lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Wed, 23 Aug 2006 13:35:56 -0700
From:	Kylene Jo Hall <kjhall@...ibm.com>
To:	Benjamin LaHaise <bcrl@...ck.org>
Cc:	linux-kernel <linux-kernel@...r.kernel.org>,
	LSM ML <linux-security-module@...r.kernel.org>,
	Dave Safford <safford@...ibm.com>,
	Mimi Zohar <zohar@...ibm.com>, Serge Hallyn <sergeh@...ibm.com>
Subject: Re: [PATCH 3/7] SLIM main patch

On Wed, 2006-08-23 at 15:27 -0400, Benjamin LaHaise wrote:
> On Wed, Aug 23, 2006 at 12:05:37PM -0700, Kylene Jo Hall wrote:
> > +/* 
> > + * Called with current->files->file_lock. There is not a great lock to grab
> > + * for demotion of this type.  The only place f_mode is changed after install
> > + * is in mark_files_ro in the filesystem code.  That function is also changing
> > + * taking away write rights so even if we race the outcome is the same.
> > + */
> > +static inline void do_revoke_file_wperm(struct file *file,
> > +					struct slm_file_xattr *cur_level)
> > +{
> > +	struct inode *inode;
> > +	struct slm_isec_data *isec;
> > +
> > +	inode = file->f_dentry->d_inode;
> > +	if (!S_ISREG(inode->i_mode) || !(file->f_mode && FMODE_WRITE))
> > +		return;
> > +
> > +	isec = inode->i_security;
> > +	spin_lock(&isec->lock);
> > +	if (is_lower_integrity(cur_level, &isec->level))
> > +		file->f_mode &= ~FMODE_WRITE;
> > +	spin_unlock(&isec->lock);
> > +}
> 
> This function does not do what you claim or hope it is supposed to do.  
> Looking at the races (you do nothing to shoot down writes that are in 
> progress) present, this does not instill confidence in the rest of the 
> code (as always seems to be the case with new security frameworks or 
> patches).  Cheers,
> 
This function is called in the process of authorizing the current
process to do something which would remove its right to write to the
given file. So it hasn't done anything at the lower integrity level yet
and therefore if a write gets through it can't possibly be of low
integrity data.

Example: The current process is running at the USER level and writing to
a USER file in /home/user/.  The process then attempts to read an
UNTRUSTED file.  The current process will become UNTRUSTED and the read
allowed to proceed but first write access to all USER files is revoked
including the ones it has open.

Thanks,
Kylie 

> 		-ben

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists