Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754415AbXFVKu1 (ORCPT ); Fri, 22 Jun 2007 06:50:27 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752185AbXFVKuM (ORCPT ); Fri, 22 Jun 2007 06:50:12 -0400 Received: from gate.in-addr.de ([212.8.193.158]:52044 "EHLO mx.in-addr.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752160AbXFVKuK (ORCPT ); Fri, 22 Jun 2007 06:50:10 -0400 Date: Fri, 22 Jun 2007 12:49:31 +0200 From: Lars Marowsky-Bree To: Joshua Brindle , david@lang.hm Cc: Stephen Smalley , James Morris , Pavel Machek , Crispin Cowan , Greg KH , Andreas Gruenbacher , jjohansen@suse.de, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org Subject: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching Message-ID: <20070622104931.GG20105@marowsky-bree.de> References: <20070621160840.GA20105@marowsky-bree.de> <20070621183311.GC18990@elf.ucw.cz> <20070621192407.GF20105@marowsky-bree.de> <20070621195400.GK20105@marowsky-bree.de> <1182459594.20464.16.camel@moss-spartans.epoch.ncsc.mil> <20070621211743.GN20105@marowsky-bree.de> <467B14D9.8050000@manicmethod.com> <467B45E0.3040207@manicmethod.com> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <467B45E0.3040207@manicmethod.com> X-Ctuhulu: HASTUR User-Agent: Mutt/1.5.9i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1731 Lines: 46 On 2007-06-21T23:45:36, Joshua Brindle wrote: > >remember, the policies define a white-list > > Except for unconfined processes. The argument that AA doesn't mediate what it is not configured to mediate is correct, yes, but I don't think that's a valid _design_ issue with AA. > Or through IPC or the network, that is the point, filesystem only > coverage doesn't cut it; there is no way to say the browser can't access > the users mail in AA, and there never will be. We have a variety of filtering mechanisms which are specific to a domain. iptables filters networking only; file permissions filter file access only. This argument is not really strong. If you're now arguing the "spirit of Unix", I can turn your argument around too: the Unix spirit is to have smallish dedicated tools. If AA is dedicated to mediating file access, isn't that nice! AA _could_ be extended to mediate network access and IPC (and this is WIP). If we had tcpfs and ipcfs - you know, everything is a filesystem, the Linux spirit! ;-) - AA could mediate them as well. However, we're discussing the way it mediates file accesses here, for which it appears useful and capable of functionality which SELinux's approach cannot provide. Regards, Lars -- Teamlead Kernel, SuSE Labs, Research and Development SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG N?rnberg) "Experience is the name everyone gives to their mistakes." -- Oscar Wilde - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/