| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 8 Mar 2010 11:32:16 -0800 (PST) From: Linus Torvalds <torvalds@...ux-foundation.org> To: Alan Cox <alan@...rguk.ukuu.org.uk> cc: Al Viro <viro@...IV.linux.org.uk>, Ingo Molnar <mingo@...e.hu>, James Morris <jmorris@...ei.org>, linux-kernel@...r.kernel.org, Kyle McMartin <kyle@...artin.ca>, Alexander Viro <viro@....linux.org.uk> Subject: Re: Upstream first policy On Mon, 8 Mar 2010, Alan Cox wrote: > > Its path based in the sense that public_html has a path based meaning by > convention understood by httpd. Copy a jpeg into your public_html and it > will be labelled up for http access under the Fedora shipped rule sets. Umm. That was my point all along: you can basically "emulate" pathname based decisions by labeling things. But it's not always the most direct approach, and some people clearly do find AppArmor (or Tomoyo, which I think is also largely based on pathnames) to be more "intuitive". So I don't understand it when people then complain about a mechanism that base their decisions fundamentally on the pathname. It's not like AppArmor got rid of the traditional unix inode-based protections and replaced them (like your silly DEC10 example). But whatever. The fact is, Ubuntu uses it. We'll merge it. Linus -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists