Re: AppArmor Security Goal

!MAILaRCHIVE_VOTE_RePLACE
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
To: Dr. David Alan Gilbert <linux@...>
Cc: Arjan van de Ven <arjan@...>, Linux Kernel Mailing List <linux-kernel@...>, LSM ML <linux-security-module@...>, apparmor-dev <apparmor-dev@...>
Date: Saturday, November 10, 2007 - 6:11 pm

Dr. David Alan Gilbert wrote:
I don't get the problem: if you want your web browser to be able to
access where you commonly store your documents, then give it that
permission. The above rule says that your web browser doesn't get to go
change AppArmor policy on its own.

I have serious doubts about the utility of restricting a text editor.
You nominally want to be able to edit any file on the system, so
confining it would be fairly meaningless.

AppArmor will let you do that; most of the work is in splitting the
application. If you can get e.g. Firefox to use a separate process that
it exec's for editing your preferences, then AppArmor can confine that
helper app with a different policy than Firefox itself, including
granting the helper write permission to the config directory.

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin
CEO, Mercenary Linux		   http://mercenarylinux.com/
	       Itanium. Vista. GPLv3. Complexity at work

-
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:
AppArmor Security Goal, Crispin Cowan, (Thu Nov 8, 5:33 pm)
Re: AppArmor Security Goal, Andi Kleen, (Sat Nov 10, 5:04 pm)
Re: AppArmor Security Goal, , (Sat Nov 10, 5:28 pm)
Re: AppArmor Security Goal, John Johansen, (Sat Nov 10, 11:36 pm)
Re: AppArmor Security Goal, Crispin Cowan, (Sat Nov 10, 5:24 pm)
Re: AppArmor Security Goal, John Johansen, (Sat Nov 10, 11:23 pm)
Re: AppArmor Security Goal, Dr. David Alan Gilbert, (Sat Nov 10, 6:04 pm)
Re: AppArmor Security Goal, Crispin Cowan, (Sat Nov 10, 6:11 pm)
Re: AppArmor Security Goal, Dr. David Alan Gilbert, (Sat Nov 10, 6:24 pm)
Re: AppArmor Security Goal, Crispin Cowan, (Sat Nov 10, 6:41 pm)
Re: AppArmor Security Goal, Casey Schaufler, (Sat Nov 10, 10:17 pm)
Re: AppArmor Security Goal, Joshua Brindle, (Mon Nov 12, 8:10 pm)
Re: AppArmor Security Goal, Casey Schaufler, (Tue Nov 13, 12:58 am)
Re: AppArmor Security Goal, John Johansen, (Sat Nov 10, 11:55 pm)
Re: AppArmor Security Goal, Dr. David Alan Gilbert, (Sat Nov 10, 7:25 pm)
Re: AppArmor Security Goal, Crispin Cowan, (Mon Nov 12, 7:50 pm)
Re: AppArmor Security Goal, John Johansen, (Mon Nov 12, 9:20 pm)
Re: AppArmor Security Goal, Rogelio M. Serrano Jr., (Sun Nov 11, 3:02 am)
Re: AppArmor Security Goal, , (Sat Nov 10, 7:52 pm)
Re: AppArmor Security Goal, Crispin Cowan, (Mon Nov 12, 8:13 pm)
Re: AppArmor Security Goal, John Johansen, (Sun Nov 11, 12:17 am)
Re: AppArmor Security Goal, , (Sun Nov 11, 12:50 am)
Re: AppArmor Security Goal, Alan Cox, (Sat Nov 10, 7:56 pm)
Re: AppArmor Security Goal, Crispin Cowan, (Mon Nov 12, 7:58 pm)
Re: AppArmor Security Goal, , (Sat Nov 10, 9:27 pm)
Re: AppArmor Security Goal, John Johansen, (Sat Nov 10, 11:59 pm)
Re: AppArmor Security Goal, Dr. David Alan Gilbert, (Sat Nov 10, 7:47 pm)
Re: AppArmor Security Goal, Alan Cox, (Sat Nov 10, 6:57 pm)
Re: AppArmor Security Goal, Crispin Cowan, (Sat Nov 10, 7:14 pm)
Re: AppArmor Security Goal, Alan Cox, (Sat Nov 10, 7:54 pm)