public inbox for linux-kernel@vger.kernel.org
From: Cliffe <cliffe@ii.net>
To: Peter Dolding <oiaohm@gmail.com>
Cc: Crispin Cowan <crispin@crispincowan.com>,
	Simon Arlott <simon@fire.lp0.eu>,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: Defense in depth: LSM *modules*, not a static interface
Date: Wed, 07 Nov 2007 11:50:53 +0800
Message-ID: <4731361D.9030504@ii.net>
In-Reply-To: <e7d8f83e0711061559l26ff4d27gc97f809af6d8b979@mail.gmail.com>

As good an idea as POSIX capabilities might be, not all security problems
can be solved with a bitmap of on/off permissions.

Peter Dolding wrote:
> "AppArmor profile denies all network traffic to a specific
> application"  Ok, why should AppArmor be required to do this?  Would it
> not be better as part of Capabilities that is always there and is
> application controllable?  It would be a security advantage if data
> processing threads that don't do network access inside an application
> don't have it.  Basically this feature could be done in mirror.  Allow
> Network access Capabilities flag.  Not set, application cannot access
> network at all.  All LSMs would be able to use that to cut off network
> access to applications.  As a standard feature of the kernel, if a new
> network stack or some other alteration is done, LSM hooks would not
> need altering.  Lots of LSM hooks would disappear.  The need for LSMs to
> monitor and run different code to the kernel in a lot of places would also
> disappear.
>
> With Capabilities, expand it to the point that applications cannot do
> anything without permissions.  Both models are doable.  Restrictive
> can be done in a Permissive model effectively if the starting point of
> the Permissive is that you cannot do anything without permissions
> being granted.  Big difference is that the Permissive Model is the
> kernel default.  Some LSMs are designed in conflict with the main model
> of the OS.  You really only want one model from a speed point of view.

Ok but what happens to the principle of least privilege?

What if we want AppArmor to confine that application to use a particular 
set of ports?

Do you propose having a capability for each port?  How about protocols?

So unless my understanding of capabilities is fundamentally flawed
(which it may be - I have not spent time reviewing recent changes),
obviously Linux capabilities do not provide a solution to every problem.

Regards,

Cliffe.

--

Z. Cliffe Schreuders
BSc Comp Sci (Hons) & Int Comp
PhD Candidate, Casual Tutor
School of IT
Murdoch University
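An added illustration of the point argued above, not code from the thread or from any kernel: the capability set really is a bitmap (bit numbers as in linux/capability.h), so the only port-related decision it can express is "may bind below 1024", while "may use only ports 80 and 443" needs a per-application rule of the kind an LSM profile carries. The CapEff value and the allow-list are constructed for the example.

```c
/* Capabilities as a bitmap vs. a per-port policy rule (added example). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Bit numbers from linux/capability.h (network-related subset). */
#define CAP_NET_BIND_SERVICE 10
#define CAP_NET_BROADCAST    11
#define CAP_NET_ADMIN        12
#define CAP_NET_RAW          13

/* Parse the hex mask that follows "CapEff:" in /proc/<pid>/status. */
uint64_t parse_cap_mask(const char *hex)
{
    return (uint64_t)strtoull(hex, NULL, 16);
}

/* One on/off bit per capability: that is all the bitmap can say. */
int cap_set(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1u);
}

/* The only port-related decision the bitmap supports: binding below
 * 1024 needs CAP_NET_BIND_SERVICE; every other port is unrestricted. */
int cap_may_bind(uint64_t mask, int port)
{
    if (port < 1024)
        return cap_set(mask, CAP_NET_BIND_SERVICE);
    return 1;
}

/* Constructed per-application allow-list: the rule the reply asks
 * AppArmor for, which no combination of capability bits expresses. */
static const int web_ports[] = { 80, 443 };
#define WEB_PORTS_N (sizeof web_ports / sizeof web_ports[0])

int policy_may_bind(const int *allowed, size_t n, int port)
{
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == port)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed CapEff: only CAP_NET_BIND_SERVICE (bit 10) retained. */
    uint64_t eff = parse_cap_mask("0000000000000400");
    printf("bitmap: port 80 %s, port 8080 %s\n",
           cap_may_bind(eff, 80) ? "ok" : "denied",
           cap_may_bind(eff, 8080) ? "ok" : "denied");
    printf("policy: port 8080 %s\n",
           policy_may_bind(web_ports, WEB_PORTS_N, 8080) ? "ok" : "denied");
    return 0;
}
```

With the bitmap, a process holding CAP_NET_BIND_SERVICE may bind any port and one without it may still bind 8080; only the allow-list confines the application to its two ports.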
