Message-ID: <44334EAB.2000809@novell.com>
Date: Thu Apr 6 03:45:57 2006
From: crispin at novell.com (Crispin Cowan)
Subject: Re: [SC-L] Re: [Owasp-dotnet] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
Pascal Meunier wrote:
> AppArmor sounds like an excellent alternative to creating a VMWare image for
> every application you want to run but distrust, although I can think of
> cases where a VMWare image would be safer. For example, the
> installer/uninstaller may have vulnerabilities, may be "dirty" (it causes
> problems by modifying things that affect other applications, or doesn't
> clean up correctly), or phones home, etc... I guess you could make a profile
> for the installer as well (I'm not very enthusiastic about that idea
> though). Also, I suspect that what you need to allow in some profiles is
> possibly sufficient to enable "some level" of malicious activity. It's
> regrettable that it is only available for Suse Linux.
>
That is correct. AppArmor is not a virtualization layer, and cannot be
used to create virtual copies of files for maybe-good/maybe-bad software
to mess with. Moreover, the LSM interface in the kernel (which both
AppArmor and SELinux depend on) is also not capable of virtualization.
There were requests for virtualization features during the LSM design
phase, but we decided that we wanted to keep LSM as unintrusive as
possible so as to maximize the chance of LSM being accepted by the
upstream kernel.
> Perhaps one of the AppArmor mailing lists would be more appropriate to ask
> this,
apparmor-dev cc'd
> but as you posted an example profile with "capability setuid", I must
> admit I am curious as to why an email client needs that.
Well now that is a very good question, but it has nothing to do with
AppArmor. The AppArmor learning mode just records the actions that the
application performs. With or without AppArmor, the Thunderbird mail
client is using cap_setuid. AppArmor gives you the opportunity to *deny*
that capability, so you can try blocking it and find out. But for
documentation on why Thunderbird needs it, you would have to look at
mozilla.org not the AppArmor pages.
> I tried looking up
> relevant documentation on the Novell site, but it seems I was unlucky and
> tried during a maintenance period because pages were loading erratically. I
> finally got to the "3.0 Building Novell AppArmor Profiles" page but it was
> empty. I would appreciate receiving more information about it. I am also
> interested in the "Linux Security Modules Interface".
>
For an overview, look here:
"Linux Security Modules: General Security Support for the Linux
Kernel". Chris Wright, Crispin Cowan, Stephen Smalley, James Morris,
and Greg Kroah-Hartman. Presented at the 11th USENIX Security
Symposium <http://www.usenix.org/events/sec02/>, San Francisco, CA,
August 2002. PDF <http://crispincowan.com/%7Ecrispin/lsm-usenix02.pdf>.
However, this paper is only a general overview, and is now far out of
date. For an accurate view, look at the kernel source code.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
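
Added example, not part of the original message and not code from the AppArmor project: a short Python sketch of the "block it and find out" step discussed above. It lists the capabilities a profile grants and writes a trial copy with one removed. The profile text and its paths are constructed for illustration, and the sketch assumes one rule per line; dropping the rule is enough because a confined process is refused any capability its profile does not list.

```python
import re

# Constructed sample profile (not the one posted in the thread); paths are hypothetical.
SAMPLE_PROFILE = """\
/usr/lib/thunderbird/thunderbird-bin {
  #include <abstractions/base>

  capability setuid,
  # constructed second rule, present only to show that other rules survive
  capability dac_override,

  /usr/lib/thunderbird/** mr,
  owner @{HOME}/.thunderbird/** rw,
}
"""

# One capability rule per line: optional qualifiers, names, terminating comma.
CAP_RULE = re.compile(r"^(\s*)((?:audit\s+|deny\s+)*)capability\b([^,#]*),(.*)$")

def granted_capabilities(profile_text):
    """Return the set of capabilities the profile explicitly allows."""
    caps = set()
    for line in profile_text.splitlines():
        m = CAP_RULE.match(line)
        if m and "deny" not in m.group(2):
            # A bare "capability," rule allows every capability.
            caps.update(m.group(3).split() or ["ALL"])
    return caps

def without_capability(profile_text, cap):
    """Return a trial profile in which `cap` is no longer allowed."""
    out = []
    for line in profile_text.splitlines():
        m = CAP_RULE.match(line)
        if m and "deny" not in m.group(2) and cap in m.group(3).split():
            rest = [c for c in m.group(3).split() if c != cap]
            if not rest:
                continue  # the rule named only this capability: drop the line
            line = f"{m.group(1)}{m.group(2)}capability {' '.join(rest)},{m.group(4)}"
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("granted:", sorted(granted_capabilities(SAMPLE_PROFILE)))
    print(without_capability(SAMPLE_PROFILE, "setuid"))
```

Load the trial copy with `apparmor_parser -r` and run the application to see what, if anything, stops working once the capability is refused.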