lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 16 Apr 2007 14:37:06 -0700
From:	John Johansen <jjohansen@...e.de>
To:	Alan Cox <alan@...rguk.ukuu.org.uk>
Cc:	jjohansen@...e.de, linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	linux-fsdevel@...r.kernel.org, chrisw@...s-sol.org,
	Andreas Gruenbacher <agruen@...e.de>
Subject: Re: [AppArmor 38/41] AppArmor: Module and LSM hooks

On Thu, Apr 12, 2007 at 11:21:01AM +0100, Alan Cox wrote:
> > +
> > +	/**
> > +	 * parent can ptrace child when
> > +	 * - parent is unconfined
> > +	 * - parent is in complain mode
> > +	 * - parent and child are confined by the same profile
> > +	 */
> 
> Your profiles are name based. That means the same profile in a different
> namespace does different things. It would be a very odd case where it
> mattered but surely the parent ptrace child rule should also require that
> the parent and child are in the same namespace when using apparmor name
> based security.
> 
you are right we should be requiring parent and child are in the same
namespace.  This has been fixed.

> > +static int apparmor_capget(struct task_struct *task,
> > +			    kernel_cap_t *effective,
> > +			    kernel_cap_t *inheritable,
> > +			    kernel_cap_t *permitted)
> > +{
> > +	return cap_capget(task, effective, inheritable, permitted);
> > +}
> 
> Pointless function should go away.
> 
yes we had a few of those thanks for pointing it out.

> > +static int apparmor_sysctl(struct ctl_table *table, int op)
> > +{
> > +	int error = 0;
> > +
> > +	if ((op & 002) && !capable(CAP_SYS_ADMIN))
> > +		error = aa_reject_syscall(current, GFP_KERNEL,
> > +					  "sysctl (write)");
> > +
> > +	return error;
> 
> The usual file permission security override is DAC not ADMIN. What is the
> logic of this choice.
> 
This was a very course grain check that was done to restrict access to
sysctl's that could be potentially used to elevated priledge.  The check
is inconsistent with AppArmor's model and we should be modelling
sysctl accesses as pathname access, and then we could be using standard
mediation.

thanks for the review
john


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