lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <48041F46.8030004@crispincowan.com>
Date:	Mon, 14 Apr 2008 20:21:42 -0700
From:	Crispin Cowan <crispin@...spincowan.com>
To:	Matthew Wilcox <matthew@....cx>
CC:	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>,
	paul.moore@...com, akpm@...ux-foundation.org,
	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org, takedakn@...data.co.jp,
	linux-fsdevel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO.

Matthew Wilcox wrote:
> On Sun, Apr 13, 2008 at 06:41:19PM -0700, Crispin Cowan wrote:
>   
>> Rather, it is "can write to /tmp/ntpd/*". You *grant* permissions. You 
>> do *not* throw deny rules.
>>     
> So primarily we're concerned here with things that are running as root,
> daemons and the like.  Normal unix file permissions (or ACLs, if you
> must) are adequate to handle anything not running as uid 0.
>   
That's not true. Both AppArmor and SELinux Targeted Policy address 
confinement of both root and non-root applications. Examples:

    * Confining even non-root applications keeps them from accessing
      world and group accessible files.
    * Many services run as nobody instead of root, and smarter ones
      create themselves a new UID to run as. Even so, confining them is
      useful because the least-privilege posture is much easier to
      specify and verify in a capability model (as SELinux and AppArmor
      are) than an ACL model (as permission bits on files are).
    * You may want to confine a desktop application. E.g. Pidgin is a
      great IM tool because it speaks so many protocols, but with that
      large functionality comes a large attack surface, and it has had
      vulnerabilities from time to time. A confined IM client can be
      configured to only have access to your IM files, and not e.g. your
      SSH private keys.


> I don't see what apparmour and tomoya buy us that namespaces can't.
>   
Controlled overlap. You can use AppArmor to confine every *individual* 
piece of a web site shopping cart, and yet they still can interact with 
each other by sharing files. You cannot do that with namespaces.

Conversely, it is very convenient to use namespaces to set up private 
virtual domains, and that is not at all convenient to do with AppArmor, 
TOMOYO, or SELinux.

The correct answer is to use namespaces for total isolation (virtual 
domain hosting) and LSM confinement tools for security within a virtual 
domain.

> Maybe a nicer interface, but that's something that a nice userspace
> management interface can handle.
>   
Not true. Ease of management of access control is about the security 
model. Cute GUIs help, but not much.

> Create an empty namespace.  Create /tmp/ntpd in it.  Bind the outside
> /tmp/ntpd onto that directory.  Presto, the equivalent to an allow-rule
> of 'can write to /tmp/ntpd/*'.
>   
Now get ntpd to show you that you need to do this, in one pass. If you 
already know all of the files to be accessed, and you are going to write 
the security policy by hand, then the two approaches might be kind of 
comparable. But that's not how AppArmor policies are created. This is 
not a minor distinction.

> The equivalent of 'can read, but not write /home/crispin/.ssh/id_rsa.pub'
> will need r-o bind mounts, which Miklos seems to have become distracted
> from by working on the hooks for TOMOYA.
>
> Do you have a good example of something that apparmour can protect against
> that namespaces can't?
>   
See above. The major classes of things that namespaces can't do are:

    * deliberate overlap
    * learning mode
    * wild cards, e.g. 'can read /var/www/**.html' to grant access to
      all of the HTML files in the tree, but not the .pl source code files

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin
The Olympic Games: Symbolizing oppressiiion and corruption for over a
hundred years


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