From: Joshua Brindle <method@gentoo.org>
To: Neil Brown <neilb@suse.de>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
Chris Wright <chrisw@sous-sol.org>,
James Morris <jmorris@namei.org>,
Arjan van de Ven <arjan@infradead.org>, Andi Kleen <ak@suse.de>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [RFC][PATCH 0/11] security: AppArmor - Overview
Date: Mon, 24 Apr 2006 09:11:31 -0400 [thread overview]
Message-ID: <444CCE83.90704@gentoo.org> (raw)
In-Reply-To: <17484.20906.122444.964025@cse.unsw.edu.au>
Neil Brown wrote:
> On Friday April 21, sds@tycho.nsa.gov wrote:
>>
>> Access control of any form requires unambiguous identification of
>> subjects and objects in the system. Paths don't achieve such
>> identification. Is that broken enough? If not, what is? What
>> qualifies as broken?
>>
>
> I have to disagree with this. Paths *do* achieve unambiguous
> identification of something. That something is ..... the path.
>
>
On the contrary. Due to namespaces a single path can describe many
different files, depending on the namespace you are in. Same with
chroots, if an app that is chrooted can read /etc/shadow it can also
read it outside the chroot. Even if this weren't the case the path isn't
the object. Objects are 'things' being acted upon by a subject. A path
is merely an address to an object. A burglar might use your address to
get to your house but in the end it's your house he's robbing, not the
address.
> Think about the name of this system for a minute. "AppArmor".
> i.e. it is Armour for an Application. It protects the application.
> It doesn't (as far as I can tell: I'm not an expert and don't work on
> this thing) claim to protect files. It protects applications.
>
A large part of protecting applications is protecting which apps can
interact with those applications, directly or indirectly. Without the
ability to look at the policy and know if its actually doing what you
think it is (which you can't with path based access control) you have no
way of telling whether an application is actually protected. This leads
to false sense of security.
Another large part of protecting applications is protecting the system
which supports them. The apparmor crowd will claim that these apps are
trusted but there are many ways a confined application can indirectly
influence an unconfined application and most privilege escalation
attacks are multi-step already thus buying little.
> It protects them from doing the wrong thing - from doing something
> they weren't designed to do. i.e. it protects them from being
> subverted by exploiting a bug.
>
> A large part of the behaviour of an application is the path names that
> it uses and what it does with them. If an application started doing
> unexpected things with unexpected paths (e.g. exec("/bin/sh") or
> open("/etc/shadow",O_RDONLY)) then this is a sure sign that it has
> been subverted and that AppArmor need to protect it, from itself.
>
>
Sure but if, instead, it's able to open /var/chroot/etc/shadow which is
a hardlink to /etc/shadow you've bought nothing. You may filter out
worms and script kiddies this way but in the end you are using obscurity
(of filesystem layout, what the policy allows, how the apps are
configured, etc) for security, which again, leads to a false sense of
security.
> Obviously the protection will not be complete. The profiles describe
> what the application is expected to do, and to some extent, this
> description will be in general terms. It might identify files that
> can be written to, but not what will be written to them. etc.
>
> While the protection against subversion cannot be complete, it can be
> sufficient to dramatically reduce the chances of privilege
> escalation. There are lots of wrong things you can get an
> application to do once you find an exploitable bug. Many of these
> will lead to a crash. AppArmor will not try to protect against these
> (I suspect). There are substantially fewer that lead to privilege
> escalation. AppArmor focusses its effort in terms of profile design
> on exactly these sorts of unplanned behaviours.
>
>
It only reduces the chance to inexperienced and/or lazy hackers ;) . It
wouldn't take someone experienced to figure out that you have apparmor
running on the system and thus know how to break/bypass it. Once again,
false sense of security.
> So I think you still haven't given convincing evidence that AppArmor
> is broken by design.
>
I haven't heard any responses to any of the ~11ish points brought up at
http://securityblog.org/brindle/2006/04/19/security-anti-pattern-path-based-access-control/
. Its very long but I can paste it into an email if necessary.
In particular I'd love to hear about how Apparmor is so easy to use,
considering the apparmor crowd advocates things like making hardlinks to
/bin/bash and setting that new path to a 'restricted' users login shell.
This is not obvious, secure, scalable or intuitive. I'd hope most
administrators recognize the severe limitations of this 'solution' and
opt for something stronger.
