LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for April 4, 2013

LWN.net Weekly Edition for March 28, 2013

A kernel change breaks GlusterFS

PyCon: Evangelizing Python

Multipath TCP: an overview

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

The AppArmor debate begins

The AppArmor debate begins

Posted Apr 27, 2006 15:16 UTC (Thu) by vmole (guest, #111)
In reply to: The AppArmor debate begins by drag
Parent article: The AppArmor debate begins

Lots of applications need temporary files with unpredictable names. For these, your AppArmor profile will have something like "/tmp/*" allowed. Or consider a mail reader, that might allow access to "/var/mail/**" (AA designation for all subdirs of "/var/mail", IIRC). Or, consider one that was pointed out on the LKML: The bind9 profile was "/**", i.e. everything, under the assumption that it would be running chroot("/var/named"), but there's no way for AA to enforce that expectation.

Another thing to realize is that a lot of the objections are to AA using paths in the kernel. This leads to AA trying to convert dentry values to paths, which is both expensive and unreliable.

(Log in to post comments)

The AppArmor debate begins

Posted Apr 28, 2006 5:49 UTC (Fri) by dlang (✭ supporter ✭, #313) [Link]

note that AppArmor is planning to make all paths be absolute paths, so if you chroot bind in /bind then it's profile would be /bind/** to close this exact vunerability.

don't mistake a weakness in the current implementation with a fundamental flaw in the design

The AppArmor debate begins

Posted Apr 28, 2006 17:28 UTC (Fri) by MenTaLguY (subscriber, #21879) [Link]

Since Linux supports per-process namespaces, there ARE no globally absolute paths.

The AppArmor debate begins

Posted May 4, 2006 9:13 UTC (Thu) by renox (subscriber, #23785) [Link]

I disagree: the kernel has to do the translation so it has 'absolute' paths.

That each process can have a different view doesn't imply that there is no absolute path.

The AppArmor debate begins

Posted May 4, 2006 16:58 UTC (Thu) by MenTaLguY (subscriber, #21879) [Link]

No, it doesn't. As I recall (it's been a long time since I've messed with filesystem stuff), each namespace can have its own root dentry, and dentries are mostly used used for looking up inodes by their path within a particular namespace.

There is no real "absolute" path to a file because the kernel doesn't need it. Most interesting things happen at the filesystem/inode level.

(One of the reasons that people object to AppArmor is that it'd require pushing a lot of things up into dentry-land, when the whole system was designed around inodes.)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds