Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSMhook

From: Crispin Cowan
Date: Sat May 26 2007 - 01:27:58 EST

Next message: Tej Parkash: "reg: modules make in Ubuntu"
Previous message: Kyle Moffett: "Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook"
In reply to: Casey Schaufler: "Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook"
Next in thread: Alan Cox: "Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSMhook"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Casey Schaufler wrote:
> --- Andreas Gruenbacher <agruen@xxxxxxx> wrote:
>
>> AppArmor cannot assume anything about argv[0],
>>
>> and it would be a really bad idea to change the well-established semantics of
>>
>> argv[0].
>>
>> There is no actual need for looking at argv[0], though: AppArmor decides
>> based
>> on the actual pathname of the executable...
>>
> Right. My point was that if you wanted to use the gzip/gunzip
> example of a file with two names being treated differently based
> on the name accessed as an argument for AppArmor you could.
AppArmor detects the pathname of the file exec'd at the time the parent
exec's it, and not anything inside the child involving argv[0].

As such, AA can detect whether you did exec("gzip") or exec("gunzip")
and apply the policy relevant to the program. It could apply different
policies to each of them, so whether it has access to /tmp/mumble/barf
depends on whether you called it 'gzip' or 'gunzip'. Caveat: it makes no
sense to profile either gzip or gunzip in the AppArmor model, so I won't
defend what kind of policy you would put on them.

Finally, AA doesn't care what the contents of the executable are. We
assume that it is a copy of metasploit or something, and confine it to
access only the resources that the policy says.

> If
> you don't want to, that's ok too. Jeremy raised a reasonable objection,
> and AppArmor could address it if y'all chose to do so. I seriously
> doubt that enforcing the argv[0] convention would break much, and I
> also expect that if it did there's a Consultant's Retirement to be
> made fixing the security hole it points out.
>
AppArmor does address it, and I hope this explains how we detect which
of multiple hard links to a file you used to access the file without
mucking about with argv[0].

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering http://novell.com
Security: It's not linear

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Tej Parkash: "reg: modules make in Ubuntu"
Previous message: Kyle Moffett: "Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook"
In reply to: Casey Schaufler: "Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook"
Next in thread: Alan Cox: "Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSMhook"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]