From: Crispin Cowan <crispin@crispincowan.com>
To: Matthew Wilcox <matthew@wil.cx>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
paul.moore@hp.com, akpm@linux-foundation.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, takedakn@nttdata.co.jp,
linux-fsdevel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO.
Date: Sun, 13 Apr 2008 18:41:19 -0700 [thread overview]
Message-ID: <4802B63F.2010804@crispincowan.com> (raw)
In-Reply-To: <20080411143013.GB11962@parisc-linux.org>
Matthew Wilcox wrote:
> On Fri, Apr 11, 2008 at 11:12:27PM +0900, Tetsuo Handa wrote:
>
>> If write access is denied because of a rule "No modifications to /etc/passwd",
>> a rule "Allow modifications to /tmp/passwd" can no longer be enforced after
>> "mount --bind /etc/ /tmp/" or "mount --bind /etc/passwd /tmp/passwd" or
>> "mv /etc/passwd /tmp/passwd" or "ln /etc/passwd /tmp/passwd" is done.
>>
> That's a fundamental limitation of pathname-based security though.
> If the same file exists in two places, you have to resolve the question
> of which rule overrides the other.
>
> In my role as a sysadmin, I would consider it a flaw if someone could
> edit a file I'd marked uneditable -- simply by creating a hard-link to it.
> If we look at existing systems, such as the immutable bit, those apply to
> inodes, not to paths, so they can't be evaded. If a system such as TOMOYA
> allows evasion this easily, then it doesn't seem like an improvement.
>
You are discussing a straw-man, because AppArmor (and I think TOMOYO) do
not operate that way.
It is not, and never has been, "mark /etc/passwd not writable". Please
delete this broken concept from the discussion.
Rather, it is "can write to /tmp/ntpd/*". You *grant* permissions. You
do *not* throw deny rules.
So if you grant write access to /tmp/mumble/barf you should expect it to
always be accessible, regardless of whether someone creates an alias for it.
Please re-consider the rest of your analysis, because it doesn't work if
there are only "allow" rules and no "deny" rules. You are correct that a
pathname-based deny rule is trivially bypassable, that's why there
aren't any :)
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin
Botnets are the only commercially viable utility computing market
next prev parent reply other threads:[~2008-04-14 1:50 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-04-04 12:22 [TOMOYO #7 00/30] TOMOYO Linux 1.6.0 released Tetsuo Handa
2008-04-04 12:22 ` [TOMOYO #7 01/30] TOMOYO Linux documentation Tetsuo Handa
2008-04-04 12:22 ` [TOMOYO #7 02/30] Internal functions prototypes for SAKURA and TOMOYO Tetsuo Handa
2008-04-04 15:29 ` Daniel Walker
2008-04-07 13:56 ` [TOMOYO #7 02/30] Internal functions prototypes for SAKURA andTOMOYO Tetsuo Handa
2008-04-07 15:24 ` Daniel Walker
2008-04-04 12:22 ` [TOMOYO #7 03/30] Constants for /proc/ccs/ interface Tetsuo Handa
2008-04-04 12:22 ` [TOMOYO #7 04/30] Prototypes of realpath Tetsuo Handa
2008-04-04 12:22 ` [TOMOYO #7 05/30] External functions prototypes for SAKURA Tetsuo Handa
2008-04-04 12:22 ` [TOMOYO #7 06/30] External functions prototypes for TOMOYO Tetsuo Handa
2008-04-04 12:22 ` [TOMOYO #7 07/30] Some wrapper functions for socket operation Tetsuo Handa
2008-04-04 12:22 ` [TOMOYO #7 08/30] Some of permission checks from VFS helper functions Tetsuo Handa
2008-04-04 12:22 ` [TOMOYO #7 09/30] Access control part of tamper-proof device filesystem Tetsuo Handa
