Greg KH wrote:We have built a label-based AA prototype. It fails because there is no reasonable way to address the tree renaming problem. You are remembering old behavior. The current AppArmor generates only correct and consistent paths. If a process has an open file descriptor to such a file, they will retain access to it, as we described here: http://forgeftp.novell.com//apparmor/LKML_Submission-May_07/techdoc.pdf Under the restorecon-alike proposal, you have a HUGE open race. This post http://bugs.centos.org/view.php?id=1981 describes restorecon running for 30 minutes relabeling a file system. That is so far from acceptable that it is silly. Of course, this depends on the system in question, but restorecon will necessarily need to traverse whatever portions of the filesystem that have changed, which can be quite a long time indeed. Any race condition measured in minutes is a very serious issue. Consider this case: We've been developing a new web site for a month, and testing it on the server by putting it in a different virtual domain. We want to go live at some particular instant by doing an mv of the content into our public HTML directory. We simultaneously want to take the old web site down and archive it by moving it somewhere else. Under the restorecon proposal, the web site would be horribly broken until restorecon finishes, as various random pages are or are not accessible to Apache. In a smaller scale example, I want to share some files with a friend. I can't be bothered to set up a proper access control system, so I just mv the files to ~crispin/public_html/lookitme and in IRC say "get it now, going away in 10 minutes" and then move it out again. Yes, you can manually address this by running "restorecon ~crispin/public_html". But AA does this automatically without having to run any commands. You could get restorecon to do this automatically by using inotify. But to make it as general and transparent as AA is now, you would have to run inotify on every directory in the system, with consequences for kernel memory and performance. This problem does not exist for SELinux, because SELinux does not expect access to change based on file names. This problem does not exist in the proposed AA implementation, because the patch makes the access decision based on the current name of the file, so it doesn't have a consistency problem between the file and its label; there is no label. The problem is induced by trying to emulate AA on top of SELinux. They don't fit well together. AA fits much better with LSM, which is the reason LSM exists. Try an hour or two for a large source code repository. Its linear in the number of files, and several hundred thousand files would take a while to relabel. A large GIT tree would be particularly painful because of the very large number of files. It is not foolish. The label idea is so attractive that last September from discussions with Arjan we actually thought it was the preferred implementation. However, what we've been saying over and over again is that we *tried* this, and it *doesn't* work at the implementation level. There is no good answer, restorecon is an ugly kludge, and so this seductive approach turns out to be a dead end. Caveat: I am *not* saying that labels in general are bad, just that they are a bad way to emulate the AppArmor model. And yes, I am working on a model paper that is more abstract than Andreas' paper <http://forgeftp.novell.com//apparmor/LKML_Submission-May_07/techdoc.pdf>, but that takes time. Then there's all the other problems, such as file systems that don't support extended attributes, particularly NFS3. Yes, NFS3 is vulnerable to network attack, but that is not the threat AA is addressing. AA is preventing an application with access to an NFS mount from accessing the *entire* mount. There is lots of practical security value in this, and label schemes cannot do it. Well, mostly; you could do it with a dynamic labeling scheme that labels files as they are pulled into kernel memory, but that requires an AA-style regexp parser in the kernel to apply the labels. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering http://novell.com AppArmor Chat: irc.oftc.net/#apparmor - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
| Greg KH | Linux 2.6.25.10 |
| Jeremy Fitzhardinge | [PATCH 23 of 36] x86_64: adjust mapping of physical pagetables to work with Xen |
| Greg KH | [GIT PATCH] driver core patches against 2.6.24 |
| Pavel Roskin | [PATCH 2.6.25] module: allow ndiswrapper to use GPL-only symbols |
git: | |
| H. Peter Anvin | kde.git is now online |
| Dongsheng Song | Does GIT has vc keywords like CVS/Subversion? |
| Martin | remote does not support deleting refs |
| Wink Saville | Resolving conflicts |
| Edd Barrett | Re: Linux Compat Query |
| Juan Miscaro | When will OpenBSD support UTF8? |
| askthelist | Packets Per Second Limit? |
| Marius ROMAN | 1440x900 resolution problem |
| Jim Winstead Jr. | Re: Root Disk/Book Disk Compatibility |
| Eric S. Raymond | PC-Clone UNIX Hardware Buyer's Guide |
| Hongjiu Lu -- Graduate Student | Re: GCC for Linux (fwd) |
| Mike Me | 2 quick general questions, Thanx. |
