Linux security non-modules and AppArmor
Posted Jun 29, 2007 15:06 UTC (Fri) by farnz
In reply to: Linux security non-modules and AppArmor
Parent article: Linux security non-modules and AppArmor
AppArmor faces a much bigger problem; you've just said that you don't want a broken application to have unconstrained access to /etc/resolv.conf. That application also needs to create files (e.g. log files, temporary files, etc.), so what stops it from doing something like
'ln /etc/resolv.conf /tmp/mytempfile && echo broken >> /tmp/mytempfile'? Bear in mind that the interesting applications to confine run as root for part of their lifecycle, so that you need your confinement solution to confine root, too.
The basic issue with pathname-based security is the ease of accidentally breaking it. Most real-world programs that you want to secure (Apache, Mozilla, mutt) either have log files, or create temporary files, or both. Making it impossible to create hard links breaks expected UNIX functionality, so the reality is that unless you take an immense amount of care in writing policy, AppArmor ends up being security theatre, and easy to bypass.
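A defender-side check for the aliasing described in the comment above, as an added example that is not part of the original comment: it compares device and inode numbers instead of pathnames to find files in writable directories that are second names for a protected file. The function names and the temporary directory tree standing in for /etc and /tmp are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile


def find_hardlink_aliases(protected_paths, writable_dirs):
    """List (alias, protected) pairs where a file under a writable directory
    is the same inode as a protected file reached by another name."""
    protected = {}
    for p in protected_paths:
        st = os.lstat(p)                      # lstat: do not follow symlinks
        protected[(st.st_dev, st.st_ino)] = p
    hits = []
    for top in writable_dirs:
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                candidate = os.path.join(dirpath, name)
                st = os.lstat(candidate)
                # Only regular files with more than one name can be aliases.
                if not stat.S_ISREG(st.st_mode) or st.st_nlink < 2:
                    continue
                target = protected.get((st.st_dev, st.st_ino))
                if target and os.path.realpath(candidate) != os.path.realpath(target):
                    hits.append((candidate, target))
    return sorted(hits)


def demo():
    """Build a constructed tree mirroring the comment's example and scan it."""
    with tempfile.TemporaryDirectory() as root:
        etc, tmp = os.path.join(root, "etc"), os.path.join(root, "tmp")
        os.mkdir(etc)
        os.mkdir(tmp)
        resolv = os.path.join(etc, "resolv.conf")         # constructed stand-in
        with open(resolv, "w") as fh:
            fh.write("nameserver 192.0.2.53\n")            # documentation address
        with open(os.path.join(tmp, "ordinary.log"), "w") as fh:
            fh.write("unrelated\n")
        os.link(resolv, os.path.join(tmp, "mytempfile"))  # second name, same inode
        hits = find_hardlink_aliases([resolv], [tmp])
        return [(os.path.relpath(a, root), os.path.relpath(p, root)) for a, p in hits]


if __name__ == "__main__":
    for alias, target in demo():
        print(f"{alias} is a hard link to {target}")
```

The scan only sees aliases on the same filesystem as the protected file, which is also the only place a hard link to it can exist.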