Novell releases AppArmor
Posted Jan 14, 2006 0:27 UTC (Sat) by etbe
In reply to: Novell releases AppArmor
Parent article: Novell releases AppArmor
In the Unix permission scheme (IE user, group, and other having RWX bits)
the file name is NOT used for access control. If for example I use the
"mv" command to rename a file it will have the same permissions after the
rename operation. Any MAC system which does not control access based on
the Inode (as SE Linux does with XATTRs that are associated with the
Inode) will not preserve the same semantics as Unix permissions in regard
to renaming files.
Then there's the issue of hard-links. In Unix file systems a file with
hard links does not have one canonical name, each of the hard links can
be considered equally authoritative. When access is based on a regular
expression and you have two different regexes matching different hard
links to a file then you have different access granted to a file
depending on which name you use to access it.
For a comprehensive MAC system you want to be able to audit the
policy. For example to secure the /etc/shadow file we want to know which
domains can read/write it and which programs can be used to enter those
domains so that we know which programs to audit to verify that there is
no possibility of stealing or changing passwords. Such analysis is not
possible when the programs that have access to the shadow file may have
different labels depending on which name is used to access them.
A further complication of AppArmor is that file paths seem only valid
within a file system. So if /home is a separate file system then a
hostile user could request that the administrator give them an account
name which matches a regular expression for some system files. Think
about if a user had an account named "lib" or "opt"...
to post comments)