Casey Schaufler wrote: > The question of protections on the object named /etc/passwd came > up time and time again. The notion that /etc/passwd could be a > symlink to /home/smalley/heeheehee really gave evaluators the > whillies. As did the chroot environment, where /roots/crispin/etc/passwd > could magicly become /etc/passwd. Why do people continue speaking symlinks and chroots? To avoid the effect of symlinks and chroots, AppArmor and TOMOYO Linux derive pathnames from dentry and vfsmount. If /etc/passwd was a symlink, the derived pathname will be /home/smalley/heeheehee. If accessed from inside a chroot, the derived pathname will be /roots/crispin/etc/passwd. It is true that namespace may differ between processes, but I think that that is the matter of how to restrict namespace manipulation operations. As I said, a system can't survive if namespace is madly manipulated. To keep the system workable, /bin/ must be the directory for binary programs, /etc/ must be the directory for configuration files, and so on in all namespaces. It is true that the pathname may change while traversing up the dentry/vfsmount trees. But the change does not occur infinitely. As I said, a system can't survive if files and directories are madly renamed. The possible changes are bounded by the policy. At least, I want people not to speak symlinks and chroots when talking about AppArmor and TOMOYO Linux. Regards. -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
