Kernel Summit 2006: Security
Posted Jul 24, 2006 20:12 UTC (Mon) by nix
In reply to: Kernel Summit 2006: Security
Parent article: Kernel Summit 2006: Security
It doesn't take a genius to grasp that AppArmor counters this by banning namespace changes (other than chroot(), which can be handled) for covered applications. Yes, this means no fancy shared subtree hacks can be carried out by apps that are *actually covered*, but since shared subtree hacks are often done by login PAM modules, and that's not going to be stuff you're going to protect with AppArmor...
You continue to complain that AppArmor is useless because it doesn't try to protect absolutely everything all of the time, even though *this was a design goal*.