[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f03mli$8g8$1@taverner.cs.berkeley.edu>
Date: Tue, 17 Apr 2007 23:53:22 +0000 (UTC)
From: daw@...berkeley.edu (David Wagner)
To: linux-kernel@...r.kernel.org
Subject: Re: AppArmor FAQ
Karl MacMillan wrote:
>My private ssh keys need to be protected regardless
>of the file name - it is the "bag of bits" that make it important not
>the name.
I think you picked a bad example. That's a confidentiality policy.
AppArmor can't make any guarantees about confidentiality. Neither can
SELinux. If you give a malicious app the power to read your private ssh
key, it's game over, dude. (Covert channels, wall banging, and all that.)
So don't do that.
>Similarly, you protect the integrity of the applications that
>need name resolution by ensuring that the data that they read is high
>integrity. You do that by controlling data not the file name used to
>access the data. That is James point - a comprehensive mechanism like
>SELinux allows you to comprehensively protect the integrity of data.
I think this argument just misses the point. What you want isn't what
AppArmor does. Fine. Nobody is forcing you to use AppArmor. But that
doesn't mean AppArmor is useless. There may be people who want what
AppArmor has to provide.
It sounds like you want a comprehensive information flow control system.
That's not what AppArmor provides. If I understand correctly, one
thing AppArmor does provide is a way to confine untrusted legacy
apps in a restricted jail. That can be useful in some scenarios.
Consider, for instance, a web server where untrusted users can upload PHP
scripts, and you're concerned that those PHP scripts might be malicious.
Maybe you'd like to confine the PHP interpreter to limit what it can do.
That might be a good application for something like AppArmor. You don't
need comprehensive information flow control for that kind of use, and
it would likely just get in the way.
Those who want a information flow control system, will probably use
SELinux or something like it. Those who want what AppArmor has to offer,
might well use AppArmor. They solve different problems and have different
tradeoffs. There is room for more than one security tool in the world.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists