Kernel Summit 2006: Security
Posted Jul 24, 2006 17:01 UTC (Mon) by Method
In reply to: Kernel Summit 2006: Security
Parent article: Kernel Summit 2006: Security
I'm actually not going to go through this in LWN comments, it's very unproductive. However, you had one entirely false statement in your comment:
"On the other hand, pathnames are unambiguous in that a given pathname always points exactly to a single file."
That is absolutely incorrect. As I pointed out in my blog entry and in previous email discussions, a single path (e.g., /etc/shadow) can refer to "/etc/shadow" in any namespace (chroots or private namespaces).
The great thing about this is that, for example, your bind "policy" gives access to /.* (that means any file on the filesystem), because it is assumed that bind is chrooted.
It doesn't take a genius to figure out that this is incredibly bad if bind fails to chroot, or if someone changes its configuration, etc.
This shows very clearly that AppArmor is essentially a "fail open" security mechanism, which is the worst possible thing from a security standpoint (particularly since the user won't even find out).
The alternative labeled security systems fail closed so if bind couldn't chroot it doesn't matter, it can't access anything on the system.
Anyway, that's it for my responses here, there are far more productive ways of relaying this information than through comments. ciao.
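The fail-open point above, as an added illustration that is not part of the comment and is not AppArmor or SELinux code: a constructed Python model in which a pathname rule only ever sees the string a process used, while a label rule sees the label of the file actually reached. The policy, file labels, paths and the jail location are all made up for the example.

```python
import re

# Constructed model (not AppArmor or SELinux code) of the two approaches the
# comment contrasts. Pathname rules match the name a process uses; label rules
# match a label stored on the file object itself.
PATH_POLICY = {"bind": [re.compile(r"^/.*$")]}   # "bind may read /.*", written assuming bind is chrooted
LABEL_POLICY = {"bind": {"named_zone_t"}}        # bind may read only files labelled named_zone_t

# Constructed filesystem: host-visible path -> label on that file.
LABELS = {
    "/etc/shadow": "shadow_t",
    "/var/lib/named/etc/named.conf": "named_zone_t",
}

def resolve(root, pathname):
    """The host file that `pathname` names inside a namespace rooted at `root`."""
    return pathname if root == "/" else root.rstrip("/") + "/" + pathname.lstrip("/")

def path_model_allows(subject, pathname):
    """Pathname-based check: the policy only ever sees the string the process used."""
    return any(rule.match(pathname) for rule in PATH_POLICY[subject])

def label_model_allows(subject, real_path):
    """Label-based check: the policy sees the label of the actual file object."""
    return LABELS.get(real_path, "unlabeled_t") in LABEL_POLICY[subject]

def check(subject, pathname, root):
    """Evaluate one access under both models.
    Returns (real_path, path_model_decision, label_model_decision)."""
    real = resolve(root, pathname)
    return real, path_model_allows(subject, pathname), label_model_allows(subject, real)

def scenarios():
    """The cases from the comment: chroot succeeded, and chroot silently failed."""
    return {
        # Inside the jail, "/etc/named.conf" is the zone config: both models allow.
        "chroot_ok": check("bind", "/etc/named.conf", "/var/lib/named"),
        # Same pathname string, but inside the jail it names a different (here absent) object.
        "chroot_ok_shadow": check("bind", "/etc/shadow", "/var/lib/named"),
        # chroot failed: "/etc/shadow" now names the host shadow file. The "/.*" rule
        # still matches (fail open); the label rule does not (fail closed).
        "chroot_failed_shadow": check("bind", "/etc/shadow", "/"),
    }

if __name__ == "__main__":
    for name, (real, by_path, by_label) in scenarios().items():
        print(f"{name:22} -> {real:32} path-model={by_path} label-model={by_label}")
```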