Linux security non-modules and AppArmor
Posted Jul 2, 2007 8:52 UTC (Mon) by farnz
In reply to: Linux security non-modules and AppArmor
Parent article: Linux security non-modules and AppArmor
You've read a bit too much into what I'm saying. All I'm trying to point out is that the use of pathnames as your stable identifiers is rather weak if you're not thinking things through; this becomes especially true if a program uses hard links in normal operation. If you're thinking things through in enough detail to catch all the corner cases, you're also thinking things through in enough detail to write a label-based policy that works.
It's all too easy to write a policy like "Read /etc/resolv.conf, read/write/modify/hardlink in /tmp" without thinking about the details of what that allows; worse, the exact behaviour of that security policy depends on system partitioning. On my home machines, where /tmp is in its own partition, that policy is safe. On my work machines, where I have a single large /, that policy is dangerous.
Note that it's the use of pathnames as stable identifiers in policy that concerns me, not the rest of the AppArmor kernel-side. A simpler policy format using file labels wouldn't worry me at all.
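The partition dependence described in the comment above can be checked mechanically. The following is an added example, not part of the original comment or of AppArmor: it flags directories where a path-based rule grants link rights on the same filesystem as a file the policy is meant to keep out of reach, and shows in a scratch directory that one inode can answer to two pathnames. The path `/etc/protected.conf`, the device numbers and all function names are hypothetical.

```python
import os
import tempfile
from collections import namedtuple

def same_filesystem(directory, target, stat=os.stat):
    """link(2) fails with EXDEV across filesystems, so a hard link to
    `target` can only be created in `directory` if both share st_dev."""
    return stat(directory).st_dev == stat(target).st_dev

def audit_link_grants(link_dirs, protected, stat=os.stat):
    """Return (directory, file) pairs where a path-based rule granting link
    rights in `directory` could give `file` a second, policy-covered name."""
    return [(d, p) for d in link_dirs for p in protected
            if same_filesystem(d, p, stat)]

def alias_demo():
    """Constructed scratch tree: one inode reachable under two pathnames."""
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "etc", "protected.conf")
        alias = os.path.join(root, "tmp", "alias")
        os.makedirs(os.path.dirname(protected))
        os.makedirs(os.path.dirname(alias))
        with open(protected, "w") as f:
            f.write("constructed sample\n")
        os.link(protected, alias)  # same filesystem, so no EXDEV
        st = os.stat(alias)
        # A path rule sees "tmp/alias"; a label would follow the inode.
        return os.path.samestat(os.stat(protected), st), st.st_nlink

# Constructed device numbers modelling the two layouts from the comment.
FakeStat = namedtuple("FakeStat", "st_dev")
SEPARATE_TMP = {"/etc/protected.conf": 1, "/tmp": 2}
SINGLE_ROOT = {"/etc/protected.conf": 1, "/tmp": 1}

def fake_stat(layout):
    """Stand-in for os.stat that reads st_dev from a constructed layout."""
    return lambda path: FakeStat(layout[path])

if __name__ == "__main__":
    for name, layout in (("separate /tmp", SEPARATE_TMP),
                         ("single /", SINGLE_ROOT)):
        hits = audit_link_grants(["/tmp"], ["/etc/protected.conf"],
                                 fake_stat(layout))
        print(f"{name}: {hits or 'no shared filesystem'}")
    print("same inode, link count:", alias_demo())
```

Called without the `stat` argument, `audit_link_grants` uses `os.stat` and reports on the real mount layout of the machine it runs on.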