lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1163105609.12241.395.camel@moss-spartans.epoch.ncsc.mil>
Date:	Thu, 09 Nov 2006 15:53:28 -0500
From:	Stephen Smalley <sds@...ho.nsa.gov>
To:	Zack Weinberg <zackw@...ix.com>
Cc:	Chris Wright <chrisw@...s-sol.org>,
	Sergey Vlasov <vsu@...linux.ru>, linux-kernel@...r.kernel.org,
	jmorris@...ei.org
Subject: Re: RFC PATCH: apply security_syslog() only to the syslog()
	syscall, not to /proc/kmsg

On Thu, 2006-11-09 at 09:39 -0800, Zack Weinberg wrote:
> On 11/9/06, Stephen Smalley <sds@...ho.nsa.gov> wrote:
> > Unless I missed something, your plan above would disable SELinux
> > syslog-related permission checking upon reads of a previously opened
> > file descriptor to /proc/kmsg.  So it would change SELinux behavior in a
> > way that is directly contrary to the notion of mandatory access control.
> 
> Yes, it would do that; no, I don't see why that change is contrary to
> the notion of mandatory access control.  An open fd on /proc/kmsg
> (with my changes applied) offers strictly fewer privileges than
> SYSTEM__SYSLOG_MOD (no access to opcodes 4 and 5), and with SELinux
> active, you can't get that open fd without having had
> SYSTEM__SYSLOG_MOD at some prior time.

Sure you can.  You can inherit or receive a descriptor opened by another
process that had that permission (and even accidental descriptor leakage
isn't as uncommon as you might think; SELinux has turned up numerous
cases of it).

>   SELinux does not (as far as I
> can tell) do MAC checks for access to normal files at read() time,
> only open().

Look for security_file_permission() calls in the core code, and its
implementation in SELinux (selinux_file_permission).  That is just a
revalidation of access to help with relabeling and policy changes,
albeit necessarily incomplete in coverage.  More crucially, SELinux
rechecks descriptors on inheritance across execve
(flush_unauthorized_files) and transfer across local IPC
(selinux_file_receive) to prevent unauthorized propagation of access
rights in the first place.  

> I see this as bringing /proc/kmsg in line with standard Unix file
> permission semantics, overall.

It may fit with Linux DAC checking, but it isn't what we want for MAC.
You also have to be careful about drawing an analogy to typical Linux
permission checking, since this is proc rather than a normal filesystem.

> > But having a mapping in the core to a much
> > smaller set of permissions would be even better, and help with
> > maintenance; the next time someone added a new code, they would more
> > likely see the mapping table in the core and update it than go digging
> > into the individual security modules.
> 
> But that mapping is itself a security policy decision, and could
> plausibly need to be done differently in different security modules...

Even the set of security hook interfaces and placements impose some
limits on security policies that can be implemented.  But just as those
hooks can be adjusted over time for the needs of new modules, the
mapping can be adjusted over time as needed.  No harm done, and some
benefit. 

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