Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, 10 Jun 2007, Pavel Machek wrote:

Hi!

So, AA developers, do you have such a document anywhere?  I know there
are some old research papers, do they properly describe the current
model you are trying to implement here?

Greg,
  to implement the AA approach useing SELinux you need to have a way that
files that are renamed or created get tagged with the right label
automaticaly with no possible race condition.

If this can be done then it _may_ be possible to do the job that AA is
aimed at with SELinux, but the work nessasary to figure out what lables
are needed on what file would still make it a non-trivial task.

as I understand it SELinux puts one label on each file, so if you have
three files accessed by two programs such that
program A accesses files X Y
program B accesses files Y Z

then files X Y and Z all need seperate labels with the policy stateing
that program A need to access labels X, Y and program B needs to access
files Y Z

extended out this can come close to giving each file it's own label. AA
essentially does this and calls the label the path and computes it at
runtime instead of storing it somewhere.

Yes, and in the process, AA stores compiled regular expressions in
kernel. Ouch. I'll take "each file it's own label" over _that_ any time.

and if each file has it's own label you are going to need regex or similar to deal with them as well.

David Lang
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux