:: Re: [DNG] Apparmor Excalibur issues
Author: Didier Kryn
Date:  
To: Dng
Subject: Re: [DNG] Apparmor Excalibur issues
On 24/02/2026 at 14:17, sawbona@??? wrote:
>> Pledge: Pledge is the OpenBSD
>> ... fine-grained configuration of permissions is set by the program
>> itself instead of invisible executable file attributes.
> This would seem to be a good start.
>
>> Landlock:
>> Landlock "restrictions" are set by the program itself, in the same
>> fashion as Pledge, and are inherited by any child process or
>> executed program.
>> ... works by globally denying itself a large set of access rights and then
>> introducing selected exceptions for selected objects.
> At least the owner of the box *knows* what is going on and can work
> on that as needed.
>
> If I understood the half of it (pledge/landlock), it sounds good.
>
> That said, why would anyone need Pledge or Landlock installed by
> default in a desktop box? i.e. like it happens with apparmor,
> selinux, etc.


    Pledge and Landlock do not take control over your system. File
permissions exist to protect the user against other users, but also
against herself/himself. Security features built inside the application
itself by the programmer have a similar role: protect the whole system
against bugs within privileged applications -- there are always bugs.
And, for servers, protect against attacks.

    The author of (e.g.) the mount command must give this application the
root privilege, but doesn't want it to do silly things to the system.
Of course he/she takes care of doing it well, but it is good programming
to enforce the protection of the program against its own bugs by some
contract passed with the kernel. Similarly, some high-level programming
languages feature directives which allow a subprogram source to declare
which variables it intends to modify, and, possibly, the value that some
variables should have at the end. The compiler then verifies that the
instructions to achieve this goal actually match the intention. Be it
with Pledge or Landlock, there is no visible effect on the user; the
program does exactly what it is intended to do; you can just be assured
that it could hardly do harm, even if there was a bug or an attack. This
is built into the program with the help of the kernel, but under program
control and without any mysterious external mechanism.

--     Didier
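As an added illustration of the self-restriction described in this message (example code, not from the thread or from Devuan), the following Python speaks the Linux Landlock ABI directly: a forked child denies itself every filesystem right and then re-allows reading beneath one directory, the deny-everything-then-except pattern quoted above, and reports what it can still open. The syscall numbers and access bits are the kernel's UAPI values for Landlock ABI v1; the scratch directories and file contents are constructed, and on a kernel or sandbox without Landlock the probe reports "unsupported" instead of failing.

```python
import ctypes, os, pathlib, tempfile
# Linux UAPI values (linux/landlock.h, ABI v1); the syscall numbers are arch-independent.
SYS_create_ruleset, SYS_add_rule, SYS_restrict_self = 444, 445, 446
PR_SET_NO_NEW_PRIVS, LANDLOCK_RULE_PATH_BENEATH = 38, 1
ACCESS_FS_ALL_V1 = (1 << 13) - 1      # all 13 filesystem rights of Landlock ABI v1
ACCESS_FS_READ = (1 << 2) | (1 << 3)  # LANDLOCK_ACCESS_FS_READ_FILE | _READ_DIR
libc = ctypes.CDLL(None, use_errno=True)

class RulesetAttr(ctypes.Structure): _fields_ = [("handled_access_fs", ctypes.c_uint64)]

class PathBeneathAttr(ctypes.Structure):
    _pack_ = 1                        # the UAPI struct is __attribute__((packed))
    _fields_ = [("allowed_access", ctypes.c_uint64), ("parent_fd", ctypes.c_int32)]

def restrict_to_readonly(allowed_dir: str) -> bool:
    """Drop every ABI v1 fs right, then re-allow reading beneath allowed_dir; False if no Landlock."""
    attr = RulesetAttr(ACCESS_FS_ALL_V1)
    fd = libc.syscall(SYS_create_ruleset, ctypes.byref(attr), ctypes.sizeof(attr), 0)
    if fd < 0: return False           # ENOSYS/EOPNOTSUPP: the kernel or a seccomp filter says no
    parent = os.open(allowed_dir, os.O_PATH | os.O_CLOEXEC)
    rule = PathBeneathAttr(ACCESS_FS_READ, parent)
    rc = libc.syscall(SYS_add_rule, fd, LANDLOCK_RULE_PATH_BENEATH, ctypes.byref(rule), 0)
    os.close(parent)
    if rc < 0 or libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0:
        return False                  # no_new_privs is mandatory before an unprivileged restrict
    ok = libc.syscall(SYS_restrict_self, fd, 0) == 0   # irreversible; inherited by children and execve
    os.close(fd)
    return ok

def probe_in_child(allowed_dir: str, probe_path: str) -> str:
    """Fork; the child sandboxes itself and reports via its exit code whether probe_path still opens."""
    pid = os.fork()                   # the parent, and so the caller, stays unrestricted
    if pid == 0:
        code = 2                      # 'unsupported' unless Landlock actually gets applied
        if restrict_to_readonly(allowed_dir):
            try:
                os.close(os.open(probe_path, os.O_RDONLY))
                code = 0
            except PermissionError:   # EACCES raised by the Landlock policy
                code = 3
        os._exit(code)
    _, status = os.waitpid(pid, 0)
    return {0: "allowed", 3: "denied", 2: "unsupported"}.get(os.WEXITSTATUS(status), "error")

def demo() -> dict:
    """Constructed input: two scratch directories each holding f.txt; only the first is allowed."""
    inside, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    for d in (inside, outside): pathlib.Path(d, "f.txt").write_text("constructed sample\n")
    return {"inside": probe_in_child(inside, f"{inside}/f.txt"),
            "outside": probe_in_child(inside, f"{outside}/f.txt")}
```

The child can keep reading below the allowed directory while every open elsewhere fails with EACCES, and nothing on the system outside the process notices, which is the point being made about Pledge and Landlock.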