Re: TOMOYO in linux-next

From: Bodo Eggert
Date: Mon Mar 30 2009 - 07:22:24 EST


On Sun, 29 Mar 2009, Pavel Machek wrote:

>
> >>> How would you exclude mozilla from writing to .* then? ".a" is bad,
> >>> ".b" is bad ...? or "A" is OK, "a" is OK, "zzzzzzzzzzzzz" is OK"?
> >>> Either way, you'd need several universes to store the security profile.
> >>
> >> What is magic about .* files? I want mozilla to store the pictures as
> >> .naughty.picture.jpg -- I don't see anything wrong with that.
> >
> > As long as you have a guaranteed-to-be-complete list of config files, you
> > can get along without wildcards. And still if you do, I'll write a
> > program to make it incomplete.
>
> Not all config files match .* pattern. I have at least hugo.ini
> mxmap.ini in my ~.
       ^^^^
I see a pattern there.

IMO there is no use in a security system if it allows you to modify
something like ~/.bashrc, and a security system not allowing mozilla to
create ~/.mozilla or ~/pr0n.jpg is not usable at all.

You must handle different files in one directory differently, and since
they are not there yet, you can't label them. Instead, you'll have to label
them at runtime, and you have to do it based on the filename. At the same
time, you have a HUGE number of problematic filenames and a HUGE number of
safe filenames. Unless you have about 500 universes, you can't implement a
bitmap of allowed and non-allowed filenames.

What will you do? Give up and let mozilla modify all the config files you
didn't think of? Or not let mozilla store tux.png in ~?

--
Artificial Intelligence usually beats real stupidity.
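
An added illustration, not part of the original message and not TOMOYO's policy syntax: a first-match list of filename patterns evaluated when the request is made, the kind of name-based decision the message argues for, since files that do not exist yet cannot carry a label. The rule list, the `decide` helper and the `/home/user` paths are constructed for this example.

```python
from fnmatch import fnmatchcase
import posixpath

# Constructed first-match rules for one confined program (hypothetical format).
# Patterns are relative to the home directory; fnmatch's "*" also matches "/".
RULES = [
    ("allow", ".mozilla"),    # the browser's own profile directory
    ("allow", ".mozilla/*"),  # ... and everything below it
    ("deny",  ".*"),          # every other dotfile, including ones not created yet
    ("deny",  "*.ini"),       # config files that do not start with a dot
    ("allow", "*"),           # ordinary downloads such as tux.png
]


def decide(path, home="/home/user"):
    """Return 'allow' or 'deny' for a create/write request on `path`."""
    # Lexical normalisation only: collapses "a/../b" so a request cannot
    # borrow an allowed prefix. Symlinks are NOT resolved here.
    norm = posixpath.normpath(path)
    if not norm.startswith(home + "/"):
        return "deny"
    rel = norm[len(home) + 1:]
    for action, pattern in RULES:
        if fnmatchcase(rel, pattern):
            return action
    return "deny"  # default deny if no rule matched


if __name__ == "__main__":
    # Constructed requests, using the filenames mentioned in the thread.
    for p in [
        "/home/user/.bashrc",
        "/home/user/.mozilla/prefs.js",
        "/home/user/.mozilla/../.bashrc",
        "/home/user/hugo.ini",
        "/home/user/tux.png",
        "/home/user/.naughty.picture.jpg",
    ]:
        print(f"{decide(p):5}  {p}")
```

Five patterns cover names that do not exist yet, and the `.naughty.picture.jpg` result shows the cost raised earlier in the thread: a blanket `.*` deny also blocks harmless dotfiles.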