Mailinglist Archive: opensuse-security (69 mails)

Re: [suse-security] Deny access to file for all applications with apparmor?
  • From: Boyan Tabakov <blade.alslayer@xxxxxxxxx>
  • Date: Sun, 8 Oct 2006 12:21:32 +0300
  • Message-id: <200610081221.36156.blade.alslayer@xxxxxxxxx>
On 8.10.2006 03:56, Crispin Cowan wrote:
> AppArmor currently does not have a way to do this, but it is in our road
> map. The idea would be a "default profile" that applies to *any* process
> started, which does not otherwise have an explicit profile. The problem
> with the default profile approach is that this profile has to
> simultaneously satisfy 2 requirements:
> 1. Be "tight" enough that a process confined only by the default
> profile cannot corrupt AppArmor itself.
> 2. Be "loose" enough that administrative processes, such as YaST and
> RPM, can still function.

I see. Hope you will come up with a solution!

> * The security of the default profile will be exceptionally weak if
> it is a negative profile. This is for all the usual security
> weaknesses of a default allow policy.

OK, but how would this 'weakness' be any different than the current state,
where there is no profile assigned at all to most of the processes? If the
default negative profile is empty, that would mean 'access granted' by
default, which won't corrupt anything.

> * The usability of the system will be severely compromised if the
> default profile is a positive (normal) profile. *Every* process in
> the system will be subject to this default profile, and so lots of
> "normal" UNIX administrative procedures won't work.

A default restrictive profile could render the system completely unusable.
That's why I guess the default profile should be negative only. If it is
positive, it would truly need a lot of time to develop.

> Therefore, using the default profile feature is likely to be appropriate
> only for specialized situations where the configuration can be limited
> to a specific need, and therefore its administrative needs will be
> relatively simple.

Exactly! My situation is like this. But having the tools to do this only
gives the administrator more options. It means that the administrator should
be paying more attention, too.

Good luck with the project!

Blade hails you...

All the same take me away
We're dead to the world