Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

Crispin Cowan wrote:

[email protected] wrote:

On Fri, 8 Jun 2007, Greg KH wrote:

I still want to see a definition of the AA "model" that we can then use
to try to implement using whatever solution works best.  As that seems
to be missing the current argument of if AA can or can not be
implemented using SELinux or something totally different should be
stopped.

the way I would describe the difference betwen AA and SELinux is:

SELinux is like a default allow IPS system, you have to describe
EVERYTHING to the system so that it knows what to allow and what to stop.

AA is like a default deny firewall, you describe what you want to
happen, and it blocks everything else without you even having to
realize that it's there.

That's not quite right:

    * SELinux Strict Policy is a default-deny system: it specifies
      everything that is permitted system wide, and all else is denied.
    * AA and the SELinux Targeted Policy are hybrid systems:
          o default-deny within a policy or profile: confined processes
            are only permitted to do what the policy says, and all else
            is denied.
          o default-allow system wide: unconfined processes are allowed
            to do anything that classic DAC permissions allow.

Still not completely correct, though the targeted policy has an unconfined domain (unconfined_t) the policy still has allow rules for everything unconfined can do, 2 examples of things unconfined still can't do (because they aren't allowed by the targeted policy) is execmem and a while back when there was a /proc exploit that required setattr on /proc/self/environ; unconfined_t wasn't able to do that either (and therefore the exploit didn't work on a targeted system).

That said, the differentiation between strict and targeted is going away soon so that one can have some users be unconfined (but still with a few restrictions) and others can be fully restricted.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• References:
  • [AppArmor 00/45] AppArmor security module overview
    • From: [email protected]
  • Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
    • From: Andreas Gruenbacher <[email protected]>
  • Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
    • From: Stephen Smalley <[email protected]>
  • Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
    • From: Andreas Gruenbacher <[email protected]>
  • Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
    • From: Greg KH <[email protected]>
  • Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
    • From: [email protected]
  • Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
    • From: Crispin Cowan <[email protected]>

• Prev by Date: Re: kconfig .po files in kernel tree? [Was: Documentation/HOWTO translated into Japanese]
• Next by Date: Re: [KJ] [PATCH] drivers/acpi: sizeof/sizeof array size calculations replaced with ARRAY_SIZE
• Previous by thread: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
• Next by thread: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]