Kernel Summit 2006: Security
Posted Jul 24, 2006 16:13 UTC (Mon) by crispin
In reply to: Kernel Summit 2006: Security
Parent article: Kernel Summit 2006: Security
... so lets take just one argument at a time: "paths are ambiguous".
Hmmm. Yes, more than one path name can refer to a single file. This would be a problem in a black-list system, in which you try to name all the files you cannot access. But AppArmor is a white list system that names the files you can access. So if policy grants you access to /etc/shadow, it doesn't matter if /tmp/mumblebarf also points to the same place.
If policy grants you access to /tmp/* and someone created an alias so that /tmp/mumblebarf points to /etc/shadow, then they must have had the privileges necessary to create such a powerful alias.
On the other hand, pathnames are unambiguous in that a give pathname always points exactly to a single file.
Now lets look at labels. A file can have only a single label. So all policies that want to grant access to a given file have to grant access to that label.
OTOH, many different files can have the same label. So it is difficult for a policy to grant access to just that specific file; you have to grant access to its label, and that also grants access to all the other files that have that same label.
Visually, it looks like this:
Path ---- File
Label ---- File
So if you ever find yourself in the position of wanting to grant an access to *some* of the files that share a label and not others, then you would have to re-label them all with some new labels that distinguish as such, and then go change all of the policies that use that label to then use the new 2 or more labels.
Oh, and this blows your object tranquility because it requires re-labeling. Unless you anticipated all possible such scenarios and got your labels *perfect* the first time.
So which kind of ambiguity do you prefer?
to post comments)