On Sat, 02 Jun 2007 07:27:13 PDT, [email protected] said: > > The type of hardening that AppArmor can provide network-facing daemons is only > > protecting the system against attacks that aren't even a large part of the > > threat model. Exploiting a broken PHP script? Happens all the time, and > > AppArmor can't do much for it. > > actually, this is _exactly_ where AppArmor is the most useful. if the PHP > script is restricted by AppArmor it won't be able to go out and touch > things that it's not supposed to. OK. I'll bite. AppArmor basically only mediates filename objects. What filename do you specify to stop it when the exploited PHP script is used bu a spammer to send mail to millions, when it was intended to send mail only to a specific set of people? Wait, that's a tcp connection to localhost:25. What filename do you specifu to stop blog comment spam and other abuses of a content management system (remember that the PHP code *does* need write access to the files in question)? It might be able to stop J Random SkriptKiddy from scribbling "Y0uz Ben Pwned" all over your home page, but it doesn't do much to control lots of other abuses of web apps. To be fair, SELinux can't help a lot more, because the problem often ends up being abuse of an access privilege that the program *should* have - for example, if it's supposed to query the database, it's hard to stop it from making an inappropriate query at the level that AppArmor and SELinux work at. I'm not convinced that it's solving enough *actual* problems, given that we've rejected a lot of other "helps a little in some cases" code for kernel inclusion. > if you are targeting one specific company or one specific server then you > are correct, There's a lot of that going around. And they're the attacks that you need to worry about, because you're likely to end up as a headline. > however most attacks are not that targeted, There's a big difference between "most attacks" and "most attacks you should worry about". > they do things > like useing google to find random servers that are running vunerable > software and attack that Rmember that at a minimum, that also means that you're Goggleable as vulnerable to attacks that AppArmor can't stop. And yes, Googling for vulnerable software *is* one of the primary ways that blog spammers find the vulerable blogs. If your site is run in such a way that you you have to worry about random attackers who use google, your site has *bigger* security issues, and thinking that AppArmor is going to improve things is exactly the sort of smoke screen magic bullet that we don't want putting in the kernel.
Attachment:
pgpRUY5objIhS.pgp
Description: PGP signature
- Follow-Ups:
- References:
- Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
- From: Casey Schaufler <[email protected]>
- Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
- From: [email protected] (David Wagner)
- Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
- From: Pavel Machek <[email protected]>
- Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
- From: [email protected]
- Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
- From: [email protected] (David Wagner)
- Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
- From: [email protected]
- Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
- From: [email protected]
- Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
- Prev by Date: 2.6.22-rc3-mm1 reiser4 bug
- Next by Date: Re: Section mismatches in drivers/video/console/promcon
- Previous by thread: Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
- Next by thread: Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
- Index(es):
 |