[apparmor] [patch] split off apache permissions to abstractions/apache2-common

Steve Beattie steve at nxnw.org
Wed Jan 4 23:48:38 UTC 2012


On Wed, Jan 04, 2012 at 03:34:18PM -0800, John Johansen wrote:
> On 01/04/2012 02:35 PM, Steve Beattie wrote:
> > I recognize you're not adding permissions here so it's not a failing
> > of your patch, but I really dislike having abstractions/nameservice
> > included within the HANDLING_UNTRUSTED_INPUT hat, because it
> > grants access to so much stuff. The HANDLING_UNTRUSTED_INPUT hat is
> > intended to be a minimal set of privileges needed while parsing an
> > http request. Once it's been parsed, then mod_apparmor is supposed
> > to switch to the appropriate hat for the request which may have wider
> > privileges (but still a subset of the whole).
> > 
> > (Ideally, some form of privilege separation would get added to apache
> > proper.)
> > 
> What do you think about splitting up the nameservice abstraction, and
> maybe including some of it?  Of course that is really vague as without
> knowing how it's split it's going to be hard to say.

Yeah, that'd be fine, perhaps named abstractions/nameservice-minimal,
unless there's a clearer functional set of commonality to pull out.
The trick will be what minimal set is necessary; for apache's
HANDLING_UNTRUSTED_INPUT hat, it really does need tcp access and
if it's going to log with hostnames (i.e. needs to do a reverse DNS
lookup) it will also need udp network access.

> Reworking the abstractions has been a goal for a long time now.  Maybe
> we should just start cherry picking some and doing it.  Hopefully with
> the dfa permissions rework that is coming we will finally be able to
> hack together a tool to help us in finding and generating abstractions.

Yeah, a tool that would examine the existing set of policy and
come up with commonly repeated rules to propose for abstraction
inclusion/creation would be great.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
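
An added sketch of the tool idea discussed above (not part of the original message and not AppArmor project code): it counts how many profiles each rule appears in and proposes the widely shared ones as abstraction candidates. The profiles, their file names, and the `rules`/`propose` helpers are constructed for illustration, and the parser assumes one comma-terminated rule per line.

```python
from collections import defaultdict

# Constructed sample policy, keyed by hypothetical profile file names.
SAMPLE_PROFILES = {
    "usr.sbin.exampled": """
/usr/sbin/exampled {
  #include <abstractions/base>
  network inet stream,
  /etc/hosts r,
  /etc/resolv.conf r,
}""",
    "usr.bin.examplec": """
/usr/bin/examplec {
  network inet stream,
  network inet dgram,   # reverse DNS lookups
  /etc/hosts r,
  /etc/resolv.conf r,
}""",
    "usr.sbin.examplew": """
/usr/sbin/examplew {
  ^HANDLING_UNTRUSTED_INPUT {
    network inet  stream,
    /etc/hosts r,
  }
}""",
}

def rules(text):
    """Normalized rules of one profile file; hats count toward the file."""
    found = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drops comments and #include lines
        if line.endswith(","):                # rules end in a comma; skips '{' and '}'
            found.add(" ".join(line[:-1].split()))
    return found

def propose(profiles, min_share=0.6):
    """Rules found in at least min_share of the profiles, most common first."""
    seen = defaultdict(set)
    for name, text in profiles.items():
        for rule in rules(text):
            seen[rule].add(name)
    need = min_share * len(profiles)
    hits = [(r, sorted(p)) for r, p in seen.items() if len(p) >= need]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))

if __name__ == "__main__":
    for rule, users in propose(SAMPLE_PROFILES):
        print(f"{len(users)}/{len(SAMPLE_PROFILES)}  {rule},")
```

Each proposal still needs human review before it goes into an abstraction: a rule being common does not make it minimal for a restricted hat such as HANDLING_UNTRUSTED_INPUT.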