From: "Dr. David Alan Gilbert" <linux@treblig.org>
To: Crispin Cowan <crispin@crispincowan.com>
Cc: Arjan van de Ven <arjan@infradead.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
LSM ML <linux-security-module@vger.kernel.org>,
apparmor-dev <apparmor-dev@forge.novell.com>
Subject: Re: AppArmor Security Goal
Date: Sat, 10 Nov 2007 22:24:14 +0000 [thread overview]
Message-ID: <20071110222414.GC24195@gallifrey> (raw)
In-Reply-To: <47362C7C.2050202@crispincowan.com>
* Crispin Cowan (crispin@crispincowan.com) wrote:
> Dr. David Alan Gilbert wrote:
> > * Crispin Cowan (crispin@crispincowan.com) wrote:
> > <snip
> >> * Manipulating AppArmor policy requires being both root privileged
> >> and not being confined by AppArmor, thus there is explicitly no
> >> capability for non-privileged users to change AppArmor policy.
> >>
> > It's a pity that there is no way to do this; it would be nice to restrict
> > web browsers, document editors etc but allow them
> > to access the places you commonly store documents etc.
> >
> I don't get the problem: if you want your web browser to be able to
> access where you commonly store your documents, then give it that
> permission. The above rule says that your web browser doesn't get to go
> change AppArmor policy on its own.
But can I as a non-privileged user say which directories I want it to
be able to access?
> I have serious doubts about the utility of restricting a text editor.
> You nominally want to be able to edit any file on the system, so
> confining it would be fairly meaningless.
Text editor probably true; but I'm thinking here more of OpenOffice
and the like; there have been plenty of document carried malware in the
past.
> > Similarly I'd like to be able to split applications so that
> > the 'preferences' editing facilities are done by separate
> > envrionments so that there is no way that a fault in parsing
> > external data could edit the config (e.g. change home page or
> > proxy in a browser or default document in an editor).
> >
> AppArmor will let you do that; most of the work is in splitting the
> application. If you can get e.g. Firefox to use a separate process that
> it exec's for editing your preferences, then AppArmor can confine that
> helper app with a different policy than Firefox itself, including
> granting the helper write permission to the config directory.
Yes, and designing the app so that it's filenames are predictable;
firefox has a fun habit of using randomly named profile directories.
Dave
--
-----Open up your eyes, open up your mind, open up your code -------
/ Dr. David Alan Gilbert | Running GNU/Linux on Alpha,68K| Happy \
\ gro.gilbert @ treblig.org | MIPS,x86,ARM,SPARC,PPC & HPPA | In Hex /
\ _________________________|_____ http://www.treblig.org |_______/
next prev parent reply other threads:[~2007-11-10 22:24 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-11-08 21:33 AppArmor Security Goal Crispin Cowan
2007-11-10 21:04 ` Andi Kleen
2007-11-10 21:24 ` Crispin Cowan
2007-11-11 3:23 ` John Johansen
2007-11-10 21:28 ` david
2007-11-11 3:36 ` John Johansen
2007-11-10 22:04 ` Dr. David Alan Gilbert
2007-11-10 22:11 ` Crispin Cowan
2007-11-10 22:24 ` Dr. David Alan Gilbert [this message]
2007-11-10 22:41 ` Crispin Cowan
2007-11-10 22:57 ` Alan Cox
2007-11-10 23:14 ` Crispin Cowan
2007-11-10 23:54 ` Alan Cox
2007-11-10 23:25 ` Dr. David Alan Gilbert
2007-11-10 23:52 ` david
2007-11-10 23:47 ` Dr. David Alan Gilbert
2007-11-10 23:56 ` Alan Cox
2007-11-11 1:27 ` david
2007-11-11 3:59 ` John Johansen
2007-11-12 23:58 ` Crispin Cowan
2007-11-11 4:17 ` John Johansen
2007-11-11 4:50 ` david
2007-11-13 0:13 ` Crispin Cowan
2007-11-11 7:02 ` Rogelio M. Serrano Jr.
2007-11-12 23:50 ` Crispin Cowan
2007-11-13 1:20 ` John Johansen
2007-11-11 2:17 ` Casey Schaufler
2007-11-11 3:55 ` John Johansen
2007-11-13 0:10 ` Joshua Brindle
2007-11-13 4:58 ` Casey Schaufler
-- strict thread matches above, loose matches on Subject: below --
2007-11-11 8:16 Rob Meijer
[not found] <9nngC-6iQ-25@gated-at.bofh.it>
[not found] ` <9o6Qq-2Hk-17@gated-at.bofh.it>
[not found] ` <9o6Qq-2Hk-15@gated-at.bofh.it>
[not found] ` <9o706-2Xe-17@gated-at.bofh.it>
[not found] ` <9o7jp-3lE-5@gated-at.bofh.it>
[not found] ` <9o7Wg-4sT-15@gated-at.bofh.it>
[not found] ` <9of7j-7ej-7@gated-at.bofh.it>
2007-11-12 18:43 ` Bodo Eggert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20071110222414.GC24195@gallifrey \
--to=linux@treblig.org \
--cc=apparmor-dev@forge.novell.com \
--cc=arjan@infradead.org \
--cc=crispin@crispincowan.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox