From: John Johansen <jjohansen@suse.de>
To: david@lang.hm
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>,
"Dr. David Alan Gilbert" <linux@treblig.org>,
Crispin Cowan <crispin@crispincowan.com>,
Arjan van de Ven <arjan@infradead.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
LSM ML <linux-security-module@vger.kernel.org>,
apparmor-dev <apparmor-dev@forge.novell.com>
Subject: Re: AppArmor Security Goal
Date: Sat, 10 Nov 2007 19:59:45 -0800 [thread overview]
Message-ID: <20071111035945.GD19216@suse.de> (raw)
In-Reply-To: <Pine.LNX.4.64.0711101720100.4780@asgard.lang.hm>
[-- Attachment #1: Type: text/plain, Size: 2002 bytes --]
On Sat, Nov 10, 2007 at 05:27:51PM -0800, david@lang.hm wrote:
> On Sat, 10 Nov 2007, Alan Cox wrote:
>
>>> but how can the system know if the directory the user wants to add is
>>> reasonable or not? what if the user says they want to store their
>>> documents in /etc?
>>
>> A more clear example is wanting to wrap a specific tool with temporary
>> rules. Those rules would depend on the exact file being edited at this
>> moment - something root cannot know in advance
>> (although with apparmor I guess mv $my_file apparmour_magic.name ; foo;
>> mv it back might work 8))
>
> the mechanism being desired was that the system administrator would setup a
> restrictive policy and a user who wanted a more permissive policy would
> have the ability to make it more permissive.
>
> this sort of thing is a disaster waiting to happen.
>
yep
> however, if App Armor sets things up so that there can be a system policy
> that users cannot touch, but users can have a secondary policy that layers
> over the system one to restrict things further it could be safe.
>
> if a sysadmin wants to have 'soft' and 'hard' limits of what a user can do,
> they could put the 'hard' limits in the system policy (and the users
> _cannot_ violate these limits), and then set the 'soft' limits in the users
> default setup (similar to how .profile is set by default). if a user wants
> to make things less restrictive they could edit or remove the per-user
> policy, but would still not be able to violate the system policy.
>
> however, while this seems attractive, I'm not sure that madness isn't down
> the road a little bit. since the users policy would only apply to
> themselves, you have the situation that (DAC permissions permitting) the
> files are available to other confined processes becouse they are running as
> other users. this sort of thing will surprise people if the explinations
> aren't done very carefully.
>
yes, the devil is in the details.
[-- Attachment #2: Type: application/pgp-signature, Size: 194 bytes --]
next prev parent reply other threads:[~2007-11-11 3:59 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-11-08 21:33 AppArmor Security Goal Crispin Cowan
2007-11-10 21:04 ` Andi Kleen
2007-11-10 21:24 ` Crispin Cowan
2007-11-11 3:23 ` John Johansen
2007-11-10 21:28 ` david
2007-11-11 3:36 ` John Johansen
2007-11-10 22:04 ` Dr. David Alan Gilbert
2007-11-10 22:11 ` Crispin Cowan
2007-11-10 22:24 ` Dr. David Alan Gilbert
2007-11-10 22:41 ` Crispin Cowan
2007-11-10 22:57 ` Alan Cox
2007-11-10 23:14 ` Crispin Cowan
2007-11-10 23:54 ` Alan Cox
2007-11-10 23:25 ` Dr. David Alan Gilbert
2007-11-10 23:52 ` david
2007-11-10 23:47 ` Dr. David Alan Gilbert
2007-11-10 23:56 ` Alan Cox
2007-11-11 1:27 ` david
2007-11-11 3:59 ` John Johansen [this message]
2007-11-12 23:58 ` Crispin Cowan
2007-11-11 4:17 ` John Johansen
2007-11-11 4:50 ` david
2007-11-13 0:13 ` Crispin Cowan
2007-11-11 7:02 ` Rogelio M. Serrano Jr.
2007-11-12 23:50 ` Crispin Cowan
2007-11-13 1:20 ` John Johansen
2007-11-11 2:17 ` Casey Schaufler
2007-11-11 3:55 ` John Johansen
2007-11-13 0:10 ` Joshua Brindle
2007-11-13 4:58 ` Casey Schaufler
-- strict thread matches above, loose matches on Subject: below --
2007-11-11 8:16 Rob Meijer
[not found] <9nngC-6iQ-25@gated-at.bofh.it>
[not found] ` <9o6Qq-2Hk-17@gated-at.bofh.it>
[not found] ` <9o6Qq-2Hk-15@gated-at.bofh.it>
[not found] ` <9o706-2Xe-17@gated-at.bofh.it>
[not found] ` <9o7jp-3lE-5@gated-at.bofh.it>
[not found] ` <9o7Wg-4sT-15@gated-at.bofh.it>
[not found] ` <9of7j-7ej-7@gated-at.bofh.it>
2007-11-12 18:43 ` Bodo Eggert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20071111035945.GD19216@suse.de \
--to=jjohansen@suse.de \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=apparmor-dev@forge.novell.com \
--cc=arjan@infradead.org \
--cc=crispin@crispincowan.com \
--cc=david@lang.hm \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux@treblig.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.