| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 Jan 2007 16:30:54 -0500 From: Mimi Zohar <zohar@...ibm.com> To: Arjan van de Ven <arjan@...radead.org> Cc: akpm@...l.org, Christoph Hellwig <hch@...radead.org>, kjhall@...ux.vnet.ibm.com, linux-kernel@...r.kernel.org, safford@...son.ibm.com Subject: Re: mprotect abuse in slim Arjan van de Ven <arjan@...radead.org> wrote on 01/08/2007 10:07:25 PM: > Hi, > >maybe this is a silly question, but do you revoke not only the current >fd entries, but also the ones that are pending in UNIX domain sockets >and that are already being sent to the process? If not.. then you might >as well not bother ;) > >Greetings, > Arjan van de Ven In the new slim code, which we haven't sent out but will soon, we added the unix_may_send and unix_stream_connect hooks. The unix_may_send hook prevents a demoted process from sending data on a higher integrity socket; and the unix_may_connect hook prevents a process from connecting to a lower integrity socket. The integrity level of the socket is based on the integrity of the file associated with the Unix domain socket. The bottom line is that although we don't demote the pending socket and would allow it to connect at the higher integrity, we simply don't allow anything of lesser integrity to be sent over it. Mimi Zohar - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists