Re: AppArmor Security Goal

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: <david@...>

Cc: Andi Kleen <andi@...>, Crispin Cowan <crispin@...>, Arjan van de Ven <arjan@...>, Linux Kernel Mailing List <linux-kernel@...>, LSM ML <linux-security-module@...>, apparmor-dev <apparmor-dev@...>

Subject: Re: AppArmor Security Goal

Date: Saturday, November 10, 2007 - 11:36 pm

On Sat, Nov 10, 2007 at 01:28:25PM -0800, david@lang.hm wrote:
quoted text> On Sat, 10 Nov 2007, Andi Kleen wrote:
>
>> Crispin Cowan <crispin@crispincowan.com> writes:
>>
>> The document should be a good base for a merge.
>>
>>>     * A confined process can operate on a file descriptor passed to it
>>>       by an unconfined process, even if it manipulates a file not in the
>>>       confined process's profile. To block this attack, confine the
>>>       process that passed the file descriptor.
>>
>> That is the only thing that tripped me up a bit while reading the=20
>> document.
>> Can you expand a bit on the reasons why the fd is not rechecked in
>> the context of the target process? Best do it in a new version of the
>> document.
>
> from prior discussions I understand that the problem is that it's not eas=
y=20
quoted text> (or nessasarily possible) to figure out the path to the fd, so what do yo=
u=20
quoted text> check?
>
> if the file has been removed there _is_ no path to the fd.
>
> with hard links there could be many paths to the fd, the only way to find=
=20
quoted text> them would be to search the entire filesystem.
>
> as a result App Armor has decided not to try and address this, but is=20
> documenting it as a limitation.
>
Actually no.  The unconfined fd being passed in is explicitly different
than and fd being passed between two confined processes.  In the
unconfined parent passing an fd into a confined child the fd isn't
reevaluated.  In the case of confined parent to confined child the
the struct file is reevaluated.

As to the implementation issue of revalidation.  The path name to file can
be found as struct file stores both the vfsmnt and dentry.  With that said
there are a couple cases where the pathname can't be found.
- the file has been deleted
- the path has become disconnected.

In short under file revalidation deleted file are given a pass and
disconnected files fail.

For a more in depth explanation look at
http://forgeftp.novell.com//apparmor/LKML_Submission-Oct-07/techdoc.pdf

regards
john

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

AppArmor Security Goal, Crispin Cowan, (Thu Nov 8, 5:33 pm)

Re: AppArmor Security Goal, Andi Kleen, (Sat Nov 10, 5:04 pm)

Re: AppArmor Security Goal, , (Sat Nov 10, 5:28 pm)

Re: AppArmor Security Goal, John Johansen, (Sat Nov 10, 11:36 pm)

Re: AppArmor Security Goal, Crispin Cowan, (Sat Nov 10, 5:24 pm)

Re: AppArmor Security Goal, John Johansen, (Sat Nov 10, 11:23 pm)

Re: AppArmor Security Goal, Dr. David Alan Gilbert, (Sat Nov 10, 6:04 pm)

Re: AppArmor Security Goal, Crispin Cowan, (Sat Nov 10, 6:11 pm)

Re: AppArmor Security Goal, Dr. David Alan Gilbert, (Sat Nov 10, 6:24 pm)

Re: AppArmor Security Goal, Crispin Cowan, (Sat Nov 10, 6:41 pm)

Re: AppArmor Security Goal, Casey Schaufler, (Sat Nov 10, 10:17 pm)

Re: AppArmor Security Goal, Joshua Brindle, (Mon Nov 12, 8:10 pm)

Re: AppArmor Security Goal, Casey Schaufler, (Tue Nov 13, 12:58 am)

Re: AppArmor Security Goal, John Johansen, (Sat Nov 10, 11:55 pm)

Re: AppArmor Security Goal, Dr. David Alan Gilbert, (Sat Nov 10, 7:25 pm)

Re: AppArmor Security Goal, Crispin Cowan, (Mon Nov 12, 7:50 pm)

Re: AppArmor Security Goal, John Johansen, (Mon Nov 12, 9:20 pm)

Re: AppArmor Security Goal, Rogelio M. Serrano Jr., (Sun Nov 11, 3:02 am)

Re: AppArmor Security Goal, , (Sat Nov 10, 7:52 pm)

Re: AppArmor Security Goal, Crispin Cowan, (Mon Nov 12, 8:13 pm)

Re: AppArmor Security Goal, John Johansen, (Sun Nov 11, 12:17 am)

Re: AppArmor Security Goal, , (Sun Nov 11, 12:50 am)

Re: AppArmor Security Goal, Alan Cox, (Sat Nov 10, 7:56 pm)

Re: AppArmor Security Goal, Crispin Cowan, (Mon Nov 12, 7:58 pm)

Re: AppArmor Security Goal, , (Sat Nov 10, 9:27 pm)

Re: AppArmor Security Goal, John Johansen, (Sat Nov 10, 11:59 pm)

Re: AppArmor Security Goal, Dr. David Alan Gilbert, (Sat Nov 10, 7:47 pm)

Re: AppArmor Security Goal, Alan Cox, (Sat Nov 10, 6:57 pm)

Re: AppArmor Security Goal, Crispin Cowan, (Sat Nov 10, 7:14 pm)

Re: AppArmor Security Goal, Alan Cox, (Sat Nov 10, 7:54 pm)


linux-kernel:
Tarkan Erimer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Greg Kroah-Hartman	[PATCH 005/196] Chinese: add translation of SubmittingDrivers
Andrew Morton	Re: -mm merge plans for 2.6.23 -- sys_fallocate
Michael Opdenacker	[PATCH] x86: fix unconditional arch/x86/kernel/pcspeaker.c compiling
git:

linux-netdev:
David Miller	Re: [GIT]: Networking
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Andrew Morton	Re: [BUG] New Kernel Bugs
openbsd-misc:

Re: AppArmor Security Goal

Online users