lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <eb97335b0611090939x7afbca7fkb5da56a15f0895c0@mail.gmail.com>
Date:	Thu, 9 Nov 2006 09:39:13 -0800
From:	"Zack Weinberg" <zackw@...ix.com>
To:	"Stephen Smalley" <sds@...ho.nsa.gov>
Cc:	"Chris Wright" <chrisw@...s-sol.org>,
	"Sergey Vlasov" <vsu@...linux.ru>, linux-kernel@...r.kernel.org,
	jmorris@...ei.org
Subject: Re: RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg

On 11/9/06, Stephen Smalley <sds@...ho.nsa.gov> wrote:
> Unless I missed something, your plan above would disable SELinux
> syslog-related permission checking upon reads of a previously opened
> file descriptor to /proc/kmsg.  So it would change SELinux behavior in a
> way that is directly contrary to the notion of mandatory access control.

Yes, it would do that; no, I don't see why that change is contrary to
the notion of mandatory access control.  An open fd on /proc/kmsg
(with my changes applied) offers strictly fewer privileges than
SYSTEM__SYSLOG_MOD (no access to opcodes 4 and 5), and with SELinux
active, you can't get that open fd without having had
SYSTEM__SYSLOG_MOD at some prior time.  SELinux does not (as far as I
can tell) do MAC checks for access to normal files at read() time,
only open().

I see this as bringing /proc/kmsg in line with standard Unix file
permission semantics, overall.

> Part 4 appears to further expose /proc/kmsg to access by any uid 0
> process even if it has no capabilities (think privilege shedding or
> containers).

Only in the default privilege model, not in SELinux.  (CAP_SYS_ADMIN
is a hell of a lot more powerful than SYSTEM__SYSLOG_MOD.)  And I
could be talked out of part 4.

> But having a mapping in the core to a much
> smaller set of permissions would be even better, and help with
> maintenance; the next time someone added a new code, they would more
> likely see the mapping table in the core and update it than go digging
> into the individual security modules.

But that mapping is itself a security policy decision, and could
plausibly need to be done differently in different security modules...

zw
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