[Apparmor-dev] AppArmor and capabilities?
Crispin Cowan
crispin at mercenarylinux.com
Mon Nov 12 12:54:43 MST 2007
John Johansen wrote:
> On Mon, Nov 12, 2007 at 02:09:25PM +0200, Markku Savela wrote:
>
>> Perhaps someone needs to make trivial profile system like AppArmor for
>> executables, and implement only capability granting there
> It has been considered and even prototyped; it could even be included
> in the future depending on community feedback. The larger question
> is if this is a feature that really belongs in AppArmor, and whether
> we wouldn't just be better off stacking with the fscaps project.
>
I personally think it is a bad idea for AppArmor. AppArmor is
*deliberately* purely restrictive: AA *never* grants more permission
than the program had without AppArmor. This provides 2 nice properties:
* You can "trust" an AppArmor policy set to not screw your security
any worse than it was without AppArmor; it will not open
surprising new holes.
* You can rip AppArmor out at a moment's notice, and your system has
zero dependence on AppArmor. It will continue functioning just as
it did before, but with less security.
If you want to have a security system that adds privileges instead of
subtracting them, you should do it in a different module, and then stack
them. Load the privilege adder first, and then AppArmor second. The
FSCaps project would be a good contender for this.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin
CEO, Mercenary Linux http://mercenarylinux.com/
Itanium. Vista. GPLv3. Complexity at work
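A small model of the stacking order argued for above, added here as an illustration (it is not code from the AppArmor or fscaps projects): a privilege-adding module is modelled as a set union at exec, a purely restrictive AppArmor-style profile as a set intersection, and the two are composed in both orders. The capability names and the sample sets are constructed for the example.

```python
from typing import FrozenSet

Caps = FrozenSet[str]


def fscaps_exec(proc_caps: Caps, file_caps: Caps) -> Caps:
    """Privilege-adding module (fscaps-style, simplified): the file's
    capability set is granted on exec, so the result may exceed the input."""
    return proc_caps | file_caps


def apparmor_confine(proc_caps: Caps, profile_caps: Caps) -> Caps:
    """Purely restrictive module (AppArmor-style): a profile's capability
    rules can only keep what the process already has (intersection)."""
    return proc_caps & profile_caps


def exec_through_stack(proc_caps: Caps, file_caps: Caps,
                       profile_caps: Caps, adder_first: bool) -> Caps:
    """Compose the two modules in the given order for a single exec."""
    if adder_first:
        return apparmor_confine(fscaps_exec(proc_caps, file_caps), profile_caps)
    # Wrong order: the grant happens after confinement, outside AppArmor's view.
    return fscaps_exec(apparmor_confine(proc_caps, profile_caps), file_caps)


def never_grants_more(proc_caps: Caps, profile_caps: Caps) -> bool:
    """Property 1 from the post: confinement alone never yields a superset."""
    return apparmor_confine(proc_caps, profile_caps) <= proc_caps


def respects_profile(result: Caps, profile_caps: Caps) -> bool:
    """Did the final capability set stay within what the profile permits?"""
    return result <= profile_caps


# Constructed sample values (hypothetical, not taken from the list post).
PROC = frozenset({"net_bind_service", "chown"})     # caps the process starts with
FILE = frozenset({"sys_admin"})                     # granted by the adding module
PROFILE = frozenset({"net_bind_service"})           # allowed by the AppArmor profile

if __name__ == "__main__":
    for adder_first in (True, False):
        got = exec_through_stack(PROC, FILE, PROFILE, adder_first)
        label = "adder first, AppArmor second" if adder_first else "AppArmor first"
        print(f"{label}: {sorted(got)} within profile: {respects_profile(got, PROFILE)}")
```

With the adder loaded first the profile's intersection is applied to everything the process ends up holding, so the result stays inside the profile; with AppArmor first, the later grant slips past confinement even though AppArmor itself never added anything.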