[cap-talk] "ACLs don't" paper rejected from Oakland 09

Rob Meijer capibara at xs4all.nl
Mon Feb 2 08:04:22 EST 2009

On Mon, February 2, 2009 12:06, Matej Kosik wrote:
> However, if we consider mobile code (and today everything is mobile
> code) then we realize that we must "climb higher". And this is where we
> will find that while to a certain degree we can also climb up on the ACL
> mountain, it has finite height and we cannot go much higher without
> returning to the "valley of insecurity" and starting to climb the "mountain
> of capabilities". Understandably, in reality that is not at all so
> simple. We are not free to choose. Too much investment was already
> made in climbing "Mountain of ACL" and enabling others to climb it. So the
> final "logical" step is to build an SELinux/UAC "tower" there. Did we
> reach the desired height? (Did we reach the desired level of security
> from mobile code?) Some might choose to continue to live in the delusion
> that yes. Others returned back to the valley and started to climb a
> different mountain. It may be a frustrating revelation, but should we
> delude ourselves?

You forget about the bridge that can take you from the top of ACL mountain
to a plateau somewhere halfway on capability mountain.

The bridge starts at AppArmor peak and is well supported by both the Netfilter
pillar and the file descriptor pillar ;-)

That is, make processes run under the most restrictive AppArmor profile
possible under a uid that is denied from initiating any network traffic by
Netfilter. Then pass those processes file descriptors (or MinorFs strong
paths) and/or networking sockets, and you will find you have traveled
successfully from ACL mountain to Capability mountain without losing much
altitude :-)
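The "file descriptor pillar" of the bridge described above, as an added example that is not part of the original post: a parent process opens a resource and hands only the open descriptor to a child over a Unix socket with SCM_RIGHTS, so the child can use the resource without ever being told its path (the descriptor is the capability). The AppArmor profile and the Netfilter owner-match rule that would confine the child are assumed to be in place outside this script and are only referenced in comments; the sample file contents are constructed for the demonstration. Requires Python 3.9+ on a Unix system for socket.send_fds/recv_fds.

```python
import os
import socket
import tempfile


def send_fd(sock: socket.socket, fd: int) -> None:
    """Hand one descriptor to the peer; the kernel duplicates it into the receiver."""
    socket.send_fds(sock, [b"fd"], [fd])


def recv_fd(sock: socket.socket) -> int:
    """Receive exactly one descriptor from the peer."""
    _msg, fds, _flags, _addr = socket.recv_fds(sock, 16, 1)
    return fds[0]


def confined_child(sock: socket.socket) -> None:
    """Body of the confined process.

    In the deployment the post describes this process would run under a
    restrictive AppArmor profile and a uid blocked by a Netfilter owner match
    (e.g. `iptables -A OUTPUT -m owner --uid-owner <sandbox-uid> -j REJECT`),
    so the descriptor it receives here is the only way it can reach the file.
    """
    fd = recv_fd(sock)
    data = os.read(fd, 4096)
    os.close(fd)
    sock.sendall(data)           # report back what was readable through the fd
    sock.shutdown(socket.SHUT_WR)


def pass_fd_to_child(path: str) -> bytes:
    """Fork a child, pass it an open descriptor for `path`, return what it read."""
    parent_end, child_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:
        parent_end.close()
        try:
            confined_child(child_end)
        finally:
            os._exit(0)          # never return into the parent's code paths
    child_end.close()
    fd = os.open(path, os.O_RDONLY)
    send_fd(parent_end, fd)
    os.close(fd)                 # the parent's copy is not needed any more
    chunks = []
    while True:
        chunk = parent_end.recv(4096)
        if not chunk:
            break
        chunks.append(chunk)
    parent_end.close()
    os.waitpid(pid, 0)
    return b"".join(chunks)


def demo() -> bytes:
    """Create a constructed sample file, pass it by descriptor, return the child's view."""
    with tempfile.NamedTemporaryFile("wb", delete=False) as f:
        f.write(b"constructed sample: only reachable via the passed fd\n")
        path = f.name
    try:
        return pass_fd_to_child(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo().decode(), end="")
```

The child only ever calls read on a descriptor it was given; it never performs an open by name, which is exactly the distinction between ambient authority under an ACL and a capability handed over explicitly.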


