Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

On Thu, 21 Jun 2007, Lars Marowsky-Bree wrote:

quoted text

> A veto is not a technical argument. All technical arguments (except for > "path name is ugly, yuk yuk!") have been addressed, have they not?

AppArmor doesn't actually provide confinement, because it only operates on filesystem objects. What you define in AppArmor policy does _not_ reflect the actual confinement properties of the policy. Applications can simply use other mechanisms to access objects, and the policy is effectively meaningless. You might define this as a non-technical issue, but the fact that AppArmor simply does not and can not work is a fairly significant consideration, I would imagine. - James -- James Morris <jmorris@namei.org> -

unsubscribe notice

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/


linux-kernel:
FUJITA Tomonori	Re: [Scst-devel] Integration of SCST in the mainstream Linux kernel
Rafael J. Wysocki	[Bug #11287] Regression in 2.6.27-rc2 in acpi_processor_init()
Ingo Molnar	Re: [PATCH] x86: silence section mismatch warning - uv_cpu_init
Ingo Molnar	Re: [GIT PULL] time.c - respin
Paul E. McKenney	Re: [PATCH, RFC] v7 scalable classic RCU implementation
git:
Mark Junker	git on MacOSX and files with decomposed utf-8 file names
Junio C Hamano	Re: git-svnimport
Junio C Hamano	Re: [PATCH] Detached HEAD (experimental)
Johannes Schindelin	Re: [PATCH] Fix approxidate("never") to always return 0
A Large Angry SCM	Re: [RFC] origin link for cherry-pick and revert
linux-netdev:
Arnaldo Carvalho de Melo	Re: [PATCH 06/37] dccp: Limit feature negotiation to connection setup phase
Gerrit Renker	[PATCH 1/5] dccp: Initialisation framework for feature negotiation
Daniel Lezcano	getsockopt(TCP_DEFER_ACCEPT) value change
David Miller	Re: 2.6.27.18: bnx2/tg3: BUG: "scheduling while atomic" trying to ifenslave a seco...
Gerrit Renker	[PATCH 37/37] dccp: Debugging functions for feature negotiation
git-commits-head:
Linux Kernel Mailing List	ath9k_htc: Allocate URBs properly
Linux Kernel Mailing List	powerpc/kexec: Add support for FSL-BookE
Linux Kernel Mailing List	timer: Try to survive timer callback preempt_count leak
Linux Kernel Mailing List	V4L/DVB (8976): af9015: Add USB ID for AVerMedia A309
Linux Kernel Mailing List	ARM: 5670/1: bcmring: add default configuration for bcmring arch
openbsd-misc:
Stephen J. Bevan	GRE over IPsec
Christophe Rioux	Implementation example of snmp
Nick Holland	Re: booting openbsd on eee without cd-rom
Cabillot Julien	Re: OpenBSD isakmpd and pf vs Cisco PIX or ASA
Guido Tschakert	Re: what exactly is enc0?