Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO.

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Crispin Cowan

Subject: Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO.

Date: Sunday, April 13, 2008 - 6:41 pm

Matthew Wilcox wrote:
quoted text> On Fri, Apr 11, 2008 at 11:12:27PM +0900, Tetsuo Handa wrote:
>   
>> If write access is denied because of a rule "No modifications to /etc/passwd",
>> a rule "Allow modifications to /tmp/passwd" can no longer be enforced after
>> "mount --bind /etc/ /tmp/" or "mount --bind /etc/passwd /tmp/passwd" or
>> "mv /etc/passwd /tmp/passwd" or "ln /etc/passwd /tmp/passwd" is done.
>>     
> That's a fundamental limitation of pathname-based security though.
> If the same file exists in two places, you have to resolve the question
> of which rule overrides the other.
>
> In my role as a sysadmin, I would consider it a flaw if someone could
> edit a file I'd marked uneditable -- simply by creating a hard-link to it.
> If we look at existing systems, such as the immutable bit, those apply to
> inodes, not to paths, so they can't be evaded.  If a system such as TOMOYA
> allows evasion this easily, then it doesn't seem like an improvement.
>   
You are discussing a straw-man, because AppArmor (and I think TOMOYO) do 
not operate that way.

It is not, and never has been, "mark /etc/passwd not writable". Please 
delete this broken concept from the discussion.

Rather, it is "can write to /tmp/ntpd/*". You *grant* permissions. You 
do *not* throw deny rules.

So if you grant write access to /tmp/mumble/barf you should expect it to 
always be accessible, regardless of whether someone creates an alias for it.

Please re-consider the rest of your analysis, because it doesn't work if 
there are only "allow" rules and no "deny" rules. You are correct that a 
pathname-based deny rule is trivially bypassable, that's why there 
aren't any :)

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin
Botnets are the only commercially viable utility computing market

--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Tetsuo Handa, (Fri Apr 4, 5:23 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Daniel Walker, (Fri Apr 4, 9:29 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Tetsuo Handa, (Mon Apr 7, 6:56 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Daniel Walker, (Mon Apr 7, 8:39 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Paul Moore, (Mon Apr 7, 8:40 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Casey Schaufler, (Mon Apr 7, 3:57 pm)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Toshiharu Harada, (Wed Apr 9, 1:37 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Stephen Smalley, (Wed Apr 9, 5:49 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Matthew Wilcox, (Wed Apr 9, 6:11 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Serge E. Hallyn, (Wed Apr 9, 6:22 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Stephen Smalley, (Wed Apr 9, 6:26 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Toshiharu Harada, (Wed Apr 9, 10:57 pm)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Stephen Smalley, (Thu Apr 10, 5:51 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Toshiharu Harada, (Thu Apr 10, 8:57 pm)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Toshiharu Harada, (Fri Apr 11, 4:48 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Tetsuo Handa, (Fri Apr 11, 7:12 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Matthew Wilcox, (Fri Apr 11, 7:30 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Tetsuo Handa, (Sat Apr 12, 4:33 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Serge E. Hallyn, (Sun Apr 13, 9:36 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Crispin Cowan, (Sun Apr 13, 6:41 pm)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Crispin Cowan, (Sun Apr 13, 7:05 pm)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Matthew Wilcox, (Mon Apr 14, 6:48 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Stephen Smalley, (Mon Apr 14, 7:17 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Casey Schaufler, (Mon Apr 14, 10:05 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Crispin Cowan, (Mon Apr 14, 8:21 pm)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Al Viro, (Mon Apr 14, 9:57 pm)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Crispin Cowan, (Mon Apr 14, 9:59 pm)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Tetsuo Handa, (Tue Apr 15, 4:14 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Toshiharu Harada, (Tue Apr 15, 6:00 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Casey Schaufler, (Tue Apr 15, 9:32 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Stephen Smalley, (Wed Apr 16, 9:31 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Pavel Machek, (Wed Apr 16, 12:13 pm)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Crispin Cowan, (Thu Apr 17, 12:24 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Crispin Cowan, (Thu Apr 17, 12:49 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Jamie Lokier, (Thu Apr 17, 1:45 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Tetsuo Handa, (Thu Apr 17, 4:58 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Stephen Smalley, (Thu Apr 17, 5:42 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Pavel Machek, (Thu Apr 17, 10:46 am)

Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO., Serge E. Hallyn, (Fri Apr 18, 6:21 am)


linux-kernel:
Greg Kroah-Hartman	[PATCH 01/75] platform: prefix MODALIAS with "platform:"
stephane eranian	Re: perf_counters issue with PERF_SAMPLE_GROUP
Eric Sandeen	Re: [PATCH] xfs: do not pass unused params to xfs_flush_pages
Daniel Hazelton	Re: x86: 4kstacks default
Mathieu Desnoyers	Re: Linux 2.6.25-rc2
git:
Johannes Schindelin	[PATCH] fetch: refuse to fetch into the current branch in a non-bare repository
Junio C Hamano	Re: [PATCH] http-push: making HTTP push more robust and more user-friendly
Oliver Kullmann	Re: how to move with history?
Alex Riesen	Re: git exclude patterns for directory
Andreas Ericsson	Re: why not TortoiseGit
linux-netdev:
Andi Kleen	Re: RFC: Nagle latency tuning
Herbert Xu	Re: Oops in tun: bisected to Limit amount of queued packets per device
gregkh	Patch "IPv6: keep route for tentative address" has been added to the 2.6.34-stable...
Patrick McHardy	Re: [rfc 02/13] [RFC 02/13] netfilter: nf_conntrack_sip: Add callid parser
Krzysztof Oledzki	Re: Error: an inet prefix is expected rather than "0/0".
git-commits-head:
Linux Kernel Mailing List	sh: Fix compile error by operands(mov.l) in sh3/entry.S
Linux Kernel Mailing List	New device ID for sc92031 [1088:2031]
Linux Kernel Mailing List	tmpfs: depend on shmem
Linux Kernel Mailing List	drivers/acpi: use kasprintf
Linux Kernel Mailing List	Staging: et131x: prune all the debug code
openbsd-misc:
Andres Salazar	About priorities in /etc/resolv.conf
Tonnerre LOMBARD	Re: bge0: watchdog timeout
ropers	Re: Real men don't attack straw men
Damien Miller	Re: Patching a SSH 'Weakness'
Tony Abernethy	Re: The Atheros story in much fewer words