[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1182513228.24664.24.camel@moss-spartans.epoch.ncsc.mil>
Date: Fri, 22 Jun 2007 07:53:47 -0400
From: Stephen Smalley <sds@...ho.nsa.gov>
To: John Johansen <jjohansen@...e.de>
Cc: Lars Marowsky-Bree <lmb@...e.de>, James Morris <jmorris@...ei.org>,
Pavel Machek <pavel@....cz>,
Crispin Cowan <crispin@...ell.com>, Greg KH <greg@...ah.com>,
Andreas Gruenbacher <agruen@...e.de>,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fsdevel@...r.kernel.org
Subject: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation,
pathname matching
On Fri, 2007-06-22 at 01:06 -0700, John Johansen wrote:
> On Thu, Jun 21, 2007 at 04:59:54PM -0400, Stephen Smalley wrote:
> > On Thu, 2007-06-21 at 21:54 +0200, Lars Marowsky-Bree wrote:
> > > On 2007-06-21T15:42:28, James Morris <jmorris@...ei.org> wrote:
> > >
> >
> > > And now, yes, I know AA doesn't mediate IPC or networking (yet), but
> > > that's a missing feature, not broken by design.
> >
> > The incomplete mediation flows from the design, since the pathname-based
> > mediation doesn't generalize to cover all objects unlike label- or
> > attribute-based mediation. And the "use the natural abstraction for
> > each object type" approach likewise doesn't yield any general model or
> > anything that you can analyze systematically for data flow.
> >
> No the "incomplete" mediation does not flow from the design. We have
> deliberately focused on doing the necessary modifications for pathname
> based mediation. The IPC and network mediation are a wip.
The fact that you have to go back to the drawing board for them is that
you didn't get the abstraction right in the first place.
> We have never claimed to be using pathname-based mediation IPC or networking.
> The "natural abstraction" approach does generize well enough and will
> be analyzable.
I think we must have different understandings of the words "generalize"
and "analyzable". Look, if I want to be able to state properties about
data flow in the system for confidentiality or integrity goals (my
secret data can never leak to unauthorized entities, my critical data
can never be corrupted/tainted by unauthorized entities - directly or
indirectly), then I need to be able to have a common reference point for
my policy. When my policy is based on different abstractions
(pathnames, IP addresses, window ids, whatever) for different objects,
then I can no longer identify how data can flow throughout the system in
a system-wide way.
> > Um, no. It might not be able to directly open files via that path, but
> > showing that it can never read or write your mail is a rather different
> > matter.
> >
> Actually it can be analyzed and shown. It is ugly to do and we
> currently don't have a tool capable of doing it, but it is possible.
No, it isn't possible when using ambiguous and unstable identifiers for
the subjects and objects, nor when mediation is incomplete.
--
Stephen Smalley
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists