Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks

[Arjan van de Ven]

On Tue, 2006-04-18 at 12:31 -0700, Crispin Cowan wrote:
> Karl MacMillan wrote:
> > Which is one reason why SELinux has types (equivalence classes) - it
> > makes it possible to group large numbers of applications or resources
> > into the same security category. The targeted policy that ships with
> > RHEL / Fedora shows how this works in practice.
> >   
> AppArmor (then called "SubDomain") showed how this worked in practice
> years before the Targeted Policy came along. The Targeted Policy
> implements an approximation to the AppArmor security model, but does it
> with domains and types instead of path names, imposing a substantial
> cost in ease-of-use on the user.

I would suspect that the "filename" thing will be the biggest achilles
heel...
after all what does filename mean in a linux world with
* hardlinks
* chroot
* namespaces
* bind mounts
* unlink of open files
* fd passing over unix sockets
* relative pathnames
* multiple threads (where one can unlink+replace file while the other is
in the validation code)

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/