Re: AppArmor Security Goal

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: <casey@...>

Cc: Crispin Cowan <crispin@...>, Dr. David Alan Gilbert <linux@...>, Arjan van de Ven <arjan@...>, Linux Kernel Mailing List <linux-kernel@...>, LSM ML <linux-security-module@...>, apparmor-dev <apparmor-dev@...>

Subject: Re: AppArmor Security Goal

Date: Monday, November 12, 2007 - 8:10 pm

Casey Schaufler wrote:
quoted text> --- Crispin Cowan <crispin@crispincowan.com> wrote:
>
>   
>> Dr. David Alan Gilbert wrote:
>> ...
>>
>> Can you explain why you want a non-privileged user to be able to edit
>> policy? I would like to better understand the problem here.
>>
>> Note that John Johansen is also interested in allowing non-privileged
>> users to manipulate AppArmor policy, but his view was to only allow a
>> non-privileged user to further tighten the profile on a program. To me,
>> that adds complexity with not much value, but if lots of users want it,
>> then I'm wrong :)
>>     
>
> Now this is getting interesting. It looks to me as if you've implemented
> a mandatory access control scheme that some people would like to be able
> to use as a discretionary access control scheme. This is creepy after
> seeing the MCS implementation in SELinux, which is also a DAC scheme
> wacked out of a MAC scheme. Very interesting indeed.
>   

This is the same sort of thing we are trying to do in SELinux with the 
policy management server 
<http://oss.tresys.com/projects/policy-server/wiki/PolicyServerDesign>, 
ofcourse the policy management server enforces SELinux policy on what 
can be changed and what can't. We devised a scheme to allow the policy 
to become more restrictive without being able to change the policy 
'intent' using a type hierarchy.

In fact I was talking to a coworker today about how this could be done 
with smack, using the same kind of hierarchy and allowing unprivileged 
users (eg., those without MAC_OVERRIDE) to create new smack labels 
'under' their own which would be restricted. This is interesting because 
of the ability to create new smack domains on the fly but since only 
privileged users can do it it is of limited use. Imagine if a user could 
create a new domain for their webbrowser or anything else they care to. 
Since they can't add rules to the policy it would effectively just be a 
user sandbox, an interesting use indeed.

-
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

AppArmor Security Goal, Crispin Cowan, (Thu Nov 8, 5:33 pm)

Re: AppArmor Security Goal, Andi Kleen, (Sat Nov 10, 5:04 pm)

Re: AppArmor Security Goal, , (Sat Nov 10, 5:28 pm)

Re: AppArmor Security Goal, John Johansen, (Sat Nov 10, 11:36 pm)

Re: AppArmor Security Goal, Crispin Cowan, (Sat Nov 10, 5:24 pm)

Re: AppArmor Security Goal, John Johansen, (Sat Nov 10, 11:23 pm)

Re: AppArmor Security Goal, Dr. David Alan Gilbert, (Sat Nov 10, 6:04 pm)

Re: AppArmor Security Goal, Crispin Cowan, (Sat Nov 10, 6:11 pm)

Re: AppArmor Security Goal, Dr. David Alan Gilbert, (Sat Nov 10, 6:24 pm)

Re: AppArmor Security Goal, Crispin Cowan, (Sat Nov 10, 6:41 pm)

Re: AppArmor Security Goal, Casey Schaufler, (Sat Nov 10, 10:17 pm)

Re: AppArmor Security Goal, Joshua Brindle, (Mon Nov 12, 8:10 pm)

Re: AppArmor Security Goal, Casey Schaufler, (Tue Nov 13, 12:58 am)

Re: AppArmor Security Goal, John Johansen, (Sat Nov 10, 11:55 pm)

Re: AppArmor Security Goal, Dr. David Alan Gilbert, (Sat Nov 10, 7:25 pm)

Re: AppArmor Security Goal, Crispin Cowan, (Mon Nov 12, 7:50 pm)

Re: AppArmor Security Goal, John Johansen, (Mon Nov 12, 9:20 pm)

Re: AppArmor Security Goal, Rogelio M. Serrano Jr., (Sun Nov 11, 3:02 am)

Re: AppArmor Security Goal, , (Sat Nov 10, 7:52 pm)

Re: AppArmor Security Goal, Crispin Cowan, (Mon Nov 12, 8:13 pm)

Re: AppArmor Security Goal, John Johansen, (Sun Nov 11, 12:17 am)

Re: AppArmor Security Goal, , (Sun Nov 11, 12:50 am)

Re: AppArmor Security Goal, Alan Cox, (Sat Nov 10, 7:56 pm)

Re: AppArmor Security Goal, Crispin Cowan, (Mon Nov 12, 7:58 pm)

Re: AppArmor Security Goal, , (Sat Nov 10, 9:27 pm)

Re: AppArmor Security Goal, John Johansen, (Sat Nov 10, 11:59 pm)

Re: AppArmor Security Goal, Dr. David Alan Gilbert, (Sat Nov 10, 7:47 pm)

Re: AppArmor Security Goal, Alan Cox, (Sat Nov 10, 6:57 pm)

Re: AppArmor Security Goal, Crispin Cowan, (Sat Nov 10, 7:14 pm)

Re: AppArmor Security Goal, Alan Cox, (Sat Nov 10, 7:54 pm)


linux-kernel:
debian developer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Greg Kroah-Hartman	[PATCH 014/196] kobject: remove incorrect comment in kobject_rename
Vladislav Bolkhovitin	Re: Integration of SCST in the mainstream Linux kernel
Stephen Rothwell	Re: Announce: Linux-next (Or Andrew's dream :-))
git:

linux-netdev:
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
David Miller	[GIT]: Networking
Radu Rendec	htb parallelism on multi-core platforms
David Miller	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
openbsd-misc:

Re: AppArmor Security Goal

Online users