Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation,pathname matching

From: Stephen Smalley
Date: Fri Jun 22 2007 - 08:20:51 EST


On Thu, 2007-06-21 at 22:17 -0600, Crispin Cowan wrote:
> James Morris wrote:
> > On Thu, 21 Jun 2007, Chris Mason wrote:
> >>> The incomplete mediation flows from the design, since the pathname-based
> >>> mediation doesn't generalize to cover all objects unlike label- or
> >>> attribute-based mediation. And the "use the natural abstraction for
> >>> each object type" approach likewise doesn't yield any general model or
> >>> anything that you can analyze systematically for data flow.
> >>>
> >> This feels quite a lot like a repeat of the discussion at the kernel
> >> summit. There are valid uses for path based security, and if they don't
> >> fit your needs, please don't use them. But, path based semantics alone
> >> are not a valid reason to shut out AA.
> >>
> > The validity or otherwise of pathname access control is not being
> > discussed here.
> >
> > The point is that the pathname model does not generalize, and that
> > AppArmor's inability to provide adequate coverage of the system is a
> > design issue arising from this.
> >
> The above two paragraphs appear to contradict each other.
>
> > Recall that the question asked by Lars was whether there were any
> > outstanding technical issues relating to AppArmor.
> >
> > AppArmor does not and can not provide the level of confinement claimed by
> > the documentation, and its policy does not reflect its actual confinement
> > properties. That's kind of a technical issue, right?
> >
> So if the document said "confinement with respect to direct file access
> and POSIX.1e capabilities" and that list got extended as AA got new
> confinement features, would that address your issue?

That would certainly help, although one might quibble with the use of
the word "confinement" at all wrt AppArmor (it has a long-established
technical meaning that implies information flow control, and that goes
beyond even complete mediation - it requires global and persistent
protection of the data based on its properties, which requires stable
and unambiguous identifiers).

--
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/