Joshua Brindle
next prev parent reply other threads:[~2006-04-24 13:11 UTC|newest]
Thread overview: 174+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-04-19 17:49 [RFC][PATCH 0/11] security: AppArmor - Overview Tony Jones
2006-04-19 17:49 ` [RFC][PATCH 1/11] security: AppArmor - Integrate into kbuild Tony Jones
2006-04-19 17:57 ` Arjan van de Ven
2006-04-19 18:10 ` Tony Jones
2006-04-19 18:35 ` Valdis.Kletnieks
2006-04-19 19:55 ` Adrian Bunk
2006-04-19 20:52 ` Tony Jones
2006-04-19 17:49 ` [RFC][PATCH 2/11] security: AppArmor - Core headers Tony Jones
2006-04-19 18:01 ` Arjan van de Ven
2006-04-20 17:43 ` Tony Jones
2006-04-19 17:49 ` [RFC][PATCH 3/11] security: AppArmor - LSM interface Tony Jones
2006-04-19 18:05 ` Arjan van de Ven
2006-04-19 17:49 ` [RFC][PATCH 4/11] security: AppArmor - Core access controls Tony Jones
2006-04-19 18:10 ` Arjan van de Ven
2006-04-19 18:57 ` Crispin Cowan
2006-04-19 23:05 ` Rik van Riel
2006-04-19 23:18 ` Seth Arnold
2006-04-19 23:21 ` Rik van Riel
2006-04-19 23:50 ` Crispin Cowan
2006-04-20 12:33 ` Stephen Smalley
2006-04-20 16:27 ` Lars Marowsky-Bree
2006-04-20 17:39 ` Tony Jones
2006-04-19 19:32 ` Jan Engelhardt
2006-04-19 19:50 ` Stephen Smalley
2006-04-20 9:40 ` Al Viro
2006-04-20 11:40 ` Serge E. Hallyn
2006-04-20 21:39 ` Tony Jones
2006-04-19 17:49 ` [RFC][PATCH 5/11] security: AppArmor - Filesystem Tony Jones
2006-04-21 21:13 ` Amy Griffis
2006-04-19 17:49 ` [RFC][PATCH 6/11] security: AppArmor - Userspace interface Tony Jones
2006-04-20 21:39 ` Pavel Machek
2006-04-21 18:01 ` Tony Jones
2006-04-21 18:41 ` Pavel Machek
2006-04-19 17:50 ` [RFC][PATCH 7/11] security: AppArmor - Misc (capabilities, data structures) Tony Jones
2006-04-19 18:16 ` Stephen Hemminger
2006-04-19 17:50 ` [RFC][PATCH 8/11] security: AppArmor - Pathname matching submodule Tony Jones
2006-04-19 17:50 ` [RFC][PATCH 9/11] security: AppArmor - Audit changes Tony Jones
2006-04-21 21:21 ` Amy Griffis
2006-04-22 0:13 ` Steve Grubb
2006-04-22 0:13 ` Steve Grubb
2006-04-22 0:19 ` Tony Jones
2006-04-19 17:50 ` [RFC][PATCH 10/11] security: AppArmor - Add flags to d_path Tony Jones
2006-04-19 22:12 ` Christoph Hellwig
2006-04-20 5:36 ` Tony Jones
2006-04-20 8:26 ` Arjan van de Ven
2006-04-20 16:43 ` Tony Jones
2006-04-20 17:04 ` Christoph Hellwig
2006-04-20 17:50 ` Tony Jones
2006-04-21 12:16 ` Stephen Smalley
2006-04-24 13:05 ` Alan Cox
2006-04-19 17:50 ` [RFC][PATCH 11/11] security: AppArmor - Export namespace semaphore Tony Jones
2006-04-19 22:10 ` Christoph Hellwig
2006-04-20 12:39 ` Stephen Smalley
2006-04-20 12:46 ` Serge E. Hallyn
2006-04-20 12:05 ` Stephen Smalley
2006-04-20 13:21 ` Serge E. Hallyn
2006-04-20 12:48 ` Stephen Smalley
2006-04-20 12:58 ` Stephen Smalley
2006-04-20 22:11 ` Linda A. Walsh
2006-04-20 23:05 ` Christoph Hellwig
2006-04-21 1:29 ` Linda A. Walsh
2006-04-21 2:09 ` Chris Wright
2006-04-21 5:10 ` Linda Walsh
2006-04-23 12:11 ` Arjan van de Ven
2006-04-21 14:02 ` Stephen Smalley
2006-04-20 19:45 ` Tony Jones
2006-04-20 20:16 ` Serge E. Hallyn
2006-04-20 20:22 ` James Morris
2006-04-20 21:50 ` Linda Walsh
2006-04-20 21:56 ` Al Viro
2006-04-20 23:54 ` James Morris
2006-04-21 13:59 ` Stephen Smalley
2006-04-19 18:14 ` [RFC][PATCH 0/11] security: AppArmor - Overview Arjan van de Ven
2006-04-19 22:32 ` Andi Kleen
2006-04-19 23:00 ` grundig
2006-04-19 23:38 ` Andi Kleen
2006-04-20 1:32 ` Crispin Cowan
2006-04-20 13:00 ` grundig
2006-04-20 13:09 ` Serge E. Hallyn
2006-04-20 13:15 ` Al Viro
