Casey Schaufler wrote: > --- Andreas Gruenbacher <agruen@xxxxxxx> wrote: > >> AppArmor cannot assume anything about argv[0], >> >> and it would be a really bad idea to change the well-established semantics of >> >> argv[0]. >> >> There is no actual need for looking at argv[0], though: AppArmor decides >> based >> on the actual pathname of the executable... >> > Right. My point was that if you wanted to use the gzip/gunzip > example of a file with two names being treated differently based > on the name accessed as an argument for AppArmor you could. AppArmor detects the pathname of the file exec'd at the time the parent exec's it, and not anything inside the child involving argv[0]. As such, AA can detect whether you did exec("gzip") or exec("gunzip") and apply the policy relevant to the program. It could apply different policies to each of them, so whether it has access to /tmp/mumble/barf depends on whether you called it 'gzip' or 'gunzip'. Caveat: it makes no sense to profile either gzip or gunzip in the AppArmor model, so I won't defend what kind of policy you would put on them. Finally, AA doesn't care what the contents of the executable are. We assume that it is a copy of metasploit or something, and confine it to access only the resources that the policy says. > If > you don't want to, that's ok too. Jeremy raised a reasonable objection, > and AppArmor could address it if y'all chose to do so. I seriously > doubt that enforcing the argv[0] convention would break much, and I > also expect that if it did there's a Consultant's Retirement to be > made fixing the security hole it points out. > AppArmor does address it, and I hope this explains how we detect which of multiple hard links to a file you used to access the file without mucking about with argv[0]. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering http://novell.com Security: It's not linear - To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html