Published on KernelTrap (http://kerneltrap.org)

Documenting Security Module Intent

By Jeremy
Created Oct 28 2007 - 09:48

"I'd like to ask you to put a file in Documentation/ somewhere that describes what AppArmor's intended security protection is (it's different from SELinux for sure for example); by having such a document for each LSM user, end users and distros can make a more informed decision which module suits their requirements..." Arjan van de Ven suggested in an attempt to help focus future Linux Security Module discussions on technical issues. He explained, "it also makes it possible to look at the implementation to see if it has gaps to the intent, without getting into a pissing contest about which security model is better; but unless the security goals are explicitly described that's a trap that will keep coming back... so please spend some time on getting a good description going here.." Arjan continued:

"My main concern for now is a description of what it tries to protect against/in what cases you would expect to use it. The reason for asking this explicitly is simple: Until now the LSM discussions always ended up in a nasty mixed up mess around disagreeing on the theoretical model of what to protect against and the actual implementation of the threat protection. The only way I can think of to get out of this mess is to have the submitter of the security model give a description of what his protection model is (and unless it's silly, not argue about that), and then only focus on how the code manages to achieve this model, to make sure there's no big gaps in it, within its own goals/reference."


From: Arjan van de Ven <arjan@...>
Subject: Re: [AppArmor 00/45] AppArmor security module overview
Date: Oct 26, 10:37 am 2007

On Thu, 25 Oct 2007 23:40:24 -0700
jjohansen@suse.de wrote:

before going into the LSM / security side of things, I'd like to get
the VFS guys to look at your VFS interaction code.

In addition, I'd like to ask you to put a file in Documentation/
somewhere that describes what AppArmor is intended security protection
is (it's different from SELinux for sure for example); by having such a
document for each LSM user, end users and distros can make a more
informed decision which module suits their requirements... and it also
makes it possible to look at the implementation to see if it has gaps
to the intent, without getting into a pissing contest about which
security model is better; but unless the security goals are explicitly
described that's a trap that will keep coming back... so please spend
some time on getting a good description going here..

-- 
If you want to reach me at my work email, use arjan@linux.intel.com
For development, discussion and tips for power savings,
visit http://www.lesswatts.org

From: Andreas Gruenbacher <agruen@...>
Subject: Re: [AppArmor 00/45] AppArmor security module overview
Date: Oct 26, 4:44 pm 2007

On Friday 26 October 2007 16:37, Arjan van de Ven wrote:
> In addition, I'd like to ask you to put a file in Documentation/
> somewhere that describes what AppArmor is intended security protection
> is (it's different from SELinux for sure for example); by having such a
> document for each LSM user, end users and distros can make a more
> informed decision which module suits their requirements... and it also
> makes it possible to look at the implementation to see if it has gaps
> to the intent, without getting into a pissing contest about which
> security model is better; but unless the security goals are explicitly
> described that's a trap that will keep coming back... so please spend
> some time on getting a good description going here..

Hmm, I agree that it makes sense to give a short overview of each LSM.
A description of the AppArmor model and implementation can be found in
the directory that John referred to actually. I'm unsure how much of
that makes sense under Documentation/ -- what do you think?

http://forgeftp.novell.com/apparmor/LKML_Submission-Oct-07/techdoc.pdf

I guess actual end user information doesn't belong in the kernel
sources; that really seems wrong.

Thanks,
Andreas

From: Arjan van de Ven <arjan@...>
Subject: Re: [AppArmor 00/45] AppArmor security module overview
Date: Oct 26, 5:13 pm 2007

On Fri, 26 Oct 2007 22:44:56 +0200
Andreas Gruenbacher <agruen@suse.de> wrote:

> On Friday 26 October 2007 16:37, Arjan van de Ven wrote:
> > In addition, I'd like to ask you to put a file in Documentation/
> > somewhere that describes what AppArmor is intended security
> > protection is (it's different from SELinux for sure for example);
> > by having such a document for each LSM user, end users and distros
> > can make a more informed decision which module suits their
> > requirements... and it also makes it possible to look at the
> > implementation to see if it has gaps to the intent, without getting
> > into a pissing contest about which security model is better; but
> > unless the security goals are explicitly described that's a trap
> > that will keep coming back... so please spend some time on getting
> > a good description going here..
>
> Hmm, I agree that it makes sense to give a short overview of each
> LSM. A description of the AppArmor model and implementation can be
> found in the directory that John referred to actually. I'm unsure how
> much of that makes sense under Documentation/ -- what do you think?
>
> http://forgeftp.novell.com/apparmor/LKML_Submission-Oct-07/techdoc.pdf
>
> I guess actual end user information doesn't belong in the kernel
> sources; that really seems wrong.
>

My main concern for now is a description of what it tries to protect
against/in what cases you would expect to use it. The reason for asking
this explicitly is simple: Until now the LSM discussions always ended
up in a nasty mixed up mess around disagreeing on the theoretical model
of what to protect against and the actual implementation of the threat
protection. The only way I can think of to get out of this mess is to
have the submitter of the security model give a description of what his
protection model is (and unless it's silly, not argue about that), and
then only focus on how the code manages to achieve this model, to make
sure there's no big gaps in it, within its own goals/reference.

On the first part (discussion of the model) I doubt we can get people
to agree, that's pretty much philosophical... on the second part (how
well the code/design lives up to its own goals) the analysis can be
objective and technical.

-- 
If you want to reach me at my work email, use arjan@linux.intel.com
For development, discussion and tips for power savings,
visit http://www.lesswatts.org

From: Crispin Cowan <crispin@...>
Subject: Re: [AppArmor 00/45] AppArmor security module overview
Date: Oct 26, 6:16 pm 2007

Arjan van de Ven wrote:
> My main concern for now is a description of what it tries to protect
> against/in what cases you would expect to use it. The reason for asking
> this explicitly is simple: Until now the LSM discussions always ended
> up in a nasty mixed up mess around disagreeing on the theoretical model
> of what to protect against and the actual implementation of the threat
> protection. The only way I can think of to get out of this mess is to
> have the submitter of the security model give a description of what his
> protection model is (and unless it's silly, not argue about that), and
> then only focus on how the code manages to achieve this model, to make
> sure there's no big gaps in it, within its own goals/reference.
>
I really, really like this proposal. It is essentially what I have
always wanted.

> On the first part (discussion of the model) I doubt we can get people
> to agree, that's pretty much philosophical... on the second part (how
> well the code/design lives up to its own goals) the analysis can be
> objective and technical.
>
I will try to do that as soon as possible. While I will strive to be
both clear and precise, achieving both is challenging. So, if someone
discovers a mis-match between the description and the code, would a
patch to the description be an acceptable resolution, if it did not
render the model silly?

Crispin

-- 
Crispin Cowan, Ph.D. http://mercenarylinux.com/
Itanium. Vista. GPLv3. Complexity at work

From: Arjan van de Ven <arjan@...>
Subject: Re: [AppArmor 00/45] AppArmor security module overview
Date: Oct 26, 6:23 pm 2007

On Fri, 26 Oct 2007 15:16:53 -0700
Crispin Cowan <crispin@crispincowan.com> wrote:

> > On the first part (discussion of the model) I doubt we can get
> > people to agree, that's pretty much philosophical... on the second
> > part (how well the code/design lives up to its own goals) the
> > analysis can be objective and technical.
> >
> I will try to do that as soon as possible. While I will strive to be
> both clear and precise, achieving both is challenging. So, if someone
> discovers a mis-match between the description and the code, would a
> patch to the description be an acceptable resolution, if it did not
> render the model silly?
>

I think it's entirely reasonable that if it turns out that the code
can't do a certain aspect of the envisioned security (eg not just a
code bug but a design level issue), the answer is to adjust the
vision...

-- 
If you want to reach me at my work email, use arjan@linux.intel.com
For development, discussion and tips for power savings,
visit http://www.lesswatts.org
Source URL:
http://kerneltrap.org/Linux/Documenting_Security_Module_Intent