lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <200705261605.29829.agruen@suse.de>
Date:	Sat, 26 May 2007 16:05:29 +0200
From:	Andreas Gruenbacher <agruen@...e.de>
To:	Alan Cox <alan@...rguk.ukuu.org.uk>
Cc:	Crispin Cowan <crispin@...ell.com>, casey@...aufler-ca.com,
	Jeremy Maitin-Shepard <jbms@....edu>,
	James Morris <jmorris@...ei.org>, linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	linux-fsdevel@...r.kernel.org
Subject: Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook

On Saturday 26 May 2007 15:34, Alan Cox wrote:
> > As such, AA can detect whether you did exec("gzip") or exec("gunzip")
> > and apply the policy relevant to the program. It could apply different
>
> That's not actually useful for programs which link the same binary to
> multiple names because if you don't consider argv[0] as well I can run
> /usr/bin/gzip passing argv[0] of "gunzip" and get one set of policies and
> the other set of behaviour.

I partially agree. Taken together with the policy of the calling process, 
things suddenly start to make more sense though (even if gzip/gunzip don't 
make good examples): if only allowed to execute /usr/bin/gzip, the calling 
process can still get the gunzip behavior, but it will be bound by 
the /usr/bin/gzip policy.

Controlling the policy is what we really care about; this limits the allowed 
behavior. We cannot really control the behavior of an application anyway 
(think of bugs alone), but we can set the bounds for that behavior.

> And then we have user added hardlinks of course.

Yes, allowing confined processes to change what they are allowed to execute 
under a more permissive policy is not such a good idea.

Thanks,
Andreas
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