Re: [RFC][PATCH 0/11] security: AppArmor - Overview

From: Andi Kleen
Date: Mon Apr 24 2006 - 09:26:11 EST

Next message: Pavel Machek: "Re: [RFC][PATCH 0/11] security: AppArmor - Overview"
Previous message: Steven Whitehouse: "Re: [PATCH 13/16] GFS2: Makefiles and Kconfig"
In reply to: Joshua Brindle: "Re: [RFC][PATCH 0/11] security: AppArmor - Overview"
Next in thread: Joshua Brindle: "Re: [RFC][PATCH 0/11] security: AppArmor - Overview"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Monday 24 April 2006 15:11, Joshua Brindle wrote:

> Sure but if, instead, it's able to open /var/chroot/etc/shadow which is
> a hardlink to /etc/shadow you've bought nothing. You may filter out
> worms and script kiddies this way but in the end you are using obscurity
> (of filesystem layout, what the policy allows, how the apps are
> configured, etc) for security, which again, leads to a false sense of
> security.

AppArmor disallows both chroot and name space changes for the constrained
application so the scenario you're describing cannot happen. What happens
with unconstrained applications it doesn't care about by design.

This has been covered several times in this thread already - please pay
more attention.

-Andi

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Pavel Machek: "Re: [RFC][PATCH 0/11] security: AppArmor - Overview"
Previous message: Steven Whitehouse: "Re: [PATCH 13/16] GFS2: Makefiles and Kconfig"
In reply to: Joshua Brindle: "Re: [RFC][PATCH 0/11] security: AppArmor - Overview"
Next in thread: Joshua Brindle: "Re: [RFC][PATCH 0/11] security: AppArmor - Overview"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]