2008-04-04 12:22 ` [TOMOYO #7 10/30] Common functions for SAKURA and TOMOYO Tetsuo Handa
2008-04-04 12:22 ` [TOMOYO #7 11/30] /proc/ccs/ interface for policy management Tetsuo Handa
2008-04-04 12:22 ` [TOMOYO #7 12/30] Memory and pathname management functions Tetsuo Handa
2008-04-04 12:22 ` [TOMOYO #7 13/30] mount restriction part Tetsuo Handa
2008-04-04 12:22 ` [TOMOYO #7 14/30] Shadow mount prevention part Tetsuo Handa
2008-04-04 12:22 ` [TOMOYO #7 15/30] Automatic bind port selection control part Tetsuo Handa
2008-04-04 12:22 ` [TOMOYO #7 16/30] Unmount restriction part Tetsuo Handa
2008-04-04 12:22 ` [TOMOYO #7 17/30] chroot " Tetsuo Handa
2008-04-04 12:23 ` [TOMOYO #7 18/30] pivot_root " Tetsuo Handa
2008-04-04 12:23 ` [TOMOYO #7 19/30] Auditing functions for TOMOYO Tetsuo Handa
2008-04-04 12:23 ` [TOMOYO #7 20/30] Socket operation restriction part Tetsuo Handa
2008-04-04 12:23 ` [TOMOYO #7 21/30] Capability " Tetsuo Handa
2008-04-04 12:23 ` [TOMOYO #7 22/30] Conditional ACL support functions Tetsuo Handa
2008-04-04 12:23 ` [TOMOYO #7 23/30] argvrestriction part Tetsuo Handa
2008-04-04 12:23 ` [TOMOYO #7 24/30] File operation restriction part Tetsuo Handa
2008-04-04 12:23 ` [TOMOYO #7 25/30] Signal " Tetsuo Handa
2008-04-04 12:23 ` [TOMOYO #7 26/30] Domain transition handler Tetsuo Handa
2008-04-04 12:23 ` [TOMOYO #7 27/30] Environment variable restriction part Tetsuo Handa
2008-04-04 12:23 ` [TOMOYO #7 28/30] Filesystem part of tamper-proof device filesystem Tetsuo Handa
2008-04-04 12:23 ` [TOMOYO #7 29/30] Kconfig and Makefile Tetsuo Handa
2008-04-04 12:23 ` [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO Tetsuo Handa
2008-04-04 16:29 ` Daniel Walker
2008-04-07 13:56 ` Tetsuo Handa
2008-04-07 15:39 ` Daniel Walker
2008-04-07 15:40 ` Paul Moore
2008-04-07 22:57 ` Casey Schaufler
2008-04-09 8:37 ` Toshiharu Harada
2008-04-09 12:49 ` Stephen Smalley
2008-04-10 5:57 ` Toshiharu Harada
2008-04-10 12:51 ` Stephen Smalley
2008-04-11 11:48 ` Toshiharu Harada
2008-04-09 13:11 ` Matthew Wilcox
2008-04-09 13:26 ` Stephen Smalley
2008-04-11 14:12 ` Tetsuo Handa
2008-04-11 14:30 ` Matthew Wilcox
2008-04-12 11:33 ` Tetsuo Handa
2008-04-13 16:36 ` Serge E. Hallyn
2008-04-14 2:05 ` Crispin Cowan
2008-04-14 14:17 ` Stephen Smalley
2008-04-14 17:05 ` Casey Schaufler
2008-04-15 11:14 ` Tetsuo Handa
2008-04-15 16:32 ` Casey Schaufler
2008-04-17 7:24 ` Crispin Cowan
2008-04-16 19:13 ` Pavel Machek
2008-04-17 11:58 ` Tetsuo Handa
2008-04-17 17:46 ` Pavel Machek
2008-04-18 13:21 ` Serge E. Hallyn
2008-04-15 4:59 ` Crispin Cowan
2008-04-16 16:31 ` Stephen Smalley
2008-04-17 7:49 ` Crispin Cowan
2008-04-17 8:45 ` Jamie Lokier
2008-04-17 12:42 ` Stephen Smalley
2008-04-15 13:00 ` Toshiharu Harada
2008-04-14 1:41 ` Crispin Cowan [this message]
2008-04-14 13:48 ` Matthew Wilcox
2008-04-15 3:21 ` Crispin Cowan
2008-04-15 4:57 ` Al Viro
2008-04-09 13:22 ` Serge E. Hallyn
2008-04-11 3:57 ` Toshiharu Harada
2008-04-24 5:28 ` [TOMOYO #7 00/30] TOMOYO Linux 1.6.0 released Toshiharu Harada
2008-04-24 14:48 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4802B63F.2010804@crispincowan.com \
--to=crispin@crispincowan.com \
--cc=akpm@linux-foundation.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew@wil.cx \
--cc=netdev@vger.kernel.org \
--cc=paul.moore@hp.com \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=takedakn@nttdata.co.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox