[cap-talk] "ACLs don't" paper rejected from Oakland 09
Matej Kosik
kosik at fiit.stuba.sk
Mon Feb 2 18:07:43 EST 2009
Rob Meijer wrote:
> On Mon, February 2, 2009 12:06, Matej Kosik wrote:
>> <CONTINUING SILLY FAIRYTALE>
>> However, if we consider mobile code (and today everything is mobile
>> code) then we realize that we must "climb higher". And this is where we
>> will find that while to certain degree we can also climb up on the ACL
>> mountain, it has finite height and we cannot go much higher without
>> returning to the "valley of insecurity" and starting to climb "mountain
>> of capabilities". Understandably, in reality that is not at all so
>> simple. We are not free to choose. Too much investment was already
>> made in climbing "Mountain of ACL" and enabling others to climb it. So
>> final "logical" step is to build an SELinux/UAC "tower" there. Did we
>> reach desired height? (Did we reach the desired level of security
>> from mobile code?) Some might choose to continue to live in delusion
>> that yes. Others returned back to the valley and started to climb a
>> different mountain. It may be frustrating revelation but should we
>> delude ourselves?
>> </CONTINUING SILLY FAIRYTALE>
>
> You forget about the bridge that can take you from the top of ACL mountain
> to a plateau somewhere halfway on capability mountain.
>
> The bridge starts at AppArmor peak and is well supported by both Netfilter
> pillar and file descriptor pillar ;-)
>
> That is, make processes run under the most restrictive AppArmor profile
> possible under a uid that is denied from initiating any network traffic by
> NetFilter. Then pass those processes file descriptors (or MinorFs strong
> paths) and/or networking sockets, and you will find you have traveled
> successfully from ACL mountain to Capability mountain without losing much
> altitude :-)
Provided that there is not a single exploitable mistake in your TCB.
Am I right?
>
>
> Rob
>
>
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
>
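
The descriptor-passing step from the quoted reply, as an added example that is not code from either poster: a parent opens a file read-only, removes its name, and hands only the descriptor to a child over a Unix socket with `SCM_RIGHTS`. The function name, the reply framing and the sample bytes are constructed for illustration; the AppArmor profile and Netfilter rule from the thread are assumed to be set up separately and are not shown (Python 3.9+, Linux).

```python
import os
import socket
import tempfile


def delegate_read_only(secret: bytes) -> dict:
    """Hypothetical helper: pass a read-only descriptor to a forked child."""
    parent_sock, child_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)

    # Constructed sample file; after unlink() no path designates it any more.
    fd, path = tempfile.mkstemp()
    os.write(fd, secret)
    os.close(fd)
    ro_fd = os.open(path, os.O_RDONLY)
    os.unlink(path)

    pid = os.fork()
    if pid == 0:  # child: stands in for the confined process
        try:
            parent_sock.close()
            os.close(ro_fd)  # drop the inherited copy; use only the passed one
            _, fds, _, _ = socket.recv_fds(child_sock, 16, 1)
            data = os.read(fds[0], 4096)
            try:
                os.write(fds[0], b"x")  # authority was granted for reading only
                wrote = b"1"
            except OSError:
                wrote = b"0"
            child_sock.sendall(wrote + data)
        finally:
            os._exit(0)

    # parent: the descriptor travels as SCM_RIGHTS ancillary data
    child_sock.close()
    socket.send_fds(parent_sock, [b"fd"], [ro_fd])
    os.close(ro_fd)
    reply = b""
    while chunk := parent_sock.recv(4096):
        reply += chunk
    os.waitpid(pid, 0)
    parent_sock.close()
    return {
        "path_exists": os.path.exists(path),
        "child_read": reply[1:],
        "child_could_write": reply[:1] == b"1",
    }
```

The child can use exactly what it was handed and nothing more, but that still rests on the kernel, the socket layer and the confinement configuration being correct.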