Open Source and information security mailing list archives
 
Message-ID: <20070609193853.GA6663@elf.ucw.cz>
Date:	Sat, 9 Jun 2007 21:38:53 +0200
From:	Pavel Machek <pavel@....cz>
To:	David Wagner <daw-usenet@...erner.cs.berkeley.edu>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: AppArmor FAQ

Hi!

> >> Maybe you'd like to confine the PHP interpreter to limit what it can do.
> >> That might be a good application for something like AppArmor.  You don't
> >> need comprehensive information flow control for that kind of use, and
> >> it would likely just get in the way.
> >
> >SELinux can do this, it's policy-flexible.  You can even simulate a 
> >pathname-based policy language with a consequential loss of control:
> 
> I have no doubt that SELinux can do that, but that has about as much
> relevance to my point as the price of tea in China does.  I can use a
> screwdriver to drive in a nail into my wall, too, if I really wanted to,
> but that doesn't mean toolmakers should stop manufacturing hammers.

Well, we are talking about kernel here, and if screwdrivers work well
enough to drive nails into walls, we'll not allow hammers in.

> My point is that there are some tasks where it's plausible that AppArmor
> might well be a better (easier-to-use) tool for the job.  I'm

If SELinux can do the task, AA people are welcome to port their
userland apps to SELinux to make it user friendly. We do _not_ provide
user friendly services in kernel.

Someone wanted shell inside kernel because it is convenient to
him. Too bad, not going to be merged.
								Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html