Re: [RFC][PATCH 0/11] security: AppArmor - Overview

From: Tony Jones
Date: Mon Apr 24 2006 - 11:54:39 EST


On Mon, Apr 24, 2006 at 11:16:25AM -0400, Joshua Brindle wrote:
> To make this much more real, the /usr/sbin/named policy that ships with
> apparmor has the following line:

Ships with AppArmor where? On SuSE?

> /** r,
> Thats right, named can read any file on the system, I suppose this is
> because the policy relies on named being chrooted. So if for any reason
> named doesn't chroot its been granted read access on the entire
> filesystem. If I'm misunderstanding this policy please correct me but I
> believe this shows the problem very loudly and clearly.

The d_path changes for absolute path mediation for chroot are not yet in any
SuSE release. Nor are they reflected in any developed profiles (yet).

Another direction is a new security_chroot hook together with appropriate
CLONE_FS tracking (inside AppArmor) to force chrooting confined tasks into a
subprofile (similar to change hat). We are evaluating the options based on
feedback here and from other places. Hence the RFC.

I hope this helps.

Tony
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/