[Apparmor-general] Moving To A Pure Capability Model?
Daniel de Kok
danieldk at pobox.com
Mon Jan 15 03:07:02 MST 2007
Hi,
On Fri, 12 Jan 2007, Crispin Cowan wrote:
> Our options going forward are:
>
> * Completely remove all revalidation, producing the pure capability
> model discussed previously in this thread.
One of the things I like about AppArmor is its clarity - it is pretty easy
to see just by reading a profile what is going on. I think moving to this
pure capability model adds to this clarity.
> * Close all open FDs on exec by default
> * Provide an extended capability (smells just like a POSIX.1e
> capability, but named "pass_fd_on_exec" or such like) that if enabled
> restores the classic behavior
> * similar capability for closing the special stdio FDs
I don't know anything about AppArmor internals, so I may be suggesting
something that is not really feasible or plain dumb :). But what about:
* Close all open FDs on exec by default
* Allow the administrator to use a flag in a profile exec rule that does
not force this default behavior.
As far as I can see there are two advantages: it allows for more
fine-grained access control on execs, and it doesn't require adding a new
capability to programs that want to pass their FDs.
-- Daniel
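Added illustration (not part of the original thread, and not AppArmor code) of what "close all open FDs on exec by default" with an explicit pass list means at the descriptor level. It emulates the policy in userland: every open descriptor not on a keep list is marked FD_CLOEXEC, with the keep list standing in for the per-exec-rule flag (or capability) being discussed and the stdio trio 0, 1, 2 kept by default. It then forks, applies the policy in the child with and without the pipe on the keep list, execs /bin/sh and checks whether the shell can still write through the descriptor. Assumptions: Linux/POSIX, /bin/sh present, fd 9 free in the child; the helper names are invented for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define PASS_FD 9   /* descriptor number handed to the shell (assumed free) */

/* Is fd open, and would it survive an exec()?
 * Returns 1 = open and inherited, 0 = open but FD_CLOEXEC, -1 = not open. */
static int fd_survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

static int in_keep_list(int fd, const int *keep, size_t nkeep)
{
    for (size_t i = 0; i < nkeep; i++)
        if (keep[i] == fd)
            return 1;
    return 0;
}

/* Userland emulation of "close all open FDs on exec by default": every open
 * descriptor not on the keep list gets FD_CLOEXEC. The keep list plays the
 * role of the per-exec-rule flag proposed in the thread; callers normally
 * put 0, 1 and 2 on it. Returns the number of descriptors newly marked,
 * or -1 on error. Hypothetical helper, not AppArmor's mechanism. */
static int close_on_exec_except(const int *keep, size_t nkeep)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0 || maxfd > 65536)
        maxfd = 65536;   /* cap the scan; a real implementation would walk /proc/self/fd */
    int marked = 0;
    for (int fd = 0; fd < maxfd; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1)
            continue;    /* EBADF: nothing open at this number */
        if (in_keep_list(fd, keep, nkeep) || (flags & FD_CLOEXEC))
            continue;
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1)
            return -1;
        marked++;
    }
    return marked;
}

/* Self-check without exec: open a pipe, keep only its read end, then inspect
 * the FD_CLOEXEC bits. Returns 1 if the policy behaved as expected. */
static int policy_self_check(void)
{
    int p[2];
    if (pipe(p) == -1)
        return 0;
    int keep[4] = {0, 1, 2, p[0]};
    int ok = close_on_exec_except(keep, 4) >= 1
          && fd_survives_exec(p[0]) == 1
          && fd_survives_exec(p[1]) == 0;
    close(p[0]);
    close(p[1]);
    return ok && fd_survives_exec(p[1]) == -1;
}

/* The real thing: fork, apply the policy in the child (with or without the
 * pipe on the keep list), exec /bin/sh and let it write through PASS_FD.
 * Returns 1 if the parent received the marker (fd was passed), 0 if the
 * shell found the fd closed, -1 on setup failure. */
static int demo_pass_fd(int pass_pipe_fd)
{
    int p[2];
    if (pipe(p) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) {
        close(p[0]);
        if (dup2(p[1], PASS_FD) == -1)
            _exit(127);
        int keep[4] = {0, 1, 2, PASS_FD};
        if (close_on_exec_except(keep, pass_pipe_fd ? 4 : 3) == -1)
            _exit(127);
        char cmd[64];
        snprintf(cmd, sizeof cmd, "exec 2>/dev/null; echo passed >&%d", PASS_FD);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(p[1]);
    char buf[16];
    ssize_t n = read(p[0], buf, sizeof buf - 1);  /* immediate EOF if the child lost the fd */
    close(p[0]);
    int status;
    waitpid(pid, &status, 0);
    return n > 0 ? 1 : 0;
}

int main(void)
{
    printf("policy self-check: %s\n", policy_self_check() ? "ok" : "FAILED");
    printf("exec with pipe fd on keep list: %s\n",
           demo_pass_fd(1) == 1 ? "shell wrote through it" : "shell lost it");
    printf("exec with default close-on-exec: %s\n",
           demo_pass_fd(0) == 0 ? "shell lost it" : "shell wrote through it");
    return 0;
}
```

The two exec runs are the whole argument in miniature: with the default policy the shell never sees the pipe, and only an explicit entry on the keep list (the analogue of a flag on the exec rule) lets it through.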