Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

On Mon, 25 Jun 2007, Pavel Machek wrote:

Hi!

We've been over the "AA is different" discussion in threads about a
billion times, and at the last kernel summit.  I think Lars and others
have done a pretty good job of describing the problems they are trying
to solve, can we please move on to discussing technical issues around
that?


Actually, I surprised Lars a lot by telling him ln /etc/shadow /tmp/
allows any user to make AA ineffective on large part of systems -- in
internal discussion. (It is not actually a _bug_, but it is certainly
unexpected).

(Does it surprise you, too? I'm pretty sure it would surprise many users).

no, it doesn't surprise me in the least. AA is controlling access to thething called /etc/shadow, if you grant access to it in other ways youbypass the restrictions.

if you follow the ln /etc/shadow /tmp/ with chmod 777 /tmp/shadow thesystem is completely insecure.

this is standard stuff that normal sysadmins expect. it's only people whohave focused on the label approach who would expect it to be anydifferent.

James summarized it nicely:

# The design of the AppArmor is based on _appearing simple_, but at the
# expense of completeness and thus correctness.

If even Lars can be surprised by AAs behaviour, I do not think we can
say "AA is different". I'm afraid that AA is trap for users. It
appears simple, and mostly does what it is told, but does not do _what
user wants_.

I thought it had been made very clear that hard links like this were apotential way around the restrictions, which is why controlled tasks arenot allowed to do arbatrary hard links.


David Lang
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

References:
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: Pavel Machek <[email protected]>
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: Lars Marowsky-Bree <[email protected]>
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: James Morris <[email protected]>
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: Lars Marowsky-Bree <[email protected]>
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: Stephen Smalley <[email protected]>
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: Chris Mason <[email protected]>
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: James Morris <[email protected]>
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: Chris Mason <[email protected]>
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: James Morris <[email protected]>
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: Chris Mason <[email protected]>
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: Pavel Machek <[email protected]>

Prev by Date: Re: [PATCH 1/2] Always probe the NMI watchdog
Next by Date: [PATCH] serial: Clear proper MPSC interrupt cause bits
Previous by thread: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
Next by thread: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]