On 4/26/06, Neil Brown <[email protected]> wrote:
>
> I feel we have reached the stage where the questions/comments being
> made are actually directly relevant to AppArmor. I'm afraid I cannot
> proceed any further now because I am not a security expert.
>
> I would like to summarise what I think are the key points that you
> have raised, and hope that someone who has a deeper understanding of
> these things might answer them, or point to answers.
>
> 1/ Does AppArmor's primary mechanism of confining an application to a
> superset of its expected behaviour actually achieve its secondary
> goal of protecting data?
>
> Possibly it would be better to ask "When does ..." as I think it is
> easy to imagine application/profile pairs that clearly cannot allow
> harm, and application/profile pairs that clearly could allow harm.
Depends on the data. A properly constrained Apache webserver would be
prevented from accessing data it shouldn't.
> 2/ What advantages does AppArmor provide over techniques involving
> virtualisation or gaol mechanisms? Are these advantages worthwhile?
If you just wish to run every application in a chrooted jail, would
you still need a MAC solution?
> 3/ Is AppArmor's approach of using d_path to get a filename from a
> dentry valid and acceptable? If not, how can it get a path? Can
> suitable hooks be provided so that AppArmor can get a path in an
> acceptable way at the times when that is meaningful?
I'll leave this for the others...
> I believe that these are all good questions. The last one is the only
> one that is really relevant to linux-kernel I believe, however answers
> to the first two might tell us how important it is to answer that last
> one.
>
> Thanks for your input.
>
> NeilBrown
>
[snipped]
-Ken
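To make the "properly constrained Apache" point above concrete, here is an added example of what such a confinement looks like; it is not from the thread and not an actual shipped profile. It assumes modern AppArmor profile syntax, an Apache binary at /usr/sbin/apache2, and the Debian-style paths for its configuration, content, logs and pid file.

```apparmor
# Added example (hypothetical, not from the thread): confine an Apache
# binary at /usr/sbin/apache2. AppArmor is default-deny inside a profile,
# so anything not listed here (e.g. /etc/shadow, /home/*) is unreachable.
#include <tunables/global>

/usr/sbin/apache2 {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Just enough privilege to bind port 80 and drop to the www user.
  capability net_bind_service,
  capability setuid,
  capability setgid,

  network inet stream,
  network inet6 stream,

  # Configuration and content are read-only: no write rule exists for
  # them, so a compromised worker cannot rewrite the document root.
  /etc/apache2/**               r,
  /var/www/**                   r,

  # The only writable paths are the logs and the pid file (assumed paths).
  /var/log/apache2/*            w,
  /run/apache2/apache2.pid      rw,

  # The binary itself and the modules it maps in.
  /usr/sbin/apache2             mr,
  /usr/lib/apache2/modules/*.so mr,
}
```

Note that every rule is matched on the pathname the kernel resolves at access time (the d_path question in point 3): a file that is also reachable under a second name, for instance through a bind mount, is governed by that second name and needs its own rule.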