The AppArmor debate begins
Posted Apr 27, 2006 12:02 UTC (Thu) by jamesh
In reply to: The AppArmor debate begins
Parent article: The AppArmor debate begins
For some applications you might be able to restrict them enough for this to be true, but many apps will need fairly liberal policies.
Consider a text editor for example. The user expects to be able to edit files all over the system, so even if there is a final "deny all" rule, there will be many paths that the policy needs to allow. Each of these paths is a potential attack vector (assuming that they manage to create the hardlink or bind mount).
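The aliasing concern in this comment, as an added example that is not part of the original post: a hard link gives one inode a second name, so a check on the name alone can allow the alias while denying the original. The `policy_allows` glob matcher and all file names are hypothetical stand-ins (this is not AppArmor's matcher), and `audit_aliases` is one defensive check that flags multiply-linked files under an allowed directory.

```python
import fnmatch
import os
import stat
import tempfile


def policy_allows(path, allow_globs):
    """Simplified path-based check: only the name used for access is examined."""
    return any(fnmatch.fnmatch(path, g) for g in allow_globs)


def audit_aliases(allowed_dir):
    """Return regular files under allowed_dir whose inode has more than one name."""
    flagged = []
    for dirpath, _dirs, files in os.walk(allowed_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                flagged.append(path)
    return sorted(flagged)


def demo():
    """Build a constructed directory tree and compare name-based and inode-based views."""
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "protected")
        allowed = os.path.join(root, "allowed")
        os.mkdir(protected)
        os.mkdir(allowed)
        secret = os.path.join(protected, "secret.conf")
        with open(secret, "w") as f:
            f.write("constructed sample data\n")
        with open(os.path.join(allowed, "plain.txt"), "w") as f:
            f.write("ordinary file with a single name\n")
        alias = os.path.join(allowed, "notes.txt")
        os.link(secret, alias)  # second name for the same inode
        globs = [os.path.join(allowed, "*")]  # hypothetical allow rule
        return {
            "secret_allowed": policy_allows(secret, globs),
            "alias_allowed": policy_allows(alias, globs),
            "same_inode": os.path.samestat(os.stat(secret), os.stat(alias)),
            "flagged": [os.path.basename(p) for p in audit_aliases(allowed)],
        }


if __name__ == "__main__":
    print(demo())
```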