Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook

Casey Schaufler wrote:
> --- Andreas Gruenbacher <[email protected]> wrote:
>   
>> AppArmor cannot assume anything about argv[0],
>>
>> and it would be a really bad idea to change the well-established semantics of
>>
>> argv[0].
>>
>> There is no actual need for looking at argv[0], though: AppArmor decides
>> based 
>> on the actual pathname of the executable...
>>     
> Right. My point was that if you wanted to use the gzip/gunzip
> example of a file with two names being treated differently based
> on the name accessed as an argument for AppArmor you could.
AppArmor detects the pathname of the file exec'd at the time the parent
exec's it, and not anything inside the child involving argv[0].

As such, AA can detect whether you did exec("gzip") or exec("gunzip")
and apply the policy relevant to the program. It could apply different
policies to each of them, so whether it has access to /tmp/mumble/barf
depends on whether you called it 'gzip' or 'gunzip'. Caveat: it makes no
sense to profile either gzip or gunzip in the AppArmor model, so I won't
defend what kind of policy you would put on them.

Finally, AA doesn't care what the contents of the executable are. We
assume that it is a copy of metasploit or something, and confine it to
access only the resources that the policy says.

>  If
> you don't want to, that's ok too. Jeremy raised a reasonable objection,
> and AppArmor could address it if y'all chose to do so. I seriously
> doubt that enforcing the argv[0] convention would break much, and I
> also expect that if it did there's a Consultant's Retirement to be
> made fixing the security hole it points out.
>   
AppArmor does address it, and I hope this explains how we detect which
of multiple hard links to a file you used to access the file without
mucking about with argv[0].

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
		   Security: It's not linear

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
    • From: James Morris <[email protected]>
  • Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
    • From: Alan Cox <[email protected]>

• References:
  • Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
    • From: Casey Schaufler <[email protected]>

• Prev by Date: Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
• Next by Date: reg: modules make in Ubuntu
• Previous by thread: Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
• Next by thread: Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]