Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSMhook

[david]

On Tue, 29 May 2007, Pavel Machek wrote:

> Hi!
>
> > > If we want "/etc/shadow" to be the only way to access the shadow file
> > > we could label the data with "/etc/shadow". Any attempts to access
> > > this data using a renamed file or link would be denied (attempts to
> > > link or rename could also be denied).
> > Eloquently put.
> >
> > AppArmor actually does something similar to this, by mediating all of
> > the ways that you can make an alias to a file. These are:
> ...
> >     * Hard links: AppArmor explicitly mediates permission to make a hard
>
> Unfortunately, aparmor is by design limited to subset of distro
> (network daemons). Unfortunately, some other programs (passwd, vi)
> routinely make hardlinks. So AA mediating hardlink is not enough, as
> vi will happily hardlink /etc/shadow into /etc/.vi-shadow-1234.

but with the AA design of default deny this isn't a big problem unless you 
specificly allow some network daemon to access /etc/.vi-shadow-1234

in this context passwd and vi are considered trusted processes, they are 
used _after_ you authenticate onto the box.

no, this won't help you much against local users, but there are a _lot_ of 
boxes out there with few, if any, local users who don't also have the root 
password. AA helps the admin be safer when configuring netwrok daemons.

David Lang
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/