Mod parent up. It is correct and informative. Emperor Linux has been a part of the Linux community for years, selling laptops with Linux pre-installed and drivers configured to work.
I've never watched "The Sopranos" BTW, it's just that I'm interested in these kinds of stories,
Ah. Well then, to clarify WtF people are talking about, the Soprano's ended with an ambiguous ending. It suggested that Tony was about to be shot by an assassin, but in a really vague way, so it could have been totally innocent. Then just when you might expect some resolution, the screen literally goes black.
IMHO, this is precisely the kind of BS that hack writers use to make their story seem more profound than it really is; spent all this time on build-up, can't decide how to end it, so hack some ambiguous crap that "lets the reader/viewer decide for themselves", i.e. punt and give up.
I'd make some analogy to code, but I can't think of one because code doesn't seem to have the same need for resolution that drama does. So it is like an Olympic ski jumper doing an awesome back flip of a jump, and then failing to stick the landing. Or just not bothering to show the landing, the way a lot of snowboard videos do:-)
Not at all, setcon() has been around for a long time it's just not advertised/used for this case explicitly because it's not secure. The fact you added a stupid cookie value doesn't make change_hat secure, and the fact you are advocating it as secure means that it's insecurity is a bug.
So, setcon() is more secure than change_hat() because you don't use it and don't document it?:-)
But, as I said, do they those profiles do anything useful. With SELinux you can have firefox allowed to write files everywhere you can, but they'll be labeled firefox_net_untrusted_t or whatever. You won't be allowed to overwrite files that haven't been previously downloaded from firefox, you can disable exec privilages on downloaded executables etc. etc. AIUI AppArmor can do none of this "higher level, useful, things" all it can do is blanket "firefox can't write files in ~/home, etc.".
That is actually kind of neat. You're correct, AppArmor cannot do that. At best, you could restrict Firefox to saving files in your Downloads directory or something.
Question: how would the SELinux user make a file downloaded via Firefox be 'useful'? If it is labeled firefox_net_untrusted_t then no sane program will trust it. Purist tranquility requires that you shut down to re-label, and non-purist at least requires super-user and unconfined_t to re-label. So how do you recommend a user to download something and then use it?
The AppArmor equivalent of this is to 'reclassify' your downloaded objects by moving them from your Download folder to some other place, where other programs are allowed to access it.
Of course it makes sense, as long as you continually advocate that the "best" way to generate policies is to run applications and allow them to do everything that they are doing... that isn't confinment.
That is pure BS. AppArmor allows you to write your profiles by hand, or via the learning tool, and to interleave the two. SELinux also allows both hand-authored policies or audit-to-allow generated policies, so the security confinement of each system is identical with respect to 'WtF?' behavior of applications.
The main difference is that AppArmor's learning mode actually works well:) Audit-to-allow only works to the extent that the admin has already constructed an effective labeling scheme. The fact that AppArmor's lerning mode is effective enough to actually be attractive doesn't make the model any less secure, or even any different, than SELinux with respect to quirky application behavior. The fact remains that Thunderbird asks for setuid, it is up to the policy author to decide whether to allow that, and you would have to ask the Thunderbird dev. team why they did that. But blaming AppArmor for this behavior in Thunderbird is just specious.
The upstream effort is under way. The delay is because it is hard work; upstreaming has sucked up several man years of effort so far. It has also produced substantial improvements in the code, so it is not wasted effort, but it is a lot of effort, and not surprising that it takes a while. It took SELinux a while too, and they didn't have to contend with AppArmor advocates complaining about their model:)
AS for distros, AppArmor is included in SUSE and Ubuntu; 2 of the 3 leading distros is not bad. Packages are additionally available for Slackware, Red Hat, and some specialty distributions. This could be better, but AppArmor is availabel to a lot of people now.
change_hat is not a feature... it's a horrible bug, real security solutions like SELinux have explicitly rejected bugs like this. Please don't pretend you've done something useful. More unsubstantiated opinion.
change_hat() is very useful. It is the only technique I am aware of that can useufully confine mod_perl and mod_php code. We stipulate that hats are less secure than full process profiles, but escaping a hat requires the presence of very particular classes of vulnerabilities, and at most it gets you to the containing process profile.
Do you plan on shipping Firefox with a useful profile that will stop it doing this? We do ship Firefox profiles with every SUSE release. You'll find them in/etc/apparmor/profiles/extras
Also have you at least worked out why AppArmor thinks thunderbird needs setuid()? SELinux advocates love to throw that at me, but it makes no sense. If you want to know wny Thunderbird, or any given application, does a silly thing, go ask the developers of that program. AppArmor just faithfully noted that it did it. How is this a problem with AppArmor?
AppArmor in learning mode is actually quite good at generating 'WtF?' moments as you observe what your software is doing. This is a strength of AppArmor, not a defect.
AppArmor does not require you to disable AppArmor to install something. Notably, AppArmor's equivalent of 'permissive' mode (called 'complain') is per-profile, not system-wide, so you can do permissive learning on a new application while leaving others secured.
Can you confirm that the situation is still like you described? I have no clue at all (been using openSUSE for less than a month now), but I won't take any advise from anyone who points to a year old article about a project under active (heavy) development. Welcome to openSUSE! Have a lot of fun:-)
The one fact in his review that was correct is that AppArmor does not currently do network access control. We are working on a network access control, so you will be able to specify, per profile, if the program gets to do various network activities, e.g. sshd can talk to eth0 (the private LAN) but not eth1 (the public Internet), or Apache can accept connections from any IP address, but can only initiate connections to 10.0.0.0/24 (private backend servers).
Join irc.oftc.net/#apparmor for real time discussion of future AppArmor features.
That review is pretty thin, and IMHO quite biased. You give a very short description of what AppArmor does, and then assert (without foundation) that it there are not many scenarios where it gives a reasonable security improvement. I beg to differ:
Any network service (Apache, Sendmail, BIND, etc.) if compromised by a remote exploit, can give the attacker a local shell, an easy stepping stone to control of the machine. AppArmor confinement blocks this.
Web applications, such as things like PHP Nuke, can often be induced to load PHP code from some other server and run it. AppArmor's unique change_hat confinement can block this, providing AppArmor-style confinement for entities as small as a single PHP page, even though it never appeared in the kernel process table.
Any network client (Firefox, Thunderbird, Gaim/Pidgin, etc.) can be compromised by remote vulnerabilities and malicious content, giving the attacker total control of your user account. AppArmor confinement of your clients makes it safe to e.g. IRC to strangers.
So to claim that there aren't many is just wrong. Perhaps you meant that the security improvement was not reasonable? It may not cover everything that you want, but what is unreasonable about blocking takeover?
The main disadvantage of AppArmor is that it relies on file paths, not the inodes. All you need to do is be able to create a hard link in the right directory to get around it.
This is a mis-understanding of the AppArmor model. AppArmor confines the processes you tell it to, you are to confine any process that you think might be a threat. Therefore if some process made such a hard link, it is because you either left it unconfined, or you explicitly gave it permission to make such a hard link.
You are not "getting around" AppArmor, it is doing exactly what you told it to. This is a common complaint from people who have read about AppArmor, but never used it. It does not happen in practice.
They can have my TiVo when they pry it from my cold dead hands.
Apple TV, from all the reports I've read, sounds spectacularly weak. I don't expect it to ever succeed.
Conjecture: "Apple TV" is the Newton of Apple's play into the convergence market. A cute idea, nice try, but they totally blew it. Apple will likely go back to the lab and come out with something that doesn't suck so much, just as they did with the iPod.
Sure, but I consider C++ to be an abomination that needs to be wiped from the Earth: it gives you the safety of C, and the peformance of Smalltalk:)
C is an appropriate language for systems programming, and for high performance/small footprint applications where every last byte of memory and cycle of compute matters.
Statically type-safe languages like Java, C#, ML, and Haskall, are appropriate where space and time are less tight, but correctness matters. Like, it would be nice if your desktop applications didn't bomb:)
C++ is a gross kludge that gives you the appearance of type safety, but doesn't really deliver it. Similarly, you work hard to program in a tight language that is C-like, and then C++ bloats it out and hands you huge, slow executables. IMHO C++ is not appropriate for anything at all.
