Re: [RFC][PATCH 0/11] security: AppArmor - Overview

From: Serge E. Hallyn
Date: Thu Apr 20 2006 - 07:30:04 EST

Next message: Serge E. Hallyn: "Re: [RFC][PATCH 4/11] security: AppArmor - Core access controls"
Previous message: Laurent Vivier: "Re: [Ext2-devel] Re: [RFC][PATCH 0/2]Extend ext3 filesystem limitfrom 8TB to 16TB"
In reply to: Thomas Bleher: "Re: [RFC][PATCH 0/11] security: AppArmor - Overview"
Next in thread: Christoph Hellwig: "Re: [RFC][PATCH 0/11] security: AppArmor - Overview"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Quoting Andi Kleen (ak@xxxxxxx):
> Arjan van de Ven <arjan@xxxxxxxxxxxxx> writes:
> >
> > you must have a good defense against that argument, so I'm curious to
> > hear what it is
>
> [I'm not from the apparmor people but my understanding is]
>
> Usually they claimed name spaces as the reason it couldn't work.
>
> In practice AFAIK basically nobody uses name spaces for
> anything. AppArmor just forbids mounts/CLONE_NEWNS for the confined

Well, I use them all over the place to keep accounts on separate /tmp's,
etc. It may not be the norm yet, but the general availability of
pam_mount etc, and the implementation of shared subtrees may well change
that.

But then if that happens, as Al points out, AA might be able to
embrace rather than fight it.

-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Serge E. Hallyn: "Re: [RFC][PATCH 4/11] security: AppArmor - Core access controls"
Previous message: Laurent Vivier: "Re: [Ext2-devel] Re: [RFC][PATCH 0/2]Extend ext3 filesystem limitfrom 8TB to 16TB"
In reply to: Thomas Bleher: "Re: [RFC][PATCH 0/11] security: AppArmor - Overview"
Next in thread: Christoph Hellwig: "Re: [RFC][PATCH 0/11] security: AppArmor - Overview"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]