Full Disclosure mailing list archives

Re: [Apparmor-dev] Re: Re: [SC-L] Re: [Owasp-dotnet] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code


From: John Johansen <jjohansen () suse de>
Date: Tue, 11 Apr 2006 14:39:51 -0700

On Thu, Apr 06, 2006 at 11:38:48AM -0400, Brian Eaton wrote:
> On 4/5/06, Crispin Cowan <crispin () novell com> wrote:
> > Pascal Meunier wrote:
> > >  but as you posted an example profile with "capability setuid", I must
> > > admit I am curious as to why an email client needs that.
> > Well now that is a very good question, but it has nothing to do with
> > AppArmor. The AppArmor learning mode just records the actions that the
> > application performs. With or without AppArmor, the Thunderbird mail
> > client is using cap_setuid. AppArmor gives you the opportunity to *deny*
> > that capability, so you can try blocking it and find out. But for
> > documentation on why Thunderbird needs it, you would have to look at
> > mozilla.org not the AppArmor pages.
>
> Does cap_setuid give a program enough authority to break out of the
> AppArmor profile?

No.  AppArmor's profile will confine a process the same no matter what the
uid is (including root).  When a confined program changes its uid the
apparmor profile persists and continues to confine the program the same as
it did under the old uid.

Note that there may be a change in what can be accessed because of DAC
(standard unix permission checking).  DAC permissions are checked before
apparmor's profile so it can be used to reduce permissions to a subset of
what is allowed by the apparmor profile.

john


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
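
Added example, not part of the original message and not a profile shipped by AppArmor or Mozilla: a constructed profile in current AppArmor syntax illustrating the two points in the reply above, that file rules keep applying after a uid change and that the capability can be denied to see whether the program needs it. The binary path, file paths and profile contents are assumptions made for illustration.

```apparmor
# Constructed profile for a hypothetical binary; all paths are placeholders.
#include <tunables/global>

/usr/local/bin/demo-mailer {
  #include <abstractions/base>

  # What learning mode would record if the program calls setuid().
  # Granting this lets the process change uid; it does not lift any
  # of the file rules below.
  capability setuid,

  # To test whether the program really needs the capability, replace
  # the rule above with an explicit denial and watch for failures:
  #   deny capability setuid,

  # File rules are matched by path. Per the reply above they confine
  # the process the same under any uid, root included.
  /etc/demo-mailer.conf r,
  @{HOME}/.demo-mailer/** rw,

  # No rule covers /etc/shadow, so reads of it are refused by the
  # profile before and after setuid(), whatever uid the process holds.

  # DAC is checked before the profile: a file listed here that the new
  # uid cannot open under standard Unix permissions stays inaccessible.
  # The effective access is the subset allowed by both checks.
}
```

After editing, the profile can be reloaded with apparmor_parser -r and the program exercised while watching the audit log for AppArmor denials.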
