Re: [RFC][PATCH 0/11] security: AppArmor - Overview

Quoting Andi Kleen ([email protected]):
> Arjan van de Ven <[email protected]> writes:
> > 
> > you must have a good defense against that argument, so I'm curious to
> > hear what it is
> 
> [I'm not from the apparmor people but my understanding is]
> 
> Usually they claimed name spaces as the reason it couldn't work.
> 
> In practice AFAIK basically nobody uses name spaces for
> anything.  AppArmor just forbids mounts/CLONE_NEWNS for the confined

Well, I use them all over the place to keep accounts on separate /tmp's,
etc.  It may not be the norm yet, but the general availability of
pam_mount etc, and the implementation of shared subtrees may well change
that.

But then if that happens, as Al points out, AA might be able to
embrace rather than fight it.

-serge
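The per-account private /tmp that Serge describes is built from exactly the two kernel features the thread argues over: a separate mount namespace per login session, and the shared-subtree propagation rules that decide whether a mount made inside that namespace leaks back out. The script below is an added example, not code from the thread, from AppArmor, or from pam_mount. It assumes util-linux `unshare`/`mount` for the setup half (which needs CAP_SYS_ADMIN and is not exercised by the check), and it feeds the verification half a constructed `/proc/self/mountinfo` sample rather than output from a real system. The check is the part an administrator wants after setting this up: confirm that the session's /tmp is a private mount and has not been propagated through a shared root.

```shell
#!/bin/sh
# Added example: per-session private /tmp in a mount namespace, plus a
# propagation check against mountinfo. Not from the thread or any project.

# Constructed /proc/self/mountinfo sample (not captured from a real host).
# Field 5 is the mount point; optional fields such as "shared:N" or
# "master:N" sit between field 6 and the "-" separator. Mount points
# containing spaces appear octal-escaped (\040) in the real file.
SAMPLE_MOUNTINFO='22 1 0:21 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
45 22 0:40 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw,size=524288k
60 22 0:44 / /home rw,relatime shared:30 - ext4 /dev/sdb1 rw'

# mount_propagation MOUNTINFO_TEXT MOUNTPOINT
# Prints the propagation type of MOUNTPOINT as the kernel reports it:
# private, shared, slave, shared-slave or unbindable. Prints "none" and
# returns 1 when MOUNTPOINT is not a mount point in the given table.
mount_propagation() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $5 == mp {
            shared = 0; slave = 0; unb = 0
            # walk the optional fields up to the "-" separator
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/) shared = 1
                else if ($i ~ /^master:/) slave = 1
                else if ($i == "unbindable") unb = 1
            }
            if (unb) print "unbindable"
            else if (shared && slave) print "shared-slave"
            else if (shared) print "shared"
            else if (slave) print "slave"
            else print "private"
            found = 1
            exit
        }
        END { if (!found) { print "none"; exit 1 } }'
}

# enter_private_tmp [SIZE]
# Starts a shell in a fresh mount namespace with its own tmpfs on /tmp.
# Requires CAP_SYS_ADMIN (typically root). The --make-rprivate step is
# what keeps the new /tmp from propagating back into the parent namespace
# when / is a shared mount, which is the default on systemd systems.
enter_private_tmp() {
    size="${1:-512m}"
    unshare --mount sh -c "
        mount --make-rprivate / &&
        mount -t tmpfs -o nosuid,nodev,size=$size tmpfs /tmp &&
        exec \"\${SHELL:-/bin/sh}\"
    "
}

# Check the constructed sample from the command line when run directly.
if [ "${1:-}" = "--demo" ]; then
    mount_propagation "$SAMPLE_MOUNTINFO" /tmp    # private
    mount_propagation "$SAMPLE_MOUNTINFO" /home   # shared
fi
```

On a live system replace the sample with `"$(cat /proc/self/mountinfo)"` after `enter_private_tmp`; inside the new namespace /tmp should report `private`, while running the same check from the parent namespace should report `none` (or the system-wide /tmp, if one is mounted there) rather than the per-session tmpfs.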