LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

LWN.net Weekly Edition for November 20, 2008

MinGW and why Linux users should care

LWN.net Weekly Edition for November 13, 2008

NLUUG/ELCE: Embedded devices and free software

The sad story of the em28xx driver

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Novell releases AppArmor

Novell releases AppArmor

Posted Jan 16, 2006 11:53 UTC (Mon) by nix (subscriber, #2304)
In reply to: Novell releases AppArmor by etbe
Parent article: Novell releases AppArmor

Well, as I understand it AppArmor uses the filename to *look up* the inode number and then tags the inode. Obviously no other system would be secure under hardlinks, especially if as standard POSIX semantics demand any user can hardlink files owned by other users into directories they control. (I think it reasonable to assume that any system designed by Crispin Cowan wouldn't have a design flaw as large as you imply in it!)

Obviously the AppArmor globbing/regexing thing is something which should be used with care: don't put wildcards at the front of the name!

What might really cause problems for AppArmor, and for any filename-based system, is wide use of filesystem namespaces. If /etc/shadow refers to a different file depending on the PID, what do you do?

(Mind you, this screws up conventional Unix security as well. I think that no matter what you do to the filesystem namespace, / and /etc had better remain non-writable by anyone but root.)

(Log in to post comments)

Novell releases AppArmor

Posted Jan 17, 2006 2:43 UTC (Tue) by etbe (subscriber, #17516) [Link]

With SE Linux there are access controls to determine which processes can
create a hard link to a file. For example with the strict policy most
processes on the system are not permitted to create hard links to files
in /etc. I believe that some of the Common Criteria certifications
require that the system label Inodes not file names so any system that
doesn't do something similar to what SE Linux does will not do well in
certification.

In a conventional Unix system there is nothing preventing you from having
a /etc/shadow file in a chroot environment with different permissions to
the "real" one.

A bigger problem for AppArmor is the fact that file specs are relative to
the root of a file system. So /etc/shadow is equivalent
to /home/etc/shadow if /home is a separate file system.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds