Re: [RFC][PATCH 4/11] security: AppArmor - Core access controls

[Crispin Cowan]

Rik van Riel wrote:
> On Wed, 19 Apr 2006, Seth Arnold wrote:
>   
>> On Wed, Apr 19, 2006 at 07:05:08PM -0400, Rik van Riel wrote:
>>     
>>> Are confined processes always restricted from starting
>>> non-confined processes?
>>>       
>> It is specified in policy via an unconstrained execution flag: 'ux'. Any 
>> unconfined children can of course do whatever they wish.
>>     
> And the default is for the children to inherit the security
> policy from the parent process, like in SELinux ?
>
> How do apparmor and selinux differ in how they contain bad
> things?
>   
To be able to execute any child, the confined process must have explicit
permission to execute it:

    * "/bin/foo px" says that the child will execute with its own
      policy. The policy must exist, or access is denied. This is useful
      if, say, xinetd wants to exec Sendmail.
    * "/bin/foo ix" says that the child will execute with its parent's
      policy, "inherit". This is useful if, say, a shell script wants to
      exec cp.
    * "/bin/foo ux" says that the child will exec with no confinement at
      all. This should be used carefully, say, if sshd wants to exec
      bash to allow an administrator to have an unconfined shell.

You can also say something like "/bin/** ix" which would let you run
anything in /bin, but all subject to the parent's policy. You could say
"/bin/** px" but that would mostly cause exec() failures except to the
extent that policies exist. You could say "/bin/** ux" but that would
not be wise :)

Crispin
-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/