Re: [Apparmor-dev] Re: AppArmor Security Goal

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Crispin Cowan <crispin@crispincowan.com>
To: rmeijer@xs4all.nl, apparmor-dev@forge.novell.com
Cc: Crispin Cowan <crispin@crispincowan.com>,
	LSM ML <linux-security-module@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Arjan van de Ven <arjan@infradead.org>
Subject: Re: [Apparmor-dev] Re: AppArmor Security Goal
Date: Tue, 13 Nov 2007 00:23:28 -0800	[thread overview]
Message-ID: <47395F00.6080507@crispincowan.com> (raw)
In-Reply-To: <10657.80.126.27.205.1194933072.squirrel@webmail.xs4all.nl>

Re-sent with proper addressing ...

Rob Meijer wrote:
>> The
>> system is "defended" in that the worst the attacker can do to corrupt
>> the system is limited to the transitive closure of what the confined
>> processes are allowed to access.
>>     
> The damage the atacker can do would be defined by the authority not the
> permissions the process has.
>   
As far as I can tall, the transitive closure of permissions is precisely
authority.

>>     * AppArmor confines processes if they are children of a confined
>>       process, or if the name of the exec'd child matches the name of an
>>       AppArmor profile.
>>     
> What is left unspecified here is 'how' a child 'with its own profile' is
> confined here. Are it is confined to just its own profile, it may that
> the "complicit process" communication may need to be wider specified to
> include this.
>   
It is deliberately unspecified in this document, because it is a matter
of policy. And this item that you've excerpted is just one of a list of
specific disclaimers that were put here in response to criticisms and
misunderstandings of AppArmor in the past.

Remember, the purpose of *this* document is to define the security goals
that AppArmor has to live up to. It is fine to use it as a jumping off
point for design ideas that some system might employ some day, or even
proposed enhancements to AppArmor itself, but don't over-burden the
"security goal" document, it needs to be short & comprehensible.

>>     * A confined process can operate on a file descriptor passed to it
>>       by an unconfined process, even if it manipulates a file not in the
>>       confined process's profile. To block this attack, confine the
>>       process that passed the file descriptor.
>>     
> This should not count as an 'attack' given that the unconfined process
> would either be trusted, or be mallicious and fall inside the "influence"
> of the confined process anyway.
>   
It counts as a surprising result, and so is specifically disclaimed. I
can tell it is surprising, because it surprised Andi Kleen :)

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin
CEO, Mercenary Linux		   http://mercenarylinux.com/
	       Itanium. Vista. GPLv3. Complexity at work

next      parent reply	other threads:[~2007-11-13  8:23 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <10657.80.126.27.205.1194933072.squirrel@webmail.xs4all.nl>
2007-11-13  8:23 ` Crispin Cowan [this message]
2007-11-15 22:58   ` [Apparmor-dev] Re: AppArmor Security Goal Peter Dolding
2007-11-17  1:08     ` More LSM vs. Containers (having nothing at all to do with the AppArmor Security Goal) Crispin Cowan
2007-11-17  7:57       ` Peter Dolding
2007-11-17 19:22         ` Casey Schaufler
2007-11-18 11:35           ` Peter Dolding
2007-11-18 19:25             ` Crispin Cowan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=47395F00.6080507@crispincowan.com \
    --to=crispin@crispincowan.com \
    --cc=apparmor-dev@forge.novell.com \
    --cc=arjan@infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=rmeijer@xs4all.nl \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.