2006-04-21 0:11 ` Tony Jones
2006-04-24 13:01 ` Alan Cox
2006-04-20 8:42 ` Arjan van de Ven
2006-04-20 19:26 ` Crispin Cowan
2006-04-20 19:27 ` Chris Wright
2006-04-21 12:18 ` Stephen Smalley
2006-04-21 17:30 ` Chris Wright
2006-04-21 18:07 ` Stephen Smalley
2006-04-21 20:06 ` Valdis.Kletnieks
2006-04-21 20:35 ` Stephen Smalley
2006-04-21 20:44 ` Stephen Smalley
2006-04-21 21:38 ` Dave Neuer
2006-04-22 10:01 ` Thomas Bleher
2006-04-24 4:18 ` Neil Brown
2006-04-24 7:03 ` Theodore Ts'o
2006-04-24 13:04 ` Pavel Machek
2006-04-24 13:43 ` Joshua Brindle
2006-04-24 21:07 ` Stephen Smalley
2006-04-24 23:52 ` Theodore Ts'o
2006-04-25 6:22 ` Arjan van de Ven
2006-04-25 16:45 ` Stephen Smalley
2006-04-25 16:52 ` Arjan van de Ven
2006-04-25 17:43 ` Seth Arnold
2006-04-25 18:34 ` Valdis.Kletnieks
2006-04-25 18:48 ` Stephen Smalley
2006-04-25 18:56 ` Valdis.Kletnieks
2006-04-25 4:25 ` Casey Schaufler
2006-04-25 7:50 ` James Morris
2006-04-25 12:46 ` Theodore Ts'o
2006-04-25 15:06 ` Stephen Smalley
2006-04-25 16:00 ` Casey Schaufler
2006-04-25 16:21 ` Randy.Dunlap
2006-04-26 3:42 ` Casey Schaufler
2006-04-26 12:15 ` Stephen Smalley
2006-04-27 0:21 ` Casey Schaufler
2006-04-27 14:47 ` Karl MacMillan
2006-04-25 17:29 ` Stephen Smalley
2006-04-26 3:56 ` Casey Schaufler
2006-04-26 11:32 ` Stephen Smalley
2006-04-25 16:47 ` Stephen Smalley
2006-04-24 7:14 ` Arjan van de Ven
2006-04-24 8:11 ` Lars Marowsky-Bree
2006-04-25 19:27 ` Seth Arnold
2006-04-24 13:11 ` Joshua Brindle [this message]
2006-04-24 13:26 ` Andi Kleen
2006-04-24 13:39 ` Joshua Brindle
2006-04-24 15:16 ` Joshua Brindle
2006-04-24 15:50 ` Tony Jones
2006-04-24 17:03 ` Joshua Brindle
2006-04-25 17:12 ` Valdis.Kletnieks
2006-04-25 17:34 ` Tony Jones
2006-04-24 13:52 ` Alan Cox
2006-04-24 14:09 ` Andi Kleen
2006-04-24 20:45 ` Stephen Smalley
2006-04-25 8:10 ` Neil Brown
2006-04-25 8:28 ` Al Viro
2006-04-25 12:42 ` James Carter
2006-04-25 12:43 ` Andi Kleen
2006-04-25 14:50 ` James Carter
2006-04-25 15:01 ` Stephen Smalley
2006-04-25 18:11 ` Tony Jones
2006-04-25 21:25 ` Stephen Smalley
2006-04-25 17:07 ` Stephen Smalley
2006-04-26 22:15 ` Some Concrete AppArmor Questions - was " Neil Brown
2006-04-26 23:06 ` Ken Brush
2006-04-27 4:15 ` Andi Kleen
2006-04-27 6:52 ` Arjan van de Ven
2006-04-27 7:40 ` Chris Wright
2006-04-27 10:17 ` Chris Wright
2006-04-27 14:42 ` Karl MacMillan
2006-04-27 23:44 ` Chris Wright
2006-04-28 13:02 ` Stephen Smalley
2006-04-28 15:49 ` Casey Schaufler
2006-04-28 16:04 ` Stephen Hemminger
2006-04-28 21:49 ` James Morris
2006-04-28 16:56 ` Karl MacMillan
2006-04-27 16:03 ` Stephen Smalley
2006-04-27 22:38 ` Chris Wright
2006-04-28 13:00 ` Stephen Smalley
2006-04-27 17:43 ` Stephen Smalley
2006-04-27 17:58 ` Ken Brush
2006-04-28 11:28 ` Stephen Smalley
2006-04-28 11:47 ` Andi Kleen
2006-04-28 12:28 ` Stephen Smalley
2006-04-27 11:02 ` Christoph Hellwig
2006-04-27 11:05 ` Andi Kleen
2006-04-20 11:29 ` Serge E. Hallyn
2006-04-20 13:24 ` Christoph Hellwig
2006-04-20 22:32 ` Linda A. Walsh
2006-04-20 12:17 ` Stephen Smalley
2006-04-20 15:38 ` Joshua Brindle
2006-04-20 19:57 ` Crispin Cowan
2006-04-21 13:34 ` Stephen Smalley
2006-04-22 12:27 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=444CCE83.90704@gentoo.org \
--to=method@gentoo.org \
--cc=ak@suse.de \
--cc=arjan@infradead.org \
--cc=chrisw@sous-sol.org \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=neilb@suse.de \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.