Re: AppArmor FAQ

[Stephen Smalley]

On Wed, 2007-04-18 at 13:15 -0700, David Lang wrote:
> On Wed, 18 Apr 2007, James Morris wrote:
> 
> > On Tue, 17 Apr 2007, Alan Cox wrote:
> >
> >> I'm not sure if AppArmor can be made good security for the general case,
> >> but it is a model that works in the limited http environment
> >> (eg .htaccess) and is something people can play with and hack on and may
> >> be possible to configure to be very secure.
> >
> > Perhaps -- until your httpd is compromised via a buffer overflow or
> > simply misbehaves due to a software or configuration flaw, then the
> > assumptions being made about its use of pathnames and their security
> > properties are out the window.
> 
> since AA defines a whitelist of files that httpd is allowed to access, a 
> comprimised one may be able to mess up it's files, but it's still not going to 
> be able to touch other files on the system.
> 
> > Without security labeling of the objects being accessed, you can't protect
> > against software flaws, which has been a pretty fundamental and widely
> > understood requirement in general computing for at least a decade.
> 
> this is not true. you don't need to label all object and chunks of memory, you 
> just need to have a way to list (and enforce) the objects and memory that the 
> program is allowed to use. labeling them is one way of doing this, but not the 
> only way.

You need a way of providing global and persistent security guarantees
for the data, and per-program profiles based on pathname don't get you
there.  There is no system view in AA, just a bunch of disconnected
profiles.

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/