From: Crispin Cowan <crispin@novell.com>
To: Greg KH <greg@kroah.com>
Cc: Pavel Machek <pavel@ucw.cz>, Andreas Gruenbacher <agruen@suse.de>,
Stephen Smalley <sds@tycho.nsa.gov>,
jjohansen@suse.de, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org
Subject: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
Date: Mon, 18 Jun 2007 11:48:57 -0700 [thread overview]
Message-ID: <4676D399.1010603@novell.com> (raw)
In-Reply-To: <20070615234925.GB15056@kroah.com>
Greg KH wrote:
> On Fri, Jun 15, 2007 at 04:30:44PM -0700, Crispin Cowan wrote:
>
>> Then there's all the other problems, such as file systems that don't
>> support extended attributes, particularly NFS3. Yes, NFS3 is vulnerable
>> to network attack, but that is not the threat AA is addressing. AA is
>> preventing an application with access to an NFS mount from accessing the
>> *entire* mount. There is lots of practical security value in this, and
>> label schemes cannot do it. Well, mostly; you could do it with a dynamic
>> labeling scheme that labels files as they are pulled into kernel memory,
>> but that requires an AA-style regexp parser in the kernel to apply the
>> labels.
>>
> You still haven't answered Stephen's response to NFSv3, so until then,
> please don't trot out this horse.
>
Ok then ...
Stephen Smalley wrote:
> - File systems that do not support labels: I'm a bit surprised that you
> would advocate this given your experience in developing EA and ACL
> support for local filesystems and NFS. The pathname-based approach in
> NFS seems even scarier than in the local case - the clients may have
> different views of the namespace than one another or the server and the
> potential for inconsistent views of the tree (particularly as it is
> being modified) during access checks is only greater in the NFS case,
> right? It may be more expedient to implement, but is it the right
> technical approach?
I'm actually unclear on what the question is. Stephen appears to be
thinking of confining the NFS server daemon, and our intended use case
is to use AppArmor to confine applications that access data on NFS clients.
* Each NFS *client* machine has a view of the NFS mount point that
is consistent for that client.
* The AA confinement is of the application accessing the NFS mount
on the client, *not* the NFS server daemon.
* The fact that the views of multiple clients are different from
each other is irrelevant, because we are confining applications on
the client, not the NFS server daemon.
* As noted in Andreas' technical document
http://forgeftp.novell.com//apparmor/LKML_Submission-May_07/techdoc.pdf
there is no purpose to confining the NFS server daemon; it is a
kernel process, and if it mis-behaves, it can completely subvert
any kernel security policy, including AA and SELinux.
Since this point seems to be subtle, here's a motivating example.
Consider I have a diskless workstation, and my home dir /home/crispin is
NFS mounted from a big NAS server over there. I like to run my FireFox
confined, so that it only has access to /home/crispin/.mozilla/** and
/home/crispin/Downloads/** so that if my browser is compromised, the
attacker doesn't get to my /home/.ssh* stuff.
Yes, the data served over NFS is vulnerable to a local network attack,
but that is not what AA is preventing here. The threat is coming from
attacks that make the web browser misbehave.
Under SELinux, I either give the web browser access to all of
/home/crispin (the entire mount point) or none of it. Under AA, the
pathname specification works fine, we can control which directories on
the mount point the application can access.
The same argument applies to server applications that access data served
NFS mount points. Consider a large application server that hosts all my
enterprise resource management stuff, and a large NAS server that hosts
the data. Perhaps the NAS server is a Network Appliance server, not even
using a Linux file system, just supplying NFS3 mounts.
The application server is hosting both the payroll system and the
customer relationship application. The data for both are on the NetApp,
serviced via NFS to the application server. I want to confine the
payroll application to access only the payroll data, and the CRM
application to access only CRM data.
