:: Re: [DNG] What does this remind you…
Page principale
Supprimer ce message
Répondre à ce message
Auteur: Dr. Nikolaus Klepp
Date:  
À: dng
Sujet: Re: [DNG] What does this remind you of?
Anno domini 2021 Sun, 7 Mar 19:18:42 +0100
tito via Dng scripsit:
> On Sun, 7 Mar 2021 19:11:18 +0100
> "dng@???" <dng@???> wrote:
>
> > On 07-03-2021 18:20, tito via Dng wrote:
> > > On Sun, 7 Mar 2021 18:03:30 +0100
> > > Antony Stone <Antony.Stone@???> wrote:
> > >
> > >> On Sunday 07 March 2021 at 17:59:22, Steve Litt wrote:
> > >>
> > >>> See this web page:
> > >>>
> > >>> https://en.wikipedia.org/wiki/Anti-pattern
> > >>>
> > >>> I'd say at least half of the listed anti-patterns are used by
> > >>> systemd.
> > >> Very nice.
> > >>
> > >> Antony.
> > >>
> > > Hi,
> > > this makes me think of the times when you could startx
> > > with IceWM on a 1.44 floppy disk. That was simplicity
> > > and to a certain extent poetry. I personally would scrap:
> > > dbus
> > > consolekit
> > > packagekit
> > > policykit
> > > systemd
> > > apparmor
> > > selinux
> > > I am sure I've forgot some other garbage.
> > >
> > > P.S.: I'm open to new technologies......
> > > when they follow a simple rule: less code is better
> > > as I can understand only as much code as fits
> > > onto my screen.
> > >
> > > Ciao,
> > > Tito
> >
> > Hi,
> >
> > Mostly agree with you and in its current state apparmor belongs to
> > this list. In the same time I like the idea of apparmor in limiting
> > apps behavior. It could be most useful if implemented correctly.
> >
> > Grtz.
> >
> > Nick
> >
> >
>
> Hi,
> I doubt this could be ever implemented correctly as you have to check
> every code path of every app you will armorize or as soon as your usage
> diverges from what the distro gurus have envisioned your program
> will stop working without even a warning.
> Next then we will need a uber-apparmor that checks apparmor safety
> and anyway more code more bugs less security. Why not fix the existing
> programs instead?


The point is to delegate access control to a higher instance e.g. kernel. The problem is, that apparmor looks at a program from the the outside and tries to do the right thing with that black box - or what the profiles provider thought was the right thing.

OpenBSD has quite an interesting aproach with unveil ( https://man.openbsd.org/unveil.2 ) and pledge ( https://man.openbsd.org/pledge ). The programmer itself takes care what the program will use and tells the system that what e.g. access privileges it does not want to use from now on. That's the look at the world from the inside, no black box involved. If you droped things, you can never get them back, so evil hackers code is confined inside the same cage.


Nik

>
> Ciao,
> Tito
>
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
>




--
Please do not email me anything that you are not comfortable also sharing with the NSA, CIA ...