Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO.

From: Tetsuo Handa
Date: Tue Apr 15 2008 - 07:14:58 EST


Casey Schaufler wrote:
> The question of protections on the object named /etc/passwd came
> up time and time again. The notion that /etc/passwd could be a
> symlink to /home/smalley/heeheehee really gave evaluators the
> whillies. As did the chroot environment, where /roots/crispin/etc/passwd
> could magicly become /etc/passwd.
Why do people continue speaking symlinks and chroots?
To avoid the effect of symlinks and chroots, AppArmor and TOMOYO Linux
derive pathnames from dentry and vfsmount.
If /etc/passwd was a symlink, the derived pathname will be /home/smalley/heeheehee.
If accessed from inside a chroot, the derived pathname will be /roots/crispin/etc/passwd.

It is true that namespace may differ between processes,
but I think that that is the matter of how to restrict namespace manipulation operations.
As I said, a system can't survive if namespace is madly manipulated.
To keep the system workable, /bin/ must be the directory for binary programs,
/etc/ must be the directory for configuration files, and so on in all namespaces.

It is true that the pathname may change while traversing up the dentry/vfsmount trees.
But the change does not occur infinitely.
As I said, a system can't survive if files and directories are madly renamed.
The possible changes are bounded by the policy.

At least, I want people not to speak symlinks and chroots when talking about
AppArmor and TOMOYO Linux.

Regards.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/