The only way SELinux could do this would be to have anticipated the
problem and store my data on separate partitions, so you could supply
separate mount points. AppArmor can just use path specifications to
confine each application to its own part of a single NFS mount point. In
a perfect world the admin would use separate mount points, AppArmor is a
tool for an imperfect world.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering http://novell.com
AppArmor Chat: irc.oftc.net/#apparmor
next prev parent reply other threads:[~2007-06-18 18:48 UTC|newest]
Thread overview: 213+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-05-14 11:06 [AppArmor 00/45] AppArmor security module overview jjohansen
2007-05-14 11:06 ` [AppArmor 01/45] Pass struct vfsmount to the inode_create LSM hook jjohansen
2007-05-14 11:06 ` [AppArmor 02/45] Pass struct path down to remove_suid and children jjohansen
2007-05-14 11:06 ` [AppArmor 03/45] Add a vfsmount parameter to notify_change() jjohansen
2007-05-14 11:06 ` [AppArmor 04/45] Pass struct vfsmount to the inode_setattr LSM hook jjohansen
2007-05-14 11:06 ` jjohansen
2007-05-14 11:06 ` [AppArmor 05/45] Add struct vfsmount parameter to vfs_mkdir() jjohansen
2007-05-14 11:06 ` [AppArmor 06/45] Pass struct vfsmount to the inode_mkdir LSM hook jjohansen
2007-05-14 11:06 ` jjohansen
2007-05-14 11:06 ` [AppArmor 07/45] Add a struct vfsmount parameter to vfs_mknod() jjohansen
2007-05-14 11:06 ` jjohansen
2007-05-14 11:06 ` [AppArmor 08/45] Pass struct vfsmount to the inode_mknod LSM hook jjohansen
2007-05-14 11:06 ` [AppArmor 09/45] Add a struct vfsmount parameter to vfs_symlink() jjohansen
2007-05-14 11:06 ` [AppArmor 10/45] Pass struct vfsmount to the inode_symlink LSM hook jjohansen
2007-05-14 11:06 ` [AppArmor 11/45] Pass struct vfsmount to the inode_readlink " jjohansen
2007-05-14 11:06 ` [AppArmor 12/45] Add struct vfsmount parameters to vfs_link() jjohansen
2007-05-14 11:06 ` [AppArmor 13/45] Pass the struct vfsmounts to the inode_link LSM hook jjohansen
2007-05-14 11:06 ` [AppArmor 14/45] Add a struct vfsmount parameter to vfs_rmdir() jjohansen
2007-05-14 11:06 ` [AppArmor 15/45] Pass struct vfsmount to the inode_rmdir LSM hook jjohansen
2007-05-14 11:06 ` [AppArmor 16/45] Call lsm hook before unhashing dentry in vfs_rmdir() jjohansen
2007-05-14 11:06 ` [AppArmor 17/45] Add a struct vfsmount parameter to vfs_unlink() jjohansen
2007-05-14 11:06 ` [AppArmor 18/45] Pass struct vfsmount to the inode_unlink LSM hook jjohansen
2007-05-14 11:06 ` [AppArmor 19/45] Add struct vfsmount parameters to vfs_rename() jjohansen
2007-05-14 11:06 ` [AppArmor 20/45] Pass struct vfsmount to the inode_rename LSM hook jjohansen
2007-05-14 11:06 ` [AppArmor 21/45] Add a struct vfsmount parameter to vfs_setxattr() jjohansen
2007-05-14 11:06 ` [AppArmor 22/45] Pass struct vfsmount to the inode_setxattr LSM hook jjohansen
2007-05-14 11:06 ` [AppArmor 23/45] Add a struct vfsmount parameter to vfs_getxattr() jjohansen
2007-05-14 11:06 ` [AppArmor 24/45] Pass struct vfsmount to the inode_getxattr LSM hook jjohansen
2007-05-14 11:06 ` [AppArmor 25/45] Add a struct vfsmount parameter to vfs_listxattr() jjohansen
2007-05-14 11:06 ` jjohansen
2007-05-14 11:06 ` [AppArmor 26/45] Pass struct vfsmount to the inode_listxattr LSM hook jjohansen
2007-05-14 11:06 ` [AppArmor 27/45] Add a struct vfsmount parameter to vfs_removexattr() jjohansen
2007-05-14 11:06 ` [AppArmor 28/45] Pass struct vfsmount to the inode_removexattr LSM hook jjohansen
