Date:	Thu, 10 Jun 2010 21:07:37 +0900
From:	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To:	linux-security-module@...r.kernel.org
Cc:	linux-kernel@...r.kernel.org
Subject: [PATCH 0/4] TOMOYO: Add conditional ACL support.

James Morris wrote:
> On Wed, 9 Jun 2010, Tetsuo Handa wrote:
> 
> > This patch allows users to check argv[]/envp[] for execve() operation.
> > 
> > This patch allows users to check caller task's uid/gid etc. for each operation.
> 
> >  10 files changed, 1615 insertions(+), 96 deletions(-)
> 
> This is a huge patch, and I think it warrants more than two sentences of 
> changelog.
> 
> It'd be great to have some explanation of what these features are about in 
> terms of the security model, e.g. what threats do they address?
> 
> Also, this code needs wider technical review, to ensure it's being done 
> the best way.
> 
> It might help to cc: linux-kernel with your patches.

I see. Reposting as a patchset.



Xattr-based security (e.g. SELinux/Smack) is good at isolating information
because the access decision is not affected unless the xattr on the inode changes.
But I know that the xattr parameter cannot control for what purposes information
is used if access is granted. I consider using information for purposes other
than the original intent to be a security threat. Therefore, I implemented a
parameter-based security (i.e. TOMOYO) which deals with the parameters that
affect for what purposes information is used.

A change of filename can change how the file is used. For example, renaming
/var/www/html/index.txt to /var/www/html/.htaccess makes Apache handle the file
differently. Therefore, TOMOYO restricts the string parameters that cause a change
of filename (e.g. link(), rename(), mount()). This was done in Linux 2.6.34.

A change of DAC permissions can change how the file is used. For example,
removing the execute bit from /sbin/init will make the system unbootable.
For example, adding the group-writable bit or world-writable bit to
~/.ssh/authorized_keys will make the SSH server refuse to use the file (even if
write access to ~/.ssh/authorized_keys by a non-owner is forbidden by MAC
permissions). Therefore, TOMOYO restricts numeric parameters (e.g. chmod(),
chown()). This will be done in Linux 2.6.36, as the code is now in the
linux-next tree.

Although an in-kernel access control mechanism cannot deal with all of the
parameters which affect for what purposes information is used, argv[]/envp[]
and a symlink's target are among the parameters which an in-kernel access
control mechanism can deal with. This patchset implements the following:

[1/4] Add caller task's credential condition support.
[2/4] Add argv[]/envp[] condition support.
[3/4] Add symlink's target condition support.
[4/4] Remove alias support.

Regards.