Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

On Sun, 24 Jun 2007, David Wagner wrote:

Argument 3. AA isn't complete until it mediates network and IPC.

Let me comment on these one-by-one.

3. This one I agree with.  If you want to sandbox network daemons that
you're concerned might get hacked, then you really want your sandbox to
mediate everything.  Right now the security provided by AA (if that's
what you are using it for) will be limited by its incomplete mediation,
since a knowledgeable motivated attacker who hacks your daemon may be
able to use network or IPC to break out of the sandbox, depending upon
the network and host configuration.  Filesystem mediation alone might be
better than nothing, I suppose, if you're worried about script kiddies,
but it's certainly not a basis for strong security claims.  The state of
the art in sandboxing obviously requires complete mediation, and we've
known that for a decade.

the issue I see is that AA may not have to implement any new in-kernelinfrastructure to do this.

as recently as yesterday there have been discussions on the netfilter listabout how to implement filter rules based on the application name (see thethread titled 'filter by application name') if this gets implementedindependantly of AA then AA could provide a policy implementation layerover netfilter if desired (or sysadmins could just use their currentfavorite tool to control the network and AA to control the filesystem)

so holding up AA becouse this isn't implemented yet seems to be counterproductive. people are working on this, and it is going to go in at somepoint independantly of AA, so why tie AA to it?

IPC is a very imprecise term. it includes lots of different ways forprocesses to communicate with each other. some forms of IPC are covered byAA today (unix sockets), others aren't. but each of the different methodsis going to involve some difference in how it's controlled. if you want totalk IPC be specific about what IPC methods you are talking bout limiting.


David Lang
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

References:
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: Crispin Cowan <[email protected]>
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: James Morris <[email protected]>
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: Chris Mason <[email protected]>
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: James Morris <[email protected]>
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: [email protected] (David Wagner)

Prev by Date: Re: pivot_root alternative
Next by Date: Re: [PATCH] Avoid potential NULL deref in scripts/genksyms/lex.l
Previous by thread: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
Next by thread: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]