From: "Theodore Ts'o" <tytso@mit.edu>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Neil Brown <neilb@suse.de>, Chris Wright <chrisw@sous-sol.org>,
James Morris <jmorris@namei.org>,
Arjan van de Ven <arjan@infradead.org>, Andi Kleen <ak@suse.de>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [RFC][PATCH 0/11] security: AppArmor - Overview
Date: Mon, 24 Apr 2006 23:52:17 +0000 [thread overview]
Message-ID: <20060424235215.GA5893@thunk.org> (raw)
In-Reply-To: <1145912876.14804.91.camel@moss-spartans.epoch.ncsc.mil>
On Mon, Apr 24, 2006 at 05:07:56PM -0400, Stephen Smalley wrote:
> > The goal of protecting against broken, buggy applications is a worthy
> > one. If people can show that for a large set of stack overruns, or
> > other types of buggy applications, it is possible to evade AppArmor by
> > doing something clever, then AppArmor would need to be fixed or it's
> > not worth doing. But if it can prevent a large class of buggy
> > applications from allowing an atttacker to escalate that bugginess
> > into a system penetration, then it has added value.
>
> Does it have any hope of stopping an attacker who has designed his
> attack with full knowledge of AppArmor's design and implementation (no
> security through obscurity)?
Well, it also depends on your threat model, right? What capabilities
are you assuming the attacker will have? Does the attacker have an
account on the system? Or has the attacker just exploited a stack
overrun in a network daemon, or a failure to check some input field
coming from the network, and the goal is to stop the attacker from
escalating that to gaining full root privs on the system.
There is a big difference between assuming the attacker has full
knowledge of AppArmor's design and implementation, which granted, is a
fair assumpion (no security through obsecurity) and assuming the
attacker has full root privs, and still wanting to stop them (i.e.,
mandatory access controls). You seem to be judging AppArmor with the
goals of SELinux, and that's not necessarily a fair comparison.
A Hummer can go through 36 inches of standing water, where as a Prius
can not. Does that mean that a Prius is a failure? Only if you judge
it by the standards of the Hummer. But from point of view of gas
mileage, the Prius will run circles around the Hummer....
> The problems with path-based mechanisms are technical in nature, not
> just philosophical.
If you restrict namespaces and chroot, then it solves that particular
problem. It will be useless for software packages that use
namespaces, such as for example if a hypothetical future version of a
propietary source code management tool decided to use shared subtree
support. There are however a huge number of software packages,
including most commercial/propietary packages that have to work across
a broad range of heterogenous systems, including AIX, Solaris, and
Linux, that won't be using namespaces and shared subtrees anytime
soon.
- Ted
next prev parent reply other threads:[~2006-04-24 23:55 UTC|newest]
Thread overview: 174+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-04-19 17:49 [RFC][PATCH 0/11] security: AppArmor - Overview Tony Jones
2006-04-19 17:49 ` [RFC][PATCH 1/11] security: AppArmor - Integrate into kbuild Tony Jones
2006-04-19 17:57 ` Arjan van de Ven
