Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)

From: Valdis . Kletnieks
Date: Thu Apr 20 2006 - 11:29:06 EST


On Wed, 19 Apr 2006 17:19:04 PDT, Crispin Cowan said:
> Valdis.Kletnieks@xxxxxx wrote:
> > In other words, it's quite possible to accidentally introduce a vulnerability
> > that wasn't exploitable before, by artificially restricting the privs in a way
> > the designer didn't expect. So this is really just handing the sysadmin
> > a loaded gun and waiting.
> >
> While that is true of the voluntary model of acquiring and dropping
> privs, it is not true of AppArmor containment, which will just not give
> you the priv if it is not in your policy.

The threat model is that you can take a buggy application, and constrain its
access to priv A in a way that causes a code failure that allows you to abuse
an unconstrained priv B.

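An added illustration of the threat model in the message above; it is not part of the original post and is not kernel or AppArmor code. The process model, the function names and uid 1000 are constructed for the example: model_setuid stands in for a call needing priv A that the policy denies, and do_user_work stands in for an unconstrained priv B.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed model of a process; not real kernel state. */
struct proc {
    uid_t euid;        /* uid the process currently acts as */
    bool  may_setuid;  /* priv A: does the policy allow changing uid? */
};

/* Stand-in for setuid(2): EPERM when the policy withholds priv A. */
int model_setuid(struct proc *p, uid_t uid)
{
    if (!p->may_setuid) {
        errno = EPERM;
        return -1;
    }
    p->euid = uid;
    return 0;
}

/* Stand-in for priv B: reports the uid the user-controlled work ran as. */
uid_t do_user_work(const struct proc *p)
{
    return p->euid;
}

/* Written assuming the uid change cannot fail: return value ignored. */
uid_t serve_unchecked(struct proc *p, uid_t user)
{
    model_setuid(p, user);
    return do_user_work(p);
}

/* Hardened: refuse the request if the uid change did not take effect. */
int serve_checked(struct proc *p, uid_t user, uid_t *ran_as)
{
    if (model_setuid(p, user) != 0 || p->euid != user)
        return -1;
    *ran_as = do_user_work(p);
    return 0;
}

int main(void)
{
    struct proc confined = { .euid = 0, .may_setuid = false };
    printf("unchecked ran as uid %u\n", (unsigned)serve_unchecked(&confined, 1000));
    return 0;
}
```

With priv A withheld, the unchecked path carries out the user's work as uid 0, while the checked path fails closed.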