| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 24 Jun 2007 20:35:35 +0000 (UTC) From: daw@...berkeley.edu (David Wagner) To: linux-kernel@...r.kernel.org Subject: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching Stephen Smalley wrote: >On Thu, 2007-06-21 at 21:54 +0200, Lars Marowsky-Bree wrote: >> And now, yes, I know AA doesn't mediate IPC or networking (yet), but >> that's a missing feature, not broken by design. > >The incomplete mediation flows from the design, since the pathname-based >mediation doesn't generalize to cover all objects unlike label- or >attribute-based mediation. I don't see anything in the AA design that would prevent an extending it to mediate network and IPC while remaining consistent with its design so far. Do you? It seems to me the AA design is to mediate filesystem access using pathname-based access control, and that says nothing about how they mediate network access. I have built sandboxing tools before, and my experience is that the filesystem mediation is the hardest, gronkiest part. In comparison, mediating networking and IPC is considerably easier. The policy language for mediating access to the network can be pretty simple. The same for IPC. Obviously you shouldn't expect the policy language for networking to use filenames, any more than you should expect the policy languages for filesystems to use TCP/IP port numbers; that wouldn't make any sense. >And the "use the natural abstraction for >each object type" approach likewise doesn't yield any general model or >anything that you can analyze systematically for data flow. I don't see this as relevant to whether AA should be merged. Fight that one in the marketplace for users, not L-K. >> If I restrict my Mozilla to not access my on-disk mail folder, it can't >> get there. (Barring bugs in programs which Mozilla is allowed to run >> unconfined, sure.) > >Um, no. It might not be able to directly open files via that path, but >showing that it can never read or write your mail is a rather different >matter. "Showing that it can never read or write your mail" is not part of AA's goals. People whose goals differ from AA's can use a different tool. No one is forcing you to use AA if it isn't useful to you. I don't see this criticism as relevant to a merger decision. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists