Re: Defense in depth: LSM *modules*, not a static interface

As good an idea POSIX capabilities might be, not all security problems can be solved with a bitmap of on/off permissions.

Peter Dolding wrote:

"AppArmor profile denies all network traffic to a specific
application"  Ok why should AppArmor be required to do this.  Would it
not be better as as part of Capabilities that is always there and is
application controllable.  It would be a security advantage if data
processing threads that don't do network access inside a application
don't have it.  Basically this feature could be done in mirror.  Allow
Network access Capabilities flag.  Not set application cannot access
network at all.  All LSM's would be able to use that to cut of network
access to applications.  As a standard feature of kernel if a new
network stack or some other alteration is done LSM hooks would not
need altering.  Lot of LSM hooks would disappear.  Need for LSM to
monitor and run different code to kernel in a lot of places would also
disappear.

With Capabilities expand it to point that applications cannot do
anything without permissions.  Both models are do able.  Restrictive
can be done in a Permissive model effectively if the starting point of
the Permissive is that you cannot do anything without permissions
being granted.  Big different is that the Permissive Model is the
kernel default.  Some LSM are design in conflict with the main model
of the OS.  You really only want one model from speed point of view

Ok but what happens to the principle of least privilege?

What if we want AppArmor to confine that application to use a particular set of ports?

Do you propose having a capability for each port? how about protocols?

So unless my understanding of capabilities is fundamentally flawed (which it may be - I have not spent time reviewing recent changes) obviously Linux capabilities does not provide a solution to every problem.

Regards,

Cliffe.

--

Z. Cliffe Schreuders
BSc Comp Sci (Hons) & Int Comp
PhD Candidate, Casual Tutor
School of IT
Murdoch University
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: Defense in depth: LSM *modules*, not a static interface
    • From: Casey Schaufler <[email protected]>

• References:
  • Re: Linux Security *Module* Framework (Was: LSM conversion to static interface)
    • From: "Rob Meijer" <[email protected]>
  • Re: Linux Security *Module* Framework (Was: LSM conversion to static interface)
    • From: Crispin Cowan <[email protected]>
  • Re: Linux Security *Module* Framework (Was: LSM conversion to static interface)
    • From: "Peter Dolding" <[email protected]>
  • Defense in depth: LSM *modules*, not a static interface
    • From: Cliffe <[email protected]>
  • Re: Defense in depth: LSM *modules*, not a static interface
    • From: "Simon Arlott" <[email protected]>
  • Re: Defense in depth: LSM *modules*, not a static interface
    • From: Crispin Cowan <[email protected]>
  • Re: Defense in depth: LSM *modules*, not a static interface
    • From: Cliffe <[email protected]>
  • Re: Defense in depth: LSM *modules*, not a static interface
    • From: "Peter Dolding" <[email protected]>

• Prev by Date: Re: [RFC PATCH 2/10] free swap space entries if vm_swap_full()
• Next by Date: Re: [RFC PATCH 0/10] split anon and file LRUs
• Previous by thread: Re: Defense in depth: LSM *modules*, not a static interface
• Next by thread: Re: Defense in depth: LSM *modules*, not a static interface
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]