"offtopic"? WtF? Ok, apparently that wasn't enough said. Ada was developed by the DoD precisely because they wanted to have one programming language for the entire US department of defense. Naturally this was a massive undertaking. The programming language had to be all things to all people, and thus grew very, very large.
The problem with this large programming language is that it is so complex that most programmers can't know all of it, and they only use a part of it. That, in turn, becomes a problem whe two sequential developers on the same piece of code know different parts of the language, and the second developer can't read the first developer's code.
It also produces a few problems in trying to build a correct, compliant compiler:)
So the point here is that "standardizing on one language" has been tried before, and it was a huge flop.
I don't understand what is unclear. The detailed description spends six paragraphs explaining how and why mediation is done in the kernel and not at other layers. It also goes into considerable detail on how the static analysis and dynamic learning tools mean that you do not have to write out long lists of what files each program can use; the software does that for you. That is what makes it "easy to use."
You do not have to "wait for all the apps to catch up." Anyone can create a profile for an application, all you need is a decent use case for the application. You do not need to modify the application at all.
IMHO, it is not so strange that the security policy for an application comse from the provider of the application. Consider that without AppArmor, you are completely trusting the application provider, because the application can do absolutely anything the invoking user can do. Providing an AppArmor profile means that you have an explicit declaration of what the application is permitted to do.
You can even edit it to suit your taste, if you like. For instance, it annoys the crap out of me that Adobe Acrobat actually supports embedded Javascript inside PDF documents. This annoys me because vendors embed Javascript inside documents that act like web-bugs, reporting back to the vendor each time you open the document! Eww! So the Acrobat profile on my personal workstation has been hacked to not provide access to Javascript libraries to the Acrobat program, thus depriving spyware PDF files of the opportunity to execute and squeel on me.
The reason the numbers are so different is that they are apples and grapes: different sized units. Lumping all of Linux and UNIX together into a single category distorts the data. The fact that Solaris or AIX had some defect does not affect Linux and *BSD systems. Putting all their union set of vulnerabilities into a single bucket makes the UNIX/Linux crowd look much more vulnerable than it is. FUD FUD FUD.
Another issue is that most Linux distro's ship a LOT of application code, like 2000 to 6000 packages, which is waaaay more than Microsoft ships with Windows. That there is an "OS" vulnerability for some rarely used application in a large Linux distro is just not comparable to the smaller set of code that Microsoft is willing to take responsibility for.
It is just irresponsible for CERT to be publishing distored numbers like this.
That Kzinti can be ripped off badly does not surprise me:)
I kind of disagree about Lucas; the problem with Jar Jar and company in TPM is the crappy writing not the CG.
For Stephenson, the stuff I think would be good choices would be his earlier books, before he started to suck:) Zodiac would be the easiest to produce, because the setting is just contemporary. It isn't even really SF, just a slightly imaginative contemporary thriller a la Tom Clancy. Snowcrash and Diamond Age would be great movies, but more expensive to produce.
The Baroque Cycle? Hell no. Those books are sooooooooooo over written, long, and boring. That would be so dull it would make me wish I was watching Earthsea:)
I couldn't stand to watch it,and turned it off after about 30 minutes.
But I'm unsure who to blame; the director, or Le Guin? Because it sure did feel a lot like her books, which bore me to tears. I know there are a lot of Le Guin fans out there; to each their own.
Now, when is someone going to make a movie from a Stephenson book? Or Niven? C'mon, finding great SF to make movies from is easy, and getting easier. I submit that CGI recently got to the point where you could make a really good Kzin movie.
I'm still asking why you have not installed OOo instead of upgrading Office. THAT document shoud open correctly within OOo.
Try to pay attention:) I do have OOo installed, I have used it extensively, and it sucks so bad that I find it unusable, and prefer to switch back to PP97. But now, because someone is using OO in my organization, I can no longer use PP97 and so I have to go get PP2003.
This isn't an argument against OOo; it's an argument against PowerPoint97. (Consider that basically the same thing could have happened if your colleague had been using Office 2003.)
Except that it did not happen. Another collegue in this office does use PP2003, and no such problem ever occurred. OpenOffice was defnitely the element that abrupty introducted the compatibility problem that made PP97 suddenly obsolete.
I figured that too:) The interesting point is that the inclusion of this feature not supported by PowerPoint97 resulted in, effectively, a hard to erradicate virus running around our office that motivates people to upgrade to Microsoft Office 2003.
I'm curious why people have bothered to upgrade MS Office past 97 or 2000 at all.
Good question. I am still running Office 97 (on VMware on my Linux laptop) and until very recently I had no motive at all to upgrade. The new motive: OpenOffice.
"WtF?!" you might ask:) A collegue tried switching to OpenOffice. We got into swapping a PowerPoint document back and forth, and at some point I started getting.ppt files that PowerPoint97 could not open, claiming that the file had been created by a future version of PowerPoint. So something is broken in OpenOffice's "export to PowerPoint" that is emitting files that PowerPoint97 cannot read.
Oh, the irony. Forced to upgrade to Office 2003 because someone in my organization tried OpenOffice:(
I love the open document format concept. I think it is vitally important. I can't believe that enterprises and governments are willing to store critical archival documents in Microsoft Office format, and put them selves at risk of being unable to open these documents as little as 10 years hence.
However I have tried hard to switch to OpenOffice. Even our business people have tried to use it. And the sad truth is that it just sucks. There is no way in hell that OpenOffice competes with Microsoft Office for usability. The PowerPoint clone is especially weak: in PP, common buttons like "make the font bigger" are prominently displayed, while in OO you have to hunt hard for the button in the customization menus, and even then it doesn't work right.
This is not to say that OO is not a valuable asset. Clearly a lot of people have worked hard on it. But don't kid ourselves, this beast has a long way to go yet just to compete with MS Office 97, never mind 2003.
Slashdot Mirror
Mod parent up. It is correct and informative. Emperor Linux has been a part of the Linux community for years, selling laptops with Linux pre-installed and drivers configured to work.
IFC is owned by Rainbow Media Holdings, Inc. which is a conglomerate that also owns AMC among other things.
Sundance Channel is owned jointly by Showtime, Universal Studios, and Robert Redford.
Ah. Well then, to clarify WtF people are talking about, the Soprano's ended with an ambiguous ending. It suggested that Tony was about to be shot by an assassin, but in a really vague way, so it could have been totally innocent. Then just when you might expect some resolution, the screen literally goes black.
IMHO, this is precisely the kind of BS that hack writers use to make their story seem more profound than it really is; spent all this time on build-up, can't decide how to end it, so hack some ambiguous crap that "lets the reader/viewer decide for themselves", i.e. punt and give up.
I'd make some analogy to code, but I can't think of one because code doesn't seem to have the same need for resolution that drama does. So it is like an Olympic ski jumper doing an awesome back flip of a jump, and then failing to stick the landing. Or just not bothering to show the landing, the way a lot of snowboard videos do :-)
So, setcon() is more secure than change_hat() because you don't use it and don't document it? :-)
But, as I said, do they those profiles do anything useful. With SELinux you can have firefox allowed to write files everywhere you can, but they'll be labeled firefox_net_untrusted_t or whatever. You won't be allowed to overwrite files that haven't been previously downloaded from firefox, you can disable exec privilages on downloaded executables etc. etc. AIUI AppArmor can do none of this "higher level, useful, things" all it can do is blanket "firefox can't write files in ~/home, etc.".That is actually kind of neat. You're correct, AppArmor cannot do that. At best, you could restrict Firefox to saving files in your Downloads directory or something.
Question: how would the SELinux user make a file downloaded via Firefox be 'useful'? If it is labeled firefox_net_untrusted_t then no sane program will trust it. Purist tranquility requires that you shut down to re-label, and non-purist at least requires super-user and unconfined_t to re-label. So how do you recommend a user to download something and then use it?
The AppArmor equivalent of this is to 'reclassify' your downloaded objects by moving them from your Download folder to some other place, where other programs are allowed to access it.
Of course it makes sense, as long as you continually advocate that the "best" way to generate policies is to run applications and allow them to do everything that they are doingThat is pure BS. AppArmor allows you to write your profiles by hand, or via the learning tool, and to interleave the two. SELinux also allows both hand-authored policies or audit-to-allow generated policies, so the security confinement of each system is identical with respect to 'WtF?' behavior of applications.
The main difference is that AppArmor's learning mode actually works well :) Audit-to-allow only works to the extent that the admin has already constructed an effective labeling scheme. The fact that AppArmor's lerning mode is effective enough to actually be attractive doesn't make the model any less secure, or even any different, than SELinux with respect to quirky application behavior. The fact remains that Thunderbird asks for setuid, it is up to the policy author to decide whether to allow that, and you would have to ask the Thunderbird dev. team why they did that. But blaming AppArmor for this behavior in Thunderbird is just specious.
AS for distros, AppArmor is included in SUSE and Ubuntu; 2 of the 3 leading distros is not bad. Packages are additionally available for Slackware, Red Hat, and some specialty distributions. This could be better, but AppArmor is availabel to a lot of people now.
change_hat() is very useful. It is the only technique I am aware of that can useufully confine mod_perl and mod_php code. We stipulate that hats are less secure than full process profiles, but escaping a hat requires the presence of very particular classes of vulnerabilities, and at most it gets you to the containing process profile.
Do you plan on shipping Firefox with a useful profile that will stop it doing this? We do ship Firefox profiles with every SUSE release. You'll find them inAppArmor in learning mode is actually quite good at generating 'WtF?' moments as you observe what your software is doing. This is a strength of AppArmor, not a defect.
AppArmor does not require you to disable AppArmor to install something. Notably, AppArmor's equivalent of 'permissive' mode (called 'complain') is per-profile, not system-wide, so you can do permissive learning on a new application while leaving others secured.
The one fact in his review that was correct is that AppArmor does not currently do network access control. We are working on a network access control, so you will be able to specify, per profile, if the program gets to do various network activities, e.g. sshd can talk to eth0 (the private LAN) but not eth1 (the public Internet), or Apache can accept connections from any IP address, but can only initiate connections to 10.0.0.0/24 (private backend servers).
Join irc.oftc.net/#apparmor for real time discussion of future AppArmor features.
- Any network service (Apache, Sendmail, BIND, etc.) if compromised by a remote exploit, can give the attacker a local shell, an easy stepping stone to control of the machine. AppArmor confinement blocks this.
- Web applications, such as things like PHP Nuke, can often be induced to load PHP code from some other server and run it. AppArmor's unique change_hat confinement can block this, providing AppArmor-style confinement for entities as small as a single PHP page, even though it never appeared in the kernel process table.
- Any network client (Firefox, Thunderbird, Gaim/Pidgin, etc.) can be compromised by remote vulnerabilities and malicious content, giving the attacker total control of your user account. AppArmor confinement of your clients makes it safe to e.g. IRC to strangers.
So to claim that there aren't many is just wrong. Perhaps you meant that the security improvement was not reasonable? It may not cover everything that you want, but what is unreasonable about blocking takeover?This is a mis-understanding of the AppArmor model. AppArmor confines the processes you tell it to, you are to confine any process that you think might be a threat. Therefore if some process made such a hard link, it is because you either left it unconfined, or you explicitly gave it permission to make such a hard link.
You are not "getting around" AppArmor, it is doing exactly what you told it to. This is a common complaint from people who have read about AppArmor, but never used it. It does not happen in practice.
They can have my TiVo when they pry it from my cold dead hands.
Apple TV, from all the reports I've read, sounds spectacularly weak. I don't expect it to ever succeed.
Conjecture: "Apple TV" is the Newton of Apple's play into the convergence market. A cute idea, nice try, but they totally blew it. Apple will likely go back to the lab and come out with something that doesn't suck so much, just as they did with the iPod.
Crispin
C is an appropriate language for systems programming, and for high performance/small footprint applications where every last byte of memory and cycle of compute matters.
Statically type-safe languages like Java, C#, ML, and Haskall, are appropriate where space and time are less tight, but correctness matters. Like, it would be nice if your desktop applications didn't bomb :)
C++ is a gross kludge that gives you the appearance of type safety, but doesn't really deliver it. Similarly, you work hard to program in a tight language that is C-like, and then C++ bloats it out and hands you huge, slow executables. IMHO C++ is not appropriate for anything at all.
Compared to C++, Ada is just wonderful :)
Crispin
The problem with this large programming language is that it is so complex that most programmers can't know all of it, and they only use a part of it. That, in turn, becomes a problem whe two sequential developers on the same piece of code know different parts of the language, and the second developer can't read the first developer's code.
It also produces a few problems in trying to build a correct, compliant compiler :)
So the point here is that "standardizing on one language" has been tried before, and it was a huge flop.
Crispin
'nuff said :)
You do not have to "wait for all the apps to catch up." Anyone can create a profile for an application, all you need is a decent use case for the application. You do not need to modify the application at all.
IMHO, it is not so strange that the security policy for an application comse from the provider of the application. Consider that without AppArmor, you are completely trusting the application provider, because the application can do absolutely anything the invoking user can do. Providing an AppArmor profile means that you have an explicit declaration of what the application is permitted to do.
You can even edit it to suit your taste, if you like. For instance, it annoys the crap out of me that Adobe Acrobat actually supports embedded Javascript inside PDF documents. This annoys me because vendors embed Javascript inside documents that act like web-bugs, reporting back to the vendor each time you open the document! Eww! So the Acrobat profile on my personal workstation has been hacked to not provide access to Javascript libraries to the Acrobat program, thus depriving spyware PDF files of the opportunity to execute and squeel on me.
Crispin
Another issue is that most Linux distro's ship a LOT of application code, like 2000 to 6000 packages, which is waaaay more than Microsoft ships with Windows. That there is an "OS" vulnerability for some rarely used application in a large Linux distro is just not comparable to the smaller set of code that Microsoft is willing to take responsibility for.
It is just irresponsible for CERT to be publishing distored numbers like this.
Crispin
Crispin
I kind of disagree about Lucas; the problem with Jar Jar and company in TPM is the crappy writing not the CG.
For Stephenson, the stuff I think would be good choices would be his earlier books, before he started to suck :) Zodiac would be the easiest to produce, because the setting is just contemporary. It isn't even really SF, just a slightly imaginative contemporary thriller a la Tom Clancy. Snowcrash and Diamond Age would be great movies, but more expensive to produce.
The Baroque Cycle? Hell no. Those books are sooooooooooo over written, long, and boring. That would be so dull it would make me wish I was watching Earthsea :)
Crispin
But I'm unsure who to blame; the director, or Le Guin? Because it sure did feel a lot like her books, which bore me to tears. I know there are a lot of Le Guin fans out there; to each their own.
Now, when is someone going to make a movie from a Stephenson book? Or Niven? C'mon, finding great SF to make movies from is easy, and getting easier. I submit that CGI recently got to the point where you could make a really good Kzin movie.
Crispin
Crispin
Crispin
Crispin
"WtF?!" you might ask :) A collegue tried switching to OpenOffice. We got into swapping a PowerPoint document back and forth, and at some point I started getting .ppt files that PowerPoint97 could not open, claiming that the file had been created by a future version of PowerPoint. So something is broken in OpenOffice's "export to PowerPoint" that is emitting files that PowerPoint97 cannot read.
Oh, the irony. Forced to upgrade to Office 2003 because someone in my organization tried OpenOffice :(
Crispin
However I have tried hard to switch to OpenOffice. Even our business people have tried to use it. And the sad truth is that it just sucks. There is no way in hell that OpenOffice competes with Microsoft Office for usability. The PowerPoint clone is especially weak: in PP, common buttons like "make the font bigger" are prominently displayed, while in OO you have to hunt hard for the button in the customization menus, and even then it doesn't work right.
This is not to say that OO is not a valuable asset. Clearly a lot of people have worked hard on it. But don't kid ourselves, this beast has a long way to go yet just to compete with MS Office 97, never mind 2003.
Crispin
Crispin