From mboxrd@z Thu Jan  1 00:00:00 1970
From: Lars Marowsky-Bree <lmb@suse.de>
Subject: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
Date: Fri, 22 Jun 2007 14:42:04 +0200
Message-ID: <20070622124204.GR20105@marowsky-bree.de>
References: <46732124.80509@novell.com> <20070616000251.GG2616@elf.ucw.cz> <20070621160840.GA20105@marowsky-bree.de> <20070621183311.GC18990@elf.ucw.cz> <20070621192407.GF20105@marowsky-bree.de> <Line.LNX.4.64.0706211530290.483@localhost.localdomain> <20070621195400.GK20105@marowsky-bree.de> <1182459594.20464.16.camel@moss-spartans.epoch.ncsc.mil> <20070622080640.GB14593@suse.de> <1182513228.24664.24.camel@moss-spartans.epoch.ncsc.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Cc: James Morris <jmorris@namei.org>, Pavel Machek <pavel@ucw.cz>,
	Crispin Cowan <crispin@novell.com>, Greg KH <greg@kroah.com>,
	Andreas Gruenbacher <agruen@suse.de>,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-fsdevel@vger.kernel.org
To: Stephen Smalley <sds@tycho.nsa.gov>,
	John Johansen <jjohansen@suse.de>
Return-path: <linux-security-module-owner@vger.kernel.org>
Content-Disposition: inline
In-Reply-To: <1182513228.24664.24.camel@moss-spartans.epoch.ncsc.mil>
Sender: linux-security-module-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

On 2007-06-22T07:53:47, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> > No the "incomplete" mediation does not flow from the design.  We ha=
ve
> > deliberately focused on doing the necessary modifications for pathn=
ame
> > based mediation.  The IPC and network mediation are a wip.
> The fact that you have to go back to the drawing board for them is th=
at
> you didn't get the abstraction right in the first place.

That's an interesting claim, however I don't think it holds. AA was
designed to mediate file access in a form which is intuitive to admins.

It's to be expected that it doesn't directly apply to mediating other
forms of access.

> I think we must have different understandings of the words "generaliz=
e"
> and "analyzable".  Look, if I want to be able to state properties abo=
ut
> data flow in the system for confidentiality or integrity goals (my
> secret data can never leak to unauthorized entities, my critical data
> can never be corrupted/tainted by unauthorized entities - directly or
> indirectly),

I seem to think that this is not what AA is trying to do, so evaluating
it in that context doesn't seem useful. It's like saying a screw driver
isn't a hammer, so it is useless because you have a nail.


Regards,
    Lars

--=20
Teamlead Kernel, SuSE Labs, Research and Development
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG N=FCrnberg)
"Experience is the name everyone gives to their mistakes." -- Oscar Wil=
de

-
To unsubscribe from this list: send the line "unsubscribe linux-securit=
y-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html