lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Aug 2006 13:35:56 -0700 From: Kylene Jo Hall <kjhall@...ibm.com> To: Benjamin LaHaise <bcrl@...ck.org> Cc: linux-kernel <linux-kernel@...r.kernel.org>, LSM ML <linux-security-module@...r.kernel.org>, Dave Safford <safford@...ibm.com>, Mimi Zohar <zohar@...ibm.com>, Serge Hallyn <sergeh@...ibm.com> Subject: Re: [PATCH 3/7] SLIM main patch On Wed, 2006-08-23 at 15:27 -0400, Benjamin LaHaise wrote: > On Wed, Aug 23, 2006 at 12:05:37PM -0700, Kylene Jo Hall wrote: > > +/* > > + * Called with current->files->file_lock. There is not a great lock to grab > > + * for demotion of this type. The only place f_mode is changed after install > > + * is in mark_files_ro in the filesystem code. That function is also changing > > + * taking away write rights so even if we race the outcome is the same. > > + */ > > +static inline void do_revoke_file_wperm(struct file *file, > > + struct slm_file_xattr *cur_level) > > +{ > > + struct inode *inode; > > + struct slm_isec_data *isec; > > + > > + inode = file->f_dentry->d_inode; > > + if (!S_ISREG(inode->i_mode) || !(file->f_mode && FMODE_WRITE)) > > + return; > > + > > + isec = inode->i_security; > > + spin_lock(&isec->lock); > > + if (is_lower_integrity(cur_level, &isec->level)) > > + file->f_mode &= ~FMODE_WRITE; > > + spin_unlock(&isec->lock); > > +} > > This function does not do what you claim or hope it is supposed to do. > Looking at the races (you do nothing to shoot down writes that are in > progress) present, this does not instill confidence in the rest of the > code (as always seems to be the case with new security frameworks or > patches). Cheers, > This function is called in the process of authorizing the current process to do something which would remove its right to write to the given file. So it hasn't done anything at the lower integrity level yet and therefore if a write gets through it can't possibly be of low integrity data. Example: The current process is running at the USER level and writing to a USER file in /home/user/. The process then attempts to read an UNTRUSTED file. The current process will become UNTRUSTED and the read allowed to proceed but first write access to all USER files is revoked including the ones it has open. Thanks, Kylie > -ben - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists