| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1161884706.16681.270.camel@moss-spartans.epoch.ncsc.mil>
Date: Thu, 26 Oct 2006 13:45:06 -0400
From: Stephen Smalley <sds@...ho.nsa.gov>
To: David Howells <dhowells@...hat.com>
Cc: aviro@...hat.com, linux-kernel@...r.kernel.org,
selinux@...ho.nsa.gov, chrisw@...s-sol.org, jmorris@...ei.org
Subject: Re: Security issues with local filesystem caching
On Thu, 2006-10-26 at 18:09 +0100, David Howells wrote:
> > and prior to creating a file within the cache, it would set the current
> > fscreate attribute (via a security hook call) to that per-cache value, in
> > much the same way it is presently setting the fsuid/fsgid.
>
> That sounds reasonable. There has to be some way to revert it, though.
Yes, that can be done. See below.
> > The fscreate attribute is normally set via the security_setprocattr hook
> > (when a task writes to /proc/self/attr/fscreate);
>
> That makes it sound like fscreate is a per-process attribute, not a per-thread
> attribute. The former would definitely be a problem.
It is actually per-task (thread), sorry for the confusing reference
to /proc/self.
> > You may also want to convert the context value to a secid once when it is
> > first configured, and then later just pass the secid to the hook call for
> > setting the fscreate value for efficiency.
>
> I'm not sure what you mean by that. Can you give a pseudo-code example?
When the daemon writes the context value (a string) to the cachefiles
module interface for a given cache, the cachefiles module would do
something like the following:
/* Map the context to an integer. */
rc = security_secctx_to_secid(value, size, &secid);
if (rc)
goto err;
/* Check permission of current to set this context. */
rc = security_cache_set_context(secid);
if (rc)
goto err;
cache->secid = secid;
SELinux would then provide selinux_secctx_to_secid() and
selinux_cache_set_context() implementations; the former would just be
call to selinux_string_to_sid(), while the latter would require some new
permission check to be defined unless we can treat this as equivalent to
some existing operation. You'll find that there is already a
security_secid_to_secctx() hook defined for LSM, so the first hook just
adds the other direction.
Later, when going to create a file in that cache, the cachefiles module
would do something like:
/* Save and switch the fs secid for creation. */
fssecid = security_getfssecid();
security_setfssecid(cache->secid);
<create file>
/* Restore the original fs secid. */
security_setfssecid(fssecid);
SELinux would then provide selinux_getfsecid() and selinux_setfssecid()
implementations that are just:
u32 selinux_getfssecid(void)
{
struct task_security_struct *tsec = current->security;
return tsec->create_sid;
}
void selinux_setfssecid(u32 secid)
{
struct task_security_struct *tsec = current->security;
tsec->create_sid = secid;
}
--
Stephen Smalley
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists