On Wed, Jan 04, 2012 at 03:34:18PM -0800, John Johansen wrote:
> On 01/04/2012 02:35 PM, Steve Beattie wrote:
> > I recognize you're not adding permissions here so it's not a failing
> > of your patch, but I really dislike having abstractions/nameservice
> > included within the HANDLING_UNTRUSTED_INPUT hat, because it
> > grants access to so much stuff. The HANDLING_UNTRUSTED_INPUT hat is
> > intended to be a minimal set of privileges needed while parsing an
> > http request. Once it's been parsed, then mod_apparmor is supposed
> > to switch to the appropriate hat for the request which may have wider
> > privileges (but still a subset of the whole).
> >
> > (Ideally, some form of privilege separation would get added to apache
> > proper.)
>
> What do you think about splitting up the nameservice abstraction, and
> maybe including some of it? Of course that is really vague as without
> knowing how it's split it's going to be hard to say.

Yeah, that'd be fine, perhaps named abstractions/nameservice-minimal,
unless there's a clearer functional set of commonality to pull out.
The trick will be what minimal set is necessary; for apache's
HANDLING_UNTRUSTED_INPUT hat, it really does need tcp access and if it's
going to log with hostnames (i.e. needs to do a reverse DNS lookup) it
will also need udp network access.

> Reworking the abstractions has been a goal for a long time now. Maybe
> we should just start cherry picking some and doing it. Hopefully with
> the dfa permissions rework that is coming we will finally be able to
> hack together a tool to help us in finding and generating abstractions.

Yeah, a tool that would examine the existing set of policy and come up
with commonly repeated rules to propose for abstraction
inclusion/creation would be great.

-- 
Steve Beattie <[email protected]>
http://NxNW.org/~steve/
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
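The abstraction-mining tool Steve describes above, as an added example for this thread (not code from the AppArmor project or from anyone on the list): a small Python script that parses a set of profile files, records which rules each profile contains (rules inside a hat such as ^HANDLING_UNTRUSTED_INPUT count toward their enclosing profile, and can also be listed on their own), finds rules shared by at least N profiles, and renders those as a proposed abstraction body. The three sample profiles are constructed for the example and are not real distribution policy; the name nameservice-minimal is taken from the thread as a hypothetical. The parser is deliberately simplified: it handles one comma-terminated rule per line, skips #include lines rather than expanding them, and does not expand @{variables}.

```python
"""Mine a set of AppArmor profiles for rules that recur across profiles.

Added example (not AppArmor project code).  The profiles below are
constructed for the example and are not real distribution policy.
"""
from collections import defaultdict

# Constructed sample policy: three programs that happen to share the file
# and network rules a name-service lookup needs.
SAMPLE_PROFILES = {
    "usr.sbin.apache2": """
#include <tunables/global>
/usr/sbin/apache2 {
  #include <abstractions/base>
  capability net_bind_service,
  network inet stream,
  network inet dgram,
  /etc/resolv.conf r,
  /etc/hosts r,
  /etc/nsswitch.conf r,   # trailing comment, must be stripped
  /var/log/apache2/*.log w,

  ^HANDLING_UNTRUSTED_INPUT {
    network inet stream,
    /var/log/apache2/*.log w,
  }
}
""",
    "usr.sbin.ntpd": """
#include <tunables/global>
/usr/sbin/ntpd {
  #include <abstractions/base>
  network inet dgram,
  /etc/resolv.conf r,
  /etc/hosts r,
  /etc/nsswitch.conf r,
  /etc/ntp.conf r,
}
""",
    "usr.bin.wget": """
#include <tunables/global>
/usr/bin/wget {
  #include <abstractions/base>
  network inet stream,
  network inet dgram,
  /etc/resolv.conf r,
  /etc/hosts r,
  /etc/nsswitch.conf r,
  owner @{HOME}/** rw,
}
""",
}


def parse_rules(text, hat=None):
    """Return the set of normalized rule lines in one profile file.

    With hat=None every rule in the file is returned, including rules
    inside hats (^NAME { ... }), since the question is what the program
    needs overall.  With hat="NAME" only rules directly inside that hat
    are returned.  Block openers ('... {'), closers ('}'), #include
    directives and comments are not rules and are skipped.
    """
    rules = set()
    stack = []                      # enclosing blocks: profile path or ^HAT
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#include"):
            continue
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        if not line.endswith(","):
            continue                # not a complete rule in this toy parser
        if hat is not None and (not stack or stack[-1] != "^" + hat):
            continue
        rules.add(" ".join(line.split()))
    return rules


def shared_rules(profiles, min_profiles=2):
    """Map each rule to the sorted names of the profiles containing it,
    keeping only rules present in at least min_profiles profiles."""
    seen = defaultdict(list)
    for name, text in profiles.items():
        for rule in parse_rules(text):
            seen[rule].append(name)
    return {r: sorted(ps) for r, ps in seen.items() if len(ps) >= min_profiles}


def propose_abstraction(shared, title):
    """Render shared rules as an abstraction file body, most widely shared
    first, annotating each with how many profiles carry it."""
    lines = [f"# abstractions/{title}: proposed from rules shared across profiles"]
    for rule, ps in sorted(shared.items(), key=lambda kv: (-len(kv[1]), kv[0])):
        lines.append(f"  {rule:<28} # in {len(ps)} profiles")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(propose_abstraction(shared_rules(SAMPLE_PROFILES), "nameservice-minimal"))
    print("rules confined to apache2's untrusted-input hat:")
    for r in sorted(parse_rules(SAMPLE_PROFILES["usr.sbin.apache2"], hat="HANDLING_UNTRUSTED_INPUT")):
        print("  " + r)
```

On the sample set the proposal is exactly the resolver files plus the inet stream and dgram rules, which is the kind of split the thread is asking for; on real policy the output is a starting point for review, not something to install, since a rule that is common is not necessarily one every consumer should get.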