2007-05-14 11:06 ` [AppArmor 29/45] Fix __d_path() for lazy unmounts and make it unambiguous jjohansen
2007-05-14 11:06 ` [AppArmor 30/45] Make d_path() consistent across mount operations jjohansen
2007-05-14 11:06 ` [AppArmor 31/45] Add d_namespace_path() to compute namespace relative pathnames jjohansen
2007-05-14 11:06 ` [AppArmor 32/45] Enable LSM hooks to distinguish operations on file descriptors from operations on pathnames jjohansen
2007-05-14 11:06 ` [AppArmor 33/45] Pass struct file down the inode_*xattr security LSM hooks jjohansen
2007-05-14 11:06 ` [AppArmor 34/45] Factor out sysctl pathname code jjohansen
2007-05-14 11:06 ` [AppArmor 35/45] Allow permission functions to tell between parent and leaf checks jjohansen
2007-05-15 9:08 ` Pavel Machek
2007-05-14 11:06 ` [AppArmor 36/45] Export audit subsystem for use by modules jjohansen
2007-05-14 11:06 ` [AppArmor 37/45] AppArmor: Main Part jjohansen
2007-05-15 9:12 ` Pavel Machek
2007-05-14 11:06 ` [AppArmor 38/45] AppArmor: Module and LSM hooks jjohansen
2007-05-15 9:14 ` Pavel Machek
2007-05-23 16:16 ` Andreas Gruenbacher
2007-06-04 10:55 ` Pavel Machek
2007-06-04 11:25 ` Andreas Gruenbacher
2007-06-04 11:35 ` Pavel Machek
2007-06-04 11:42 ` Andreas Gruenbacher
2007-06-04 13:12 ` Pavel Machek
2007-06-04 14:30 ` Andreas Gruenbacher
2007-06-06 13:09 ` Stephen Smalley
2007-06-10 23:10 ` Andreas Gruenbacher
2007-06-11 14:33 ` Stephen Smalley
2007-06-11 15:55 ` Andreas Gruenbacher
2007-06-11 19:02 ` Serge E. Hallyn
2007-06-12 13:00 ` Stephen Smalley
2007-06-12 15:34 ` Serge E. Hallyn
2007-06-12 5:17 ` Karl MacMillan
2007-06-12 19:00 ` Serge E. Hallyn
2007-06-12 13:13 ` Stephen Smalley
2007-06-12 23:50 ` Andreas Gruenbacher
2007-06-09 12:58 ` Pavel Machek
2007-06-09 13:44 ` Andreas Gruenbacher
2007-06-12 13:06 ` Pavel Machek
2007-05-14 11:06 ` [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching jjohansen
2007-05-15 9:20 ` Pavel Machek
2007-06-04 21:03 ` Andreas Gruenbacher
2007-06-06 13:26 ` Stephen Smalley
2007-06-06 17:32 ` Greg KH
2007-06-09 23:47 ` Pavel Machek
2007-06-08 22:03 ` Andreas Gruenbacher
2007-06-09 0:17 ` Greg KH
2007-06-09 1:06 ` david
2007-06-10 8:34 ` Pavel Machek
2007-06-10 9:04 ` david
2007-06-10 20:04 ` Casey Schaufler
2007-06-10 20:51 ` Crispin Cowan
2007-06-11 6:45 ` david
2007-06-11 8:29 ` Sean
2007-06-11 9:33 ` david
2007-06-11 11:34 ` Sean
2007-06-11 11:00 ` Pavel Machek
2007-06-10 21:05 ` Pavel Machek
2007-06-11 6:27 ` david
2007-06-14 19:16 ` Jack Stone
2007-06-15 0:18 ` david
2007-06-15 17:01 ` Greg KH
2007-06-12 17:03 ` Lars Marowsky-Bree
2007-06-09 5:18 ` david
2007-06-09 5:46 ` Sean
2007-06-09 7:13 ` david
2007-06-09 7:36 ` Sean
2007-06-09 8:06 ` david
2007-06-09 8:10 ` Sean
2007-06-09 15:17 ` Andreas Gruenbacher
2007-06-09 16:36 ` Sean
2007-06-09 15:33 ` Joshua Brindle
2007-06-09 16:18 ` Kyle Moffett
2007-06-09 16:46 ` david
2007-06-09 17:06 ` Kyle Moffett
2007-06-09 17:32 ` david
2007-06-09 19:50 ` Kyle Moffett
2007-06-09 20:43 ` david
2007-06-10 20:54 ` Crispin Cowan
2007-06-10 21:17 ` Joshua Brindle
2007-06-09 15:05 ` Andreas Gruenbacher
2007-06-10 17:09 ` Crispin Cowan
2007-06-15 16:50 ` Greg KH
2007-06-15 18:01 ` Casey Schaufler
2007-06-15 18:15 ` Stephen Smalley
2007-06-15 20:43 ` Casey Schaufler
2007-06-15 21:14 ` Greg KH
2007-06-15 21:28 ` Karl MacMillan
2007-06-15 21:44 ` Greg KH
2007-06-15 22:24 ` Karl MacMillan
2007-06-18 13:33 ` Stephen Smalley
2007-06-21 15:54 ` Andreas Gruenbacher
2007-06-15 22:37 ` Casey Schaufler
2007-06-18 12:47 ` Stephen Smalley
2007-06-15 20:06 ` Pavel Machek
2007-06-15 21:11 ` Greg KH
