lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 8 Jun 2007 23:25:31 -0400
From:	Sean <seanlkml@...patico.ca>
To:	Tetsuo Handa <from-lsm@...ove.SAKURA.ne.jp>
Cc:	david@...g.hm, linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org
Subject: Re: [AppArmor 39/45] AppArmor: Profile loading and
 manipulation,pathname matching

On Sat, 9 Jun 2007 11:01:41 +0900
Tetsuo Handa <from-lsm@...ove.SAKURA.ne.jp> wrote:


>From the discussion so far, it seems that the different "model" that AA
is trying to implement, is to do in one step what SELinux does in two
steps; that is trying to combine labelling and enforcement into a
single step.  If this is so, then why can't it just feed its automatic
labelling into SELinux enforcement code?

> I tried to give each file it's own label, but I couldn't do it.
> http://sourceforge.jp/projects/tomoyo/document/nsf2003-en.pdf

That paper seems entirely focused on the automatic generation of policy,
and doesn't seem to help the discussion along.   For instance, there may
be a way to implement AA on top of SELinux _without_ giving each and
every file its own label.

> There are many elements that forms too strong barrier between pathname and labels,
> such as bind-mounts, hard links, newly created files, renamed files, temporary files and so on.
> So I gave up giving each file a label that can be used as an identifier,
> and took an approach to forbid unneeded mount operations, unneeded link operations,
> unneeded renaming operations to keep the pathname represent it's own identifier as much as possible.

AA must have a function that decides the security rights for any given
path in order to make its enforcement decisions.  It must surely be able
to deal with all those things you listed above (bind-mounts,hard links etc).
So why can't those decisions be turned into labels that are fed into SELinux
enforcement code?

Sean.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