
List:       apparmor-dev
Subject:    Re: [Apparmor-dev] Delegating file descriptors (was: [ANN]
From:       Mark Seaborn <mseaborn () onetel ! com>
Date:       2006-08-30 18:18:28
Message-ID: 20060830.191828.343192435.mrs () localhost ! localdomain

"Ed Reed (Aesec)" <Ed.Reed@aesec.com> wrote:

> Mark Seaborn wrote:
>
> > Yes, you can change between profiles dynamically, but the profiles are
> > statically defined, so the criticism still applies.
> >   
>  And why, if minimalism is appropriate for a policy file, is it not also 
> appropriate for the programs to which the policy applies?
> 
> If the program does more than it needs to do to perform its appropriate 
> function, it should be refactored, should it not?

I'm not sure how this follows on from what I wrote.  However:

If a program accesses some resources that are not actually necessary
for performing its task, and it consequently fails when these
resources are not granted to it, of course it should be changed.  But
that is not the case in the examples I am talking about.

Can you give an example of the sort of refactoring you mean?  How
would you change Mike Hearn's image decoder example so that the
decoder process is granted access only to the image file to be
decoded?

The point I'm trying to make is that there are many programs for which
the minimal authority necessary is not known statically.  The program
needs access to a resource specified by its invoker and that resource
cannot be specified statically.  You can't refactor this away.  If you
try to put a static bound on the set of resources that the program
might legitimately be invoked to operate on, the bound will be way too
large.

Take a text editor as an example.  Assuming you launch one process for
each file to be edited, you would ideally want to give each process
read/write access to the individual text file it is editing.  How
would you achieve this in a static policy system such as AppArmor or
SELinux?

Mark
_______________________________________________
Apparmor-dev mailing list
Apparmor-dev@forge.novell.com
http://forge.novell.com/mailman/listinfo/apparmor-dev