On Wed, 19 Apr 2006 17:19:04 PDT, Crispin Cowan said:
> Valdis.Kletnieks@vt.edu wrote:
> > In other words, it's quite possible to accidentally introduce a vulnerability
> > that wasn't exploitable before, by artificially restricting the privs in a way
> > the designer didn't expect. So this is really just handing the sysadmin
> > a loaded gun and waiting.
> >
> While that is true of the voluntary model of acquiring and dropping
> privs, it is not true of AppArmor containment, which will just not give
> you the priv if it is not in your policy.

The threat model is that you can take a buggy application, and constrain its access to priv A in a way that causes a code failure that allows you to abuse an unconstrained priv B.
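
An added illustration of the threat model in the message above, not part of the original post: a C simulation that assumes priv A is the ability to change UID and priv B is a root-only write the policy left unrestricted. `sim_setuid`, `sim_write_root_file` and both handlers are hypothetical names, and no real privileges are touched.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Simulated process state (constructed for this example). */
static uid_t cur_uid = 0;             /* process starts as root */
static int policy_allows_setuid = 0;  /* 0 = confinement withholds priv A */

/* Hypothetical stand-in for setuid(2): when the policy withholds priv A,
 * the call fails and the process keeps its current (root) identity. */
static int sim_setuid(uid_t uid) {
    if (!policy_allows_setuid) { errno = EPERM; return -1; }
    cur_uid = uid;
    return 0;
}

/* Priv B: an action only root may perform, not restricted by the policy.
 * Returns 1 if the write would succeed, 0 if it is refused. */
static int sim_write_root_file(void) { return cur_uid == 0; }

/* Fragile: the designer assumed dropping privileges can never fail. */
static int handle_request_unchecked(uid_t user) {
    sim_setuid(user);              /* failure is silently ignored */
    return sim_write_root_file();  /* runs with whatever uid is in effect */
}

/* Hardened: fail closed if the drop fails, and verify the resulting uid. */
static int handle_request_checked(uid_t user) {
    if (sim_setuid(user) != 0 || cur_uid != user)
        return -1;                 /* refuse to serve the request */
    return sim_write_root_file();
}

int main(void) {
    printf("priv A denied, unchecked: root write %s\n",
           handle_request_unchecked(1000) == 1 ? "SUCCEEDS" : "refused");
    printf("priv A denied, checked:   result %d (request aborted)\n",
           handle_request_checked(1000));
    policy_allows_setuid = 1;
    printf("priv A granted, checked:  root write %s\n",
           handle_request_checked(1000) == 1 ? "SUCCEEDS" : "refused");
    return 0;
}
```

Code that checks every privilege-changing call and aborts on failure turns the denial of priv A into a denial of service rather than an escalation through priv B.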