On Wed, 2007-04-18 at 13:15 -0700, David Lang wrote: > On Wed, 18 Apr 2007, James Morris wrote: > > > On Tue, 17 Apr 2007, Alan Cox wrote: > > > >> I'm not sure if AppArmor can be made good security for the general case, > >> but it is a model that works in the limited http environment > >> (eg .htaccess) and is something people can play with and hack on and may > >> be possible to configure to be very secure. > > > > Perhaps -- until your httpd is compromised via a buffer overflow or > > simply misbehaves due to a software or configuration flaw, then the > > assumptions being made about its use of pathnames and their security > > properties are out the window. > > since AA defines a whitelist of files that httpd is allowed to access, a > comprimised one may be able to mess up it's files, but it's still not going to > be able to touch other files on the system. > > > Without security labeling of the objects being accessed, you can't protect > > against software flaws, which has been a pretty fundamental and widely > > understood requirement in general computing for at least a decade. > > this is not true. you don't need to label all object and chunks of memory, you > just need to have a way to list (and enforce) the objects and memory that the > program is allowed to use. labeling them is one way of doing this, but not the > only way. You need a way of providing global and persistent security guarantees for the data, and per-program profiles based on pathname don't get you there. There is no system view in AA, just a bunch of disconnected profiles. -- Stephen Smalley National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
