[apparmor] Implicit delegation of deleted files

John Johansen john.johansen at canonical.com
Thu Jul 29 23:22:08 BST 2010


Years ago during the modified vfs hook rewrite of AppArmor, the idea
of implicit delegation for open deleted files was added.  This was
done because the deleted name is not a reliable handle for the object
it used to represent: one, another object may be residing in the
fs with that name at the point the deleted object is revalidated,
and two, the deleted name can be a different name than the object
ever had when it existed.

With the security_path rewrite AppArmor moved back to mediating
files via the deleted path name, with the 2.5 (Lucid) and
2.6 (Maverick) versions providing a profile flag to turn on
implicit delegation.

I propose we drop the implicit delegation of deleted files:
* the implicit delegation flag has never been used
* deleted file name mediation is adequate in that the name given is the
  name the object would have had if it still existed.  The arguments
  for implicit delegation can be rebutted as follows.
  - The name returned is what the object would have had if it wasn't
    deleted, and the revalidation behavior is the same as rename, which
    can also change the object's name after it was opened.
  - The revalidation only occurs at points of passing the opened object,
    so revalidation behavior is consistent with regular access
  - The name overlayed object behavior is weird but consistent.  New
    accesses get the new object with the name.  Old object accesses
    behave as if the old object still existed and hence would be the
    object at the name.  This does not allow any new flow of information
    that would not be allowed if the object was not deleted.
  - Implicit delegation of the object can allow flow of information that
    would not have been allowed if the object still existed*.
    * from a model point this is true however there are several current
      implementation caveats we will ignore for the sake of argument.
* implicit deleted file delegation is a kludge that was put in because
  AA lacked true delegation.  Since we are working towards providing
  true delegation this ability will no longer be needed.
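As an added illustration (not part of the original post) of the "name overlayed object" behaviour argued above, the following Python script, assuming Linux and its /proc/self/fd links, opens a file, deletes it, re-creates the same name and compares what the old handle and the new name each reach:

```python
import os
import tempfile


def run_demo():
    """Open a file, unlink it, re-create the name, and report what each
    handle sees.  Returns a dict so the observations can be checked."""
    with tempfile.TemporaryDirectory() as tmpdir:
        # Constructed sample object; realpath so /proc reports the same string.
        path = os.path.join(os.path.realpath(tmpdir), "target")
        with open(path, "w") as f:
            f.write("old object")

        fd = os.open(path, os.O_RDONLY)
        try:
            old_ino = os.fstat(fd).st_ino
            os.unlink(path)

            # The kernel's name for a deleted-but-open object is the name it
            # would still have, tagged " (deleted)".  This is the "deleted
            # path name" AppArmor mediates against after the security_path
            # rewrite.
            deleted_name = os.readlink(f"/proc/self/fd/{fd}")

            # A new, unrelated object now resides at the old name.
            with open(path, "w") as f:
                f.write("new object")
            new_ino = os.stat(path).st_ino

            # New accesses by name get the new object; accesses through the
            # old handle still reach the old object, as if it still existed.
            old_data = os.pread(fd, 64, 0).decode()
            with open(path) as f:
                new_data = f.read()
        finally:
            os.close(fd)

    return {
        "path": path,
        "deleted_name": deleted_name,
        "old_ino": old_ino,
        "new_ino": new_ino,
        "old_data": old_data,
        "new_data": new_data,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```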
