[cap-talk] "ACLs don't" paper rejected from Oakland 09

Matej Kosik kosik at fiit.stuba.sk
Tue Feb 3 04:41:21 EST 2009

Hi Rob,

Rob Meijer wrote:
> On Mon, February 2, 2009 12:06, Matej Kosik wrote:
>> However, if we consider mobile code (and today everything is mobile
>> code) then we realize that we must "climb higher". And this is where we
>> will find that while to certain degree we can also climb up on the ACL
>> mountain, it has finite height and we cannot go much higher without
>> returning to the "valey of insecurity" and starting to climb "mountain
>> of capabilities". Understandably, in reality that is not at all so
>> simple. We are not free to choose. To much investments where already
>> made to climbing "Mountain of ACL" and enabling others to climb it. So
>> final "logical" step is to build an SELinux/UAC "tower" there. Did we
>> reached desired hight? (Did we reached the desired level of security
>> from mobile code?) Some might choose to continue to live in delusion
>> that yes. Others returned back to the valey and started to climb a
>> different mountain. It may be frustrating relelation but should we
>> delude ourselves?
> You forget about the bridge that can take you from the top of ACL mountain
> to a plateau somewhere halfway on capability mountain.
> The bridge starts at AppArmor peak and is well supported by both Netfiler
> pillar and file descriptor pillar ;-)
> That is, make processes run under the most restrictive AppArmor profile
> possible under a uid that is denied from initiating any network traffic by
> NetFilter. Than pass those processes file descriptors (or MinorFs strong
> paths) and/or networking sockets, and you will find you have traveled
> succesfully from ACL mountain to Capability mountain without losing much
> altitude :-)

Thanks for bringing this path up. May I bother you with few questions?

There might be different viewpoints on the acceptable size of TCB. We
can be indeed motivated to accept huge TCB if we:
- retain the ability to run legacy applications
- we open a possibility to enforce POLA over them
Does MinorFS+AppArmor+Netfilter enable us to reach those goals? Can you
also realize some kind of powerbox similar to those we can make in E:
- http://altair.sk/mediawiki/upload/f/f9/Powerbox-rants.article.pdf
- http://altair.sk/mediawiki/upload/c/c7/Powerbox-rants.beamer.pdf
That is, can you raise authority of untrusted component initially
running with minimal authority to the desired level? Are current
applications written in such a way that this is easy to do?

More information about the cap-talk mailing list