2007-06-15 21:42 ` James Morris
2007-06-15 23:50 ` Greg KH
2007-06-16 1:21 ` James Morris
2007-06-16 2:57 ` Casey Schaufler
2007-06-16 3:39 ` James Morris
2007-06-18 1:51 ` Casey Schaufler
2007-06-18 11:29 ` Joshua Brindle
2007-06-16 4:23 ` Greg KH
2007-06-15 23:30 ` Crispin Cowan
2007-06-15 23:49 ` Greg KH
2007-06-16 0:01 ` david
2007-06-16 0:20 ` Pavel Machek
2007-06-22 9:59 ` Andreas Gruenbacher
2007-06-16 0:31 ` Greg KH
2007-06-16 8:09 ` david
2007-06-16 16:24 ` Greg KH
2007-06-16 1:41 ` James Morris
2007-06-16 0:18 ` Seth Arnold
2007-06-16 0:29 ` Greg KH
2007-06-16 1:46 ` James Morris
2007-06-16 2:19 ` James Morris
2007-06-18 18:48 ` Crispin Cowan [this message]
2007-06-21 16:01 ` Andreas Gruenbacher
2007-06-21 17:59 ` Pavel Machek
2007-06-16 0:02 ` Pavel Machek
2007-06-21 16:08 ` Lars Marowsky-Bree
2007-06-21 18:33 ` Pavel Machek
2007-06-21 19:24 ` Lars Marowsky-Bree
2007-06-21 19:42 ` James Morris
2007-06-21 19:54 ` Lars Marowsky-Bree
2007-06-21 20:59 ` Stephen Smalley
2007-06-21 21:17 ` Lars Marowsky-Bree
2007-06-22 0:16 ` Joshua Brindle
2007-06-22 0:19 ` Lars Marowsky-Bree
2007-06-22 0:28 ` david
2007-06-22 3:45 ` Joshua Brindle
2007-06-22 5:07 ` david
2007-06-22 10:49 ` Lars Marowsky-Bree
2007-06-22 11:19 ` Stephen Smalley
2007-06-22 11:34 ` Neil Brown
2007-06-22 11:48 ` Stephen Smalley
2007-06-22 11:37 ` Lars Marowsky-Bree
2007-06-22 12:41 ` Stephen Smalley
2007-06-22 12:54 ` Lars Marowsky-Bree
2007-06-22 13:22 ` Stephen Smalley
2007-06-22 14:49 ` Stephen Smalley
2007-06-22 16:06 ` Casey Schaufler
2007-06-22 0:34 ` Chris Mason
2007-06-22 1:06 ` James Morris
2007-06-22 4:17 ` Crispin Cowan
2007-06-22 12:20 ` Stephen Smalley
2007-06-22 7:40 ` John Johansen
2007-06-22 12:17 ` Chris Mason
2007-06-22 13:48 ` James Morris
2007-06-22 14:02 ` Chris Mason
2007-06-22 14:23 ` James Morris
2007-06-22 17:30 ` Chris Mason
2007-06-23 0:11 ` Chris Wright
2007-06-24 0:10 ` Toshiharu Harada
2007-06-24 0:40 ` Toshiharu Harada
2007-06-26 21:01 ` Crispin Cowan
2007-06-24 20:43 ` Pavel Machek
2007-06-22 18:12 ` david
2007-06-25 15:14 ` Pavel Machek
2007-06-25 21:02 ` david
2007-06-26 8:50 ` Lars Marowsky-Bree
2007-06-22 8:06 ` John Johansen
2007-06-22 11:53 ` Stephen Smalley
2007-06-22 12:42 ` Lars Marowsky-Bree
2007-06-22 12:46 ` Stephen Smalley
2007-06-22 18:35 ` david
2007-06-21 20:07 ` Pavel Machek
2007-06-21 20:21 ` Lars Marowsky-Bree
2007-06-21 23:25 ` John Johansen
2007-06-21 19:30 ` david
2007-06-21 19:35 ` Lars Marowsky-Bree
2007-06-21 19:52 ` Pavel Machek
2007-06-15 23:33 ` Seth Arnold
2007-06-15 23:39 ` Pavel Machek
2007-06-16 0:07 ` Seth Arnold
2007-06-11 15:16 ` Stephen Smalley
2007-05-14 11:06 ` [AppArmor 40/45] AppArmor: all the rest jjohansen
2007-05-14 11:06 ` [AppArmor 41/45] Add AppArmor LSM to security/Makefile jjohansen
2007-05-14 11:06 ` [AppArmor 42/45] AppArmor: add lock subtyping so lockdep does not report false dependencies jjohansen
2007-05-14 11:06 ` [AppArmor 43/45] Switch to vfs_permission() in do_path_lookup() jjohansen
2007-05-14 11:06 ` [AppArmor 44/45] Switch to vfs_permission() in sys_fchdir() jjohansen
2007-05-14 11:06 ` jjohansen
2007-05-14 11:06 ` [AppArmor 45/45] Fix file_permission() jjohansen
2007-05-14 13:50 ` [AppArmor 00/45] AppArmor security module overview John Johansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4676D399.1010603@novell.com \
--to=crispin@novell.com \
--cc=agruen@suse.de \
--cc=greg@kroah.com \
--cc=jjohansen@suse.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=pavel@ucw.cz \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).