lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f03mli$8g8$1@taverner.cs.berkeley.edu>
Date:	Tue, 17 Apr 2007 23:53:22 +0000 (UTC)
From:	daw@...berkeley.edu (David Wagner)
To:	linux-kernel@...r.kernel.org
Subject: Re: AppArmor FAQ

Karl MacMillan  wrote:
>My private ssh keys need to be protected regardless
>of the file name - it is the "bag of bits" that make it important not
>the name.

I think you picked a bad example.  That's a confidentiality policy.
AppArmor can't make any guarantees about confidentiality.  Neither can
SELinux.  If you give a malicious app the power to read your private ssh
key, it's game over, dude.  (Covert channels, wall banging, and all that.)
So don't do that.

>Similarly, you protect the integrity of the applications that
>need name resolution by ensuring that the data that they read is high
>integrity. You do that by controlling data not the file name used to
>access the data. That is James point - a comprehensive mechanism like
>SELinux allows you to comprehensively protect the integrity of data.

I think this argument just misses the point.  What you want isn't what
AppArmor does.  Fine.  Nobody is forcing you to use AppArmor.  But that
doesn't mean AppArmor is useless.  There may be people who want what
AppArmor has to provide.

It sounds like you want a comprehensive information flow control system.
That's not what AppArmor provides.  If I understand correctly, one
thing AppArmor does provide is a way to confine untrusted legacy
apps in a restricted jail.  That can be useful in some scenarios.
Consider, for instance, a web server where untrusted users can upload PHP
scripts, and you're concerned that those PHP scripts might be malicious.
Maybe you'd like to confine the PHP interpreter to limit what it can do.
That might be a good application for something like AppArmor.  You don't
need comprehensive information flow control for that kind of use, and
it would likely just get in the way.

Those who want a information flow control system, will probably use
SELinux or something like it.  Those who want what AppArmor has to offer,
might well use AppArmor.  They solve different problems and have different
tradeoffs.  There is room for more than one security tool in the world.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