On Tue, Apr 25, 2006 at 06:52:40PM +0200, Arjan van de Ven wrote:
> a scary angle is that a compromised "confined" process can still
> reconfigure all your networking to the point that it can forward and NAT

If you have decided to allow the process to use CAP_NET_ADMIN by adding the text "capability net_admin," to the profile in question, I fail to see how this is "scary" -- in fact, this is exactly what you have chosen to allow this process to do.

One of our developers has a profile set of 827 profiles that we use for testing system functionality and our tools; twenty of those profiles have "capability net_admin" granted. The other 807 profiles do not have the ability to reconfigure the network at will.

I hope this clears up your concern.

Thanks Arjan
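The audit implied by the message above (finding which profiles in a set carry "capability net_admin,") can be done mechanically. The following is an added example, not part of the original message or of AppArmor's own tooling; it assumes present-day apparmor.d(5) rule syntax with one rule per line, and the sample profiles and the function name `profiles_granting` are constructed for illustration.

```python
import re

# Constructed sample in apparmor.d(5) syntax; names and paths are made up.
SAMPLE = """\
#include <tunables/global>
/usr/sbin/ntpd {
  capability sys_time,
  /etc/ntp.conf r,
}
/usr/sbin/dhcpd flags=(complain) {
  capability net_admin,   # the rule quoted in the message
}
profile vpn-helper /usr/local/bin/vpn-helper {
  capability net_admin sys_module,
  ^worker {
    deny capability net_admin,
  }
}
/usr/bin/legacy {
  capability,
}
"""

HEADER = re.compile(r"^(?:profile\s+)?(\S+).*\{$")
CAP_RULE = re.compile(r"^((?:(?:audit|allow|deny)\s+)*)capability\b([^,]*),")

def profiles_granting(text, cap="net_admin"):
    """Return names of profiles (hats as parent//^hat) whose rules allow `cap`."""
    stack, granted = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops comments and legacy #include lines
        if line == "}":
            if stack:
                stack.pop()
        elif line.endswith("{"):
            m = HEADER.match(line)
            stack.append(m.group(1) if m else "?")
        elif stack and (m := CAP_RULE.match(line)):
            quals, caps = m.group(1).split(), m.group(2).split()
            # "deny" removes access; a bare "capability," allows every capability.
            if "deny" not in quals and (not caps or cap in caps):
                name = "//".join(stack)
                if name not in granted:
                    granted.append(name)
    return granted

if __name__ == "__main__":
    for name in profiles_granting(SAMPLE):
        print(name)
```

An explicit deny rule elsewhere in the same profile overrides an allow, which this line-by-line check does not model, so treat its output as the list of profiles to review rather than a final verdict.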