Re: [RFC][PATCH 4/11] security: AppArmor - Core access controls

[Stephen Smalley]

On Wed, 2006-04-19 at 11:57 -0700, Crispin Cowan wrote:
> Arjan van de Ven wrote:
> > On Wed, 2006-04-19 at 10:49 -0700, Tony Jones wrote:
> >   
> >> Verify if profile
> >> + * authorizes mask operations on pathname (due to lack of vfsmnt it is sadly
> >> + * necessary to search mountpoints in namespace -- when nameidata is passed
> >> + * more fully, this code can go away).  If more than one mountpoint matches
> >> + * but none satisfy the profile, only the first pathname (mountpoint) is
> >> + * returned for subsequent logging.
> >>     
> > that sounds too bad ;) 
> > If I manage to mount /etc/passwd as /tmp/passwd, you'll only find the
> > later and your entire security system seems to be down the drain.
> >   
> If you are a confined process, then you don't get to mount things, for
> this reason, among others.

Which is an example of the brokenness of the security model - its
fragileness in the face of manipulation of the file tree leads to
inflexibility.  So for example, if you wanted to _protect_ a process
that does mount things as part of its legitimate purpose, e.g. by
limiting what it can access to prevent it from taking untrustworthy
inputs, then you are out of luck - it is either confined and can't mount
or not confined and can mount.

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/