said exploitation process would occur (if anyone can explain/provide examples, I'd be greatly appreciative), but the main exploitation grsecurity seems to be protecting against seems to be privilege escalation (i.e., a virus giving itself root access without my consent). What else, if anything, do these patches prevent?

In addition, what exactly would a virus with just basic user privileges be able to do? It seems like the majority of the malware protection features I've seen serve to prevent a piece of malware from getting root privileges, but even assuming the virus is stuck at the user level, is there anything particularly fatal it could do (both assuming it is contained in a single app by AppArmor/SELinux/RBAC, and assuming it has bypassed said defenses, but still has just user privileges)?

Furthermore, most of what I've read regarding kernel hardening patches like grsecurity indicate that such patches are important to protect MAC systems themselves -- i.e., without grsecurity, malware could bypass MAC systems, but these patches prevent that from happening. How does that work?

Finally (this is the last question, promise! :mrgreen: ), let's say this scenario occurred: I'm running Debian with grsecurity/PaX installed and using the RBAC system for MAC purposes. I somehow get a virus on my system (say, through downloading a bad file). Exactly how would the virus attempt to "own" my system? How do things like MAC escape, privilege escalation, etc. work, how would the virus try to do those things, and how would grsecurity/PaX/RBAC try to prevent the virus from being successful?

Thanks for the help!
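As an added illustration (not part of the post above, and not an official Debian or AppArmor profile) of the confinement the question describes: an AppArmor profile for a hypothetical downloaded program at the assumed path /opt/untrusted/app, which is allowed its own data directory but is denied the browser's profile files, writes to system program directories, and tracing of other processes.

```apparmor
# Added example profile for an assumed binary /opt/untrusted/app.
# AppArmor profiles are default-deny: anything not listed below is refused
# and logged, so the explicit "deny" rules exist to override permissions
# that the included abstractions might otherwise grant, and "audit" makes
# those refusals show up in the log as well.
#include <tunables/global>

/opt/untrusted/app {
  #include <abstractions/base>

  # The program may read and map its own binary and use its own data dir.
  /opt/untrusted/app            mr,
  owner @{HOME}/.untrusted/**   rw,

  # A keylogging or data-stealing program in this profile cannot read the
  # browser profile (cookies, session files, saved logins) even though the
  # same user account owns both. Path under @{HOME} is an assumption.
  audit deny @{HOME}/.mozilla/** rwk,

  # No writing into system program directories, so an exploited instance
  # cannot modify or plant binaries that other programs or root will run.
  # Executing anything at all is already denied because no "ix"/"px"/"ux"
  # exec rule is granted.
  audit deny /usr/bin/**        w,
  audit deny /usr/lib/**        w,

  # No ptrace of any other process, which blocks attaching to another
  # application to inject code or read its memory.
  audit deny ptrace,
}
```

Install the file under /etc/apparmor.d/ and load it with `apparmor_parser -r`; attempts the profile blocks appear in the kernel log (dmesg) or audit log as `apparmor="DENIED"` entries naming the profile, the operation and the path.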
