Re: AppArmor Security Goal

!MAILaRCHIVE_VOTE_RePLACE
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
To: Andi Kleen <andi@...>
Cc: Arjan van de Ven <arjan@...>, Linux Kernel Mailing List <linux-kernel@...>, LSM ML <linux-security-module@...>, apparmor-dev <apparmor-dev@...>
Date: Saturday, November 10, 2007 - 5:24 pm

Andi Kleen wrote:
The reason is a disgusting implementation problem, so instead of going
into lots of detail, I just disclaimed it.

The excuse :) is that UNIX/Linux already has an object-capability
orientation with respect to passing file descriptors around; you can
pass an FD to a process that doesn't have access to the file, and DAC
(user ownership & such) won't check it either.

This aspect of the semantics is not my favorite, but it is at least
consistent with the AppArmor view that unconfined processes can do
absolutely anything and AppArmor won't try to stop them.

The actual reason: FDs that are passed from some other *confined*
process actually are checked, because the FD has data structures on it
that we can use to hook for checking. The problem is that an FD from a
completely unconfined process has no such data structures. To fix this,
we would have to check access on every single read and write, and that
would make performance suck.

If there is a clean way to close this issue, I would be interested.

On the other hand, there is a fairly passionate community of Object
Capability fans who really want access rights to be delegable, and the
other way to go is to remove all checking on passed FDs.

There are advantages to going both ways, and I don't believe that
AppArmor is locked in stone, so either one could be chosen in the
future. See this interesting thread on LSM
http://marc.info/?t=119464929300003&r=1&w=2

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin
CEO, Mercenary Linux		   http://mercenarylinux.com/
	       Itanium. Vista. GPLv3. Complexity at work

-
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:
AppArmor Security Goal, Crispin Cowan, (Thu Nov 8, 5:33 pm)
Re: AppArmor Security Goal, Andi Kleen, (Sat Nov 10, 5:04 pm)
Re: AppArmor Security Goal, , (Sat Nov 10, 5:28 pm)
Re: AppArmor Security Goal, John Johansen, (Sat Nov 10, 11:36 pm)
Re: AppArmor Security Goal, Crispin Cowan, (Sat Nov 10, 5:24 pm)
Re: AppArmor Security Goal, John Johansen, (Sat Nov 10, 11:23 pm)
Re: AppArmor Security Goal, Dr. David Alan Gilbert, (Sat Nov 10, 6:04 pm)
Re: AppArmor Security Goal, Crispin Cowan, (Sat Nov 10, 6:11 pm)
Re: AppArmor Security Goal, Dr. David Alan Gilbert, (Sat Nov 10, 6:24 pm)
Re: AppArmor Security Goal, Crispin Cowan, (Sat Nov 10, 6:41 pm)
Re: AppArmor Security Goal, Casey Schaufler, (Sat Nov 10, 10:17 pm)
Re: AppArmor Security Goal, Joshua Brindle, (Mon Nov 12, 8:10 pm)
Re: AppArmor Security Goal, Casey Schaufler, (Tue Nov 13, 12:58 am)
Re: AppArmor Security Goal, John Johansen, (Sat Nov 10, 11:55 pm)
Re: AppArmor Security Goal, Dr. David Alan Gilbert, (Sat Nov 10, 7:25 pm)
Re: AppArmor Security Goal, Crispin Cowan, (Mon Nov 12, 7:50 pm)
Re: AppArmor Security Goal, John Johansen, (Mon Nov 12, 9:20 pm)
Re: AppArmor Security Goal, Rogelio M. Serrano Jr., (Sun Nov 11, 3:02 am)
Re: AppArmor Security Goal, , (Sat Nov 10, 7:52 pm)
Re: AppArmor Security Goal, Crispin Cowan, (Mon Nov 12, 8:13 pm)
Re: AppArmor Security Goal, John Johansen, (Sun Nov 11, 12:17 am)
Re: AppArmor Security Goal, , (Sun Nov 11, 12:50 am)
Re: AppArmor Security Goal, Alan Cox, (Sat Nov 10, 7:56 pm)
Re: AppArmor Security Goal, Crispin Cowan, (Mon Nov 12, 7:58 pm)
Re: AppArmor Security Goal, , (Sat Nov 10, 9:27 pm)
Re: AppArmor Security Goal, John Johansen, (Sat Nov 10, 11:59 pm)
Re: AppArmor Security Goal, Dr. David Alan Gilbert, (Sat Nov 10, 7:47 pm)
Re: AppArmor Security Goal, Alan Cox, (Sat Nov 10, 6:57 pm)
Re: AppArmor Security Goal, Crispin Cowan, (Sat Nov 10, 7:14 pm)
Re: AppArmor Security Goal, Alan Cox, (Sat Nov 10, 7:54 pm)