Re: AppArmor Security Goal

From: Bodo Eggert
Date: Mon Nov 12 2007 - 13:44:16 EST

Next message: Roland Dreier: "Re: snd_hda_intel 2.6.24-rc2 bug: interrupts don't always work on Lenovo X60s"
Previous message: Frank Seidel: "Re: [RFC] Re: nozomi version 2.1d for review"
In reply to: Rob Meijer: "Re: AppArmor Security Goal"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Rogelio M. Serrano Jr. <rogelio@xxxxxxxxxxxxx> wrote:
> Dr. David Alan Gilbert wrote:

>> Allowing a user to tweak (under constraints) their settings might allow
>> them to do something like create two mozilla profiles which are isolated
>> from each other, so that the profile they use for general web surfing
>> is isolated from the one they use for online banking.
>>
>>
> Doesnt this allow the user to shoot their own foot? The exact thing
> mandatory access control are supposed to prevent?

cat `which mozilla` > ~/bin/mymozilla; chmod +x ~/bin/mozilla; mymozilla

Unless you lock down the system to a state where it's barely usable, MAC
isn't going to protect you from shooting your own feet. But having more
restricted roles and a safe way of activating them (as in "damn obvious
if or if not this role is active"), you can have e.g. one mozilla for
banking and one for pr0n.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Roland Dreier: "Re: snd_hda_intel 2.6.24-rc2 bug: interrupts don't always work on Lenovo X60s"
Previous message: Frank Seidel: "Re: [RFC] Re: nozomi version 2.1d for review"
In reply to: Rob Meijer: "Re: AppArmor Security Goal"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]