Re: Some Concrete AppArmor Questions - was Re: [RFC][PATCH 0/11]security: AppArmor - Overview

From: Stephen Smalley
Date: Fri Apr 28 2006 - 07:24:37 EST

Next message: Malcolm Rowe: "Can't change priority via sys_sched_setscheduler()?"
Previous message: Fortier,Vincent [Montreal]: "sata_via + Plextor 716SA + ATAPI error"
In reply to: Ken Brush: "Re: Some Concrete AppArmor Questions - was Re: [RFC][PATCH 0/11] security: AppArmor - Overview"
Next in thread: Andi Kleen: "Re: Some Concrete AppArmor Questions - was Re: [RFC][PATCH 0/11] security: AppArmor - Overview"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2006-04-27 at 10:58 -0700, Ken Brush wrote:
> > No, it wouldn't. The question itself is flawed - it presumes that AA
> > does confine the application to its expected behavior.
>
> I can confine a process to my idea of it's expected behavior.

Um, only if your idea is limited to authorized capabilities and paths.
If you actually want to circumscribe the full behavior of the program
(e.g. IPC, inter-process operations), you don't have the necessary
enforcement mechanism.

> I can guarantee that if my profile does not allow write access to /etc
> that apache's write to "/etc/new_file" will not be allowed.

If it uses that path as the argument, then yes (although to be clear, AA
operates at file level and skips directory write/search checking, IIUC
from the code - see aa_filter_mask). But you don't know whether or not
it can write to the same file via another path that is included in its
profile.

> The argument that somehow someone would setup a soft link or something
> so that apache could write to /etc via indirection is not my primary
> concern. That is systematic of a more concerted attack and a very
> determined attacker. Or at the very least, a mistake on my part. And
> in that case, I cannot protect myself from myself.

So you are only worried about script kiddies? Further, once someone
crafts an exploit specifically targeting AA, knowing full well its
limitations, that exploit will become fodder for the kiddies as well.
If a security mechanism only prevents attacks that weren't designed
against it, what good is it aside from a temporary stopgap?

> I have no requirements like that. I just would prefer that when people
> try to exploit my internet services, that the programs are not allowed
> to do things that I would rather it not do. AA seems to fulfill that
> requirement.

Why can't you use existing virtualization solutions ala Vservers or
OpenVZ or whatever?

--
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Malcolm Rowe: "Can't change priority via sys_sched_setscheduler()?"
Previous message: Fortier,Vincent [Montreal]: "sata_via + Plextor 716SA + ATAPI error"
In reply to: Ken Brush: "Re: Some Concrete AppArmor Questions - was Re: [RFC][PATCH 0/11] security: AppArmor - Overview"
Next in thread: Andi Kleen: "Re: Some Concrete AppArmor Questions - was Re: [RFC][PATCH 0/11] security: AppArmor - Overview"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]