Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

Crispin Cowan wrote:

[email protected] wrote:

On Fri, 8 Jun 2007, Greg KH wrote:

I still want to see a definition of the AA "model" that we can then use
to try to implement using whatever solution works best.  As that seems
to be missing the current argument of if AA can or can not be
implemented using SELinux or something totally different should be
stopped.

the way I would describe the difference betwen AA and SELinux is:

SELinux is like a default allow IPS system, you have to describe
EVERYTHING to the system so that it knows what to allow and what to stop.

AA is like a default deny firewall, you describe what you want to
happen, and it blocks everything else without you even having to
realize that it's there.

That's not quite right:

    * SELinux Strict Policy is a default-deny system: it specifies
      everything that is permitted system wide, and all else is denied.
    * AA and the SELinux Targeted Policy are hybrid systems:
          o default-deny within a policy or profile: confined processes
            are only permitted to do what the policy says, and all else
            is denied.
          o default-allow system wide: unconfined processes are allowed
            to do anything that classic DAC permissions allow.

Still not completely correct, though the targeted policy has anunconfined domain (unconfined_t) the policy still has allow rules foreverything unconfined can do, 2 examples of things unconfined stillcan't do (because they aren't allowed by the targeted policy) is execmemand a while back when there was a /proc exploit that required setattr on/proc/self/environ; unconfined_t wasn't able to do that either (andtherefore the exploit didn't work on a targeted system).

That said, the differentiation between strict and targeted is going awaysoon so that one can have some users be unconfined (but still with a fewrestrictions) and others can be fully restricted.


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

References:
- [AppArmor 00/45] AppArmor security module overview
  - From: [email protected]
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: Andreas Gruenbacher <[email protected]>
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: Stephen Smalley <[email protected]>
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: Andreas Gruenbacher <[email protected]>
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: Greg KH <[email protected]>
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: [email protected]
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: Crispin Cowan <[email protected]>

Prev by Date: Re: kconfig .po files in kernel tree? [Was: Documentation/HOWTO translated into Japanese]
Next by Date: Re: [KJ] [PATCH] drivers/acpi: sizeof/sizeof array size calculations replaced with ARRAY_SIZE
Previous by thread: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
Next by thread: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]