2006-04-19 18:10 ` Tony Jones
2006-04-19 18:35 ` Valdis.Kletnieks
2006-04-19 19:55 ` Adrian Bunk
2006-04-19 20:52 ` Tony Jones
2006-04-19 17:49 ` [RFC][PATCH 2/11] security: AppArmor - Core headers Tony Jones
2006-04-19 18:01 ` Arjan van de Ven
2006-04-20 17:43 ` Tony Jones
2006-04-19 17:49 ` [RFC][PATCH 3/11] security: AppArmor - LSM interface Tony Jones
2006-04-19 18:05 ` Arjan van de Ven
2006-04-19 17:49 ` [RFC][PATCH 4/11] security: AppArmor - Core access controls Tony Jones
2006-04-19 18:10 ` Arjan van de Ven
2006-04-19 18:57 ` Crispin Cowan
2006-04-19 23:05 ` Rik van Riel
2006-04-19 23:18 ` Seth Arnold
2006-04-19 23:21 ` Rik van Riel
2006-04-19 23:50 ` Crispin Cowan
2006-04-20 12:33 ` Stephen Smalley
2006-04-20 16:27 ` Lars Marowsky-Bree
2006-04-20 17:39 ` Tony Jones
2006-04-19 19:32 ` Jan Engelhardt
2006-04-19 19:50 ` Stephen Smalley
2006-04-20 9:40 ` Al Viro
2006-04-20 11:40 ` Serge E. Hallyn
2006-04-20 21:39 ` Tony Jones
2006-04-19 17:49 ` [RFC][PATCH 5/11] security: AppArmor - Filesystem Tony Jones
2006-04-21 21:13 ` Amy Griffis
2006-04-19 17:49 ` [RFC][PATCH 6/11] security: AppArmor - Userspace interface Tony Jones
2006-04-20 21:39 ` Pavel Machek
2006-04-21 18:01 ` Tony Jones
2006-04-21 18:41 ` Pavel Machek
2006-04-19 17:50 ` [RFC][PATCH 7/11] security: AppArmor - Misc (capabilities, data structures) Tony Jones
2006-04-19 18:16 ` Stephen Hemminger
2006-04-19 17:50 ` [RFC][PATCH 8/11] security: AppArmor - Pathname matching submodule Tony Jones
2006-04-19 17:50 ` [RFC][PATCH 9/11] security: AppArmor - Audit changes Tony Jones
2006-04-21 21:21 ` Amy Griffis
2006-04-22 0:13 ` Steve Grubb
2006-04-22 0:13 ` Steve Grubb
2006-04-22 0:19 ` Tony Jones
2006-04-19 17:50 ` [RFC][PATCH 10/11] security: AppArmor - Add flags to d_path Tony Jones
2006-04-19 22:12 ` Christoph Hellwig
2006-04-20 5:36 ` Tony Jones
2006-04-20 8:26 ` Arjan van de Ven
2006-04-20 16:43 ` Tony Jones
2006-04-20 17:04 ` Christoph Hellwig
2006-04-20 17:50 ` Tony Jones
2006-04-21 12:16 ` Stephen Smalley
2006-04-24 13:05 ` Alan Cox
2006-04-19 17:50 ` [RFC][PATCH 11/11] security: AppArmor - Export namespace semaphore Tony Jones
2006-04-19 22:10 ` Christoph Hellwig
2006-04-20 12:39 ` Stephen Smalley
2006-04-20 12:46 ` Serge E. Hallyn
2006-04-20 12:05 ` Stephen Smalley
2006-04-20 13:21 ` Serge E. Hallyn
2006-04-20 12:48 ` Stephen Smalley
2006-04-20 12:58 ` Stephen Smalley
2006-04-20 22:11 ` Linda A. Walsh
2006-04-20 23:05 ` Christoph Hellwig
2006-04-21 1:29 ` Linda A. Walsh
2006-04-21 2:09 ` Chris Wright
2006-04-21 5:10 ` Linda Walsh
2006-04-23 12:11 ` Arjan van de Ven
2006-04-21 14:02 ` Stephen Smalley
2006-04-20 19:45 ` Tony Jones
2006-04-20 20:16 ` Serge E. Hallyn
2006-04-20 20:22 ` James Morris
2006-04-20 21:50 ` Linda Walsh
2006-04-20 21:56 ` Al Viro
2006-04-20 23:54 ` James Morris
2006-04-21 13:59 ` Stephen Smalley
2006-04-19 18:14 ` [RFC][PATCH 0/11] security: AppArmor - Overview Arjan van de Ven
2006-04-19 22:32 ` Andi Kleen
2006-04-19 23:00 ` grundig
2006-04-19 23:38 ` Andi Kleen
2006-04-20 1:32 ` Crispin Cowan
2006-04-20 13:00 ` grundig
2006-04-20 13:09 ` Serge E. Hallyn
2006-04-20 13:15 ` Al Viro
2006-04-21 0:11 ` Tony Jones
2006-04-24 13:01 ` Alan Cox
2006-04-20 8:42 ` Arjan van de Ven
2006-04-20 19:26 ` Crispin Cowan
2006-04-20 19:27 ` Chris Wright
2006-04-21 12:18 ` Stephen Smalley
2006-04-21 17:30 ` Chris Wright
2006-04-21 18:07 ` Stephen Smalley
2006-04-21 20:06 ` Valdis.Kletnieks
2006-04-21 20:35 ` Stephen Smalley
2006-04-21 20:44 ` Stephen Smalley
2006-04-21 21:38 ` Dave Neuer
2006-04-22 10:01 ` Thomas Bleher
2006-04-24 4:18 ` Neil Brown
2006-04-24 7:03 ` Theodore Ts'o
2006-04-24 13:04 ` Pavel Machek
2006-04-24 13:43 ` Joshua Brindle
2006-04-24 21:07 ` Stephen Smalley
2006-04-24 23:52 ` Theodore Ts'o [this message]
2006-04-25 6:22 ` Arjan van de Ven
2006-04-25 16:45 ` Stephen Smalley
2006-04-25 16:52 ` Arjan van de Ven
2006-04-25 17:43 ` Seth Arnold
2006-04-25 18:34 ` Valdis.Kletnieks
2006-04-25 18:48 ` Stephen Smalley
2006-04-25 18:56 ` Valdis.Kletnieks
2006-04-25 4:25 ` Casey Schaufler
2006-04-25 7:50 ` James Morris
2006-04-25 12:46 ` Theodore Ts'o
2006-04-25 15:06 ` Stephen Smalley
2006-04-25 16:00 ` Casey Schaufler
2006-04-25 16:21 ` Randy.Dunlap
2006-04-26 3:42 ` Casey Schaufler
2006-04-26 12:15 ` Stephen Smalley
2006-04-27 0:21 ` Casey Schaufler
2006-04-27 14:47 ` Karl MacMillan
2006-04-25 17:29 ` Stephen Smalley
2006-04-26 3:56 ` Casey Schaufler
2006-04-26 11:32 ` Stephen Smalley
2006-04-25 16:47 ` Stephen Smalley
2006-04-24 7:14 ` Arjan van de Ven
2006-04-24 8:11 ` Lars Marowsky-Bree
2006-04-25 19:27 ` Seth Arnold
2006-04-24 13:11 ` Joshua Brindle
2006-04-24 13:26 ` Andi Kleen
2006-04-24 13:39 ` Joshua Brindle
2006-04-24 15:16 ` Joshua Brindle
2006-04-24 15:50 ` Tony Jones
2006-04-24 17:03 ` Joshua Brindle
2006-04-25 17:12 ` Valdis.Kletnieks
2006-04-25 17:34 ` Tony Jones
2006-04-24 13:52 ` Alan Cox
2006-04-24 14:09 ` Andi Kleen
2006-04-24 20:45 ` Stephen Smalley
2006-04-25 8:10 ` Neil Brown
2006-04-25 8:28 ` Al Viro
2006-04-25 12:42 ` James Carter
2006-04-25 12:43 ` Andi Kleen
2006-04-25 14:50 ` James Carter
2006-04-25 15:01 ` Stephen Smalley
2006-04-25 18:11 ` Tony Jones
2006-04-25 21:25 ` Stephen Smalley
2006-04-25 17:07 ` Stephen Smalley
2006-04-26 22:15 ` Some Concrete AppArmor Questions - was " Neil Brown
2006-04-26 23:06 ` Ken Brush
2006-04-27 4:15 ` Andi Kleen
2006-04-27 6:52 ` Arjan van de Ven
2006-04-27 7:40 ` Chris Wright
2006-04-27 10:17 ` Chris Wright
2006-04-27 14:42 ` Karl MacMillan
2006-04-27 23:44 ` Chris Wright
2006-04-28 13:02 ` Stephen Smalley
2006-04-28 15:49 ` Casey Schaufler
2006-04-28 16:04 ` Stephen Hemminger
2006-04-28 21:49 ` James Morris
2006-04-28 16:56 ` Karl MacMillan
2006-04-27 16:03 ` Stephen Smalley
2006-04-27 22:38 ` Chris Wright
2006-04-28 13:00 ` Stephen Smalley
2006-04-27 17:43 ` Stephen Smalley
2006-04-27 17:58 ` Ken Brush
2006-04-28 11:28 ` Stephen Smalley
2006-04-28 11:47 ` Andi Kleen
2006-04-28 12:28 ` Stephen Smalley
2006-04-27 11:02 ` Christoph Hellwig
2006-04-27 11:05 ` Andi Kleen
2006-04-20 11:29 ` Serge E. Hallyn
2006-04-20 13:24 ` Christoph Hellwig
2006-04-20 22:32 ` Linda A. Walsh
2006-04-20 12:17 ` Stephen Smalley
2006-04-20 15:38 ` Joshua Brindle
2006-04-20 19:57 ` Crispin Cowan
2006-04-21 13:34 ` Stephen Smalley
2006-04-22 12:27 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060424235215.GA5893@thunk.org \
--to=tytso@mit.edu \
--cc=ak@suse.de \
--cc=arjan@infradead.org \
--cc=chrisw@sous-sol.org \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=neilb@suse.de \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.