> david@xxxxxxx wrote:
>> On Fri, 8 Jun 2007, Greg KH wrote:
>>> I still want to see a definition of the AA "model" that we can then use
>>> to try to implement using whatever solution works best. As that seems
>>> to be missing, the current argument of if AA can or can not be
>>> implemented using SELinux or something totally different should be
>>> stopped.
>>
>> The way I would describe the difference between AA and SELinux is:
>>
>> SELinux is like a default allow IPS system, you have to describe
>> EVERYTHING to the system so that it knows what to allow and what to stop.
>>
>> AA is like a default deny firewall, you describe what you want to
>> happen, and it blocks everything else without you even having to
>> realize that it's there.
>
> That's not quite right:
>
> * SELinux Strict Policy is a default-deny system: it specifies
>   everything that is permitted system wide, and all else is denied.
>
> * AA and the SELinux Targeted Policy are hybrid systems:
>   o default-deny within a policy or profile: confined processes
>     are only permitted to do what the policy says, and all else
>     is denied.
>   o default-allow system wide: unconfined processes are allowed
>     to do anything that classic DAC permissions allow.

Still not completely correct. Though the targeted policy has an unconfined domain (unconfined_t), the policy still has allow rules for everything unconfined can do. Two examples of things unconfined still can't do (because they aren't allowed by the targeted policy) are execmem and, a while back when there was a /proc exploit that required setattr on /proc/self/environ, unconfined_t wasn't able to do that either (and therefore the exploit didn't work on a targeted system).
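As an added illustration (not part of the thread, and not SELinux or AppArmor code), the toy evaluator below models the three styles being argued over: strict SELinux (every domain rule-checked), targeted SELinux (the same evaluator, but unconfined_t is an ordinary domain with a broad, explicit allow set) and AppArmor (an unprofiled process falls back to DAC only). All domain names and rule sets are constructed for the example; it shows why "unconfined" in the targeted policy still cannot do something like execmem unless a rule grants it.

```python
# Toy access-control model of the styles discussed in the thread.
# Constructed example: rule sets and domain names are made up, not taken
# from any real policy.
from dataclasses import dataclass, field

Request = tuple[str, str]  # (object class, permission), e.g. ("process", "execmem")


@dataclass
class Policy:
    style: str  # "strict" or "targeted" (SELinux) or "apparmor"
    # allow rules: domain (or profile name) -> set of (class, permission)
    allow: dict[str, set[Request]] = field(default_factory=dict)

    def check(self, domain: str, req: Request, dac_ok: bool) -> bool:
        """True if the request is permitted. dac_ok is the classic DAC result,
        which is enforced first under every style (MAC only ever restricts)."""
        if not dac_ok:
            return False
        if self.style == "apparmor":
            # Hybrid: no profile -> DAC only; profiled -> default-deny within it.
            if domain not in self.allow:
                return True
            return req in self.allow[domain]
        if self.style in ("strict", "targeted"):
            # Default-deny for every domain. The targeted policy differs only in
            # shipping a very broad allow set for unconfined_t; anything missing
            # from that set (execmem in the thread) is still denied.
            return req in self.allow.get(domain, set())
        raise ValueError(f"unknown style {self.style!r}")


def build_policies() -> dict[str, Policy]:
    # Constructed rule sets: a confined web server plus one broad "user" domain.
    httpd_rules = {("file", "read"), ("tcp_socket", "listen")}
    broad_rules = {("file", "read"), ("file", "write"), ("process", "fork"),
                   ("process", "transition"), ("tcp_socket", "connect")}
    return {
        "strict": Policy("strict", {"httpd_t": httpd_rules, "user_t": broad_rules}),
        "targeted": Policy("targeted", {"httpd_t": httpd_rules,
                                        "unconfined_t": broad_rules}),
        "apparmor": Policy("apparmor", {"/usr/sbin/httpd": httpd_rules}),
    }


def decide(style: str, domain: str, req: Request, dac_ok: bool = True) -> bool:
    """Evaluate one request under one of the constructed policies."""
    return build_policies()[style].check(domain, req, dac_ok)
```

On a live SELinux box the analogous question is answered by the loaded policy itself, e.g. `sesearch --allow -s unconfined_t -c process -p execmem` from setools lists whatever allow rules actually grant it.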