On Thu, 14 Jun 2007, Jack Stone wrote:
[email protected] wrote:
On Sun, 10 Jun 2007, Pavel Machek wrote:
But you have that regex in _user_ space, in a place where policy
is loaded into kernel.
then the kernel is going to have to call out to userspace every time a
file is created or renamed and the policy is going to be enforced
incorrectly until userspace finished labeling/relabeling whatever is
moved. building this sort of race condigion for security into the kernel
is highly questionable at best.
AA has regex parser in _kernel_ space, which is very wrong.
see Linus' rants about why it's not automaticaly the best thing to move
functionality into userspace.
remember that the files covered by an AA policy can change as files are
renamed. this isn't the case with SELinux so it doesn't have this sort
of problem.
How about using the inotify interface on / to watch for file changes and
updating the SELinux policies on the fly. This could be done from a
userspace daemon and should require minimal SELinux changes.
The only possible problems I can see are the (hopefully) small gap
between the file change and updating the policy and the performance
problems of watching the whole system for changes.
as was mentioned by someone else, if you rename a directory this can
result in millions of files that need to be relabeled (or otherwise have
the policy changed for them)
that can take a significant amount of time to do.
David Lang
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
- References:
- [AppArmor 00/45] AppArmor security module overview
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]