| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1183470580.12218.253.camel@moss-spartans.epoch.ncsc.mil> Date: Tue, 03 Jul 2007 09:49:40 -0400 From: Stephen Smalley <sds@...ho.nsa.gov> To: Andreas Gruenbacher <agruen@...e.de> Cc: James Morris <jmorris@...ei.org>, John Johansen <jjohansen@...e.de>, Andrew Morton <akpm@...ux-foundation.org>, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, Miklos Szeredi <mszeredi@...e.cz> Subject: Re: [AppArmor 32/44] Enable LSM hooks to distinguish operations on file descriptors from operations on pathnames On Thu, 2007-06-28 at 20:15 +0200, Andreas Gruenbacher wrote: > On Thursday 28 June 2007 18:12, James Morris wrote: > > Are you trying to cater for the case where you're holding an open fd for a > > file which has been deleted, and thus has no pathname? > > Yes, see the AA_CHECK_FD flag in security/apparmor/main.c:aa_perm_dentry(). We > want to distinguish between the following two cases: > > - process performs an operation on an open file descriptor, > > - process performs an operation on a pathname, and between the dentry > lookup and the LSM permission check, the file gets deleted. > > In the former case, we obviously want to continue giving the process access to > his fd (the classical pattern: open temporary file; delete it so that it will > self-recycle, continue using the open file descriptor). > > In the latter case, The file still existed at the time of the lookup but not > anymore at the time of the permission check. The file obviously doesn't have > a filename anymore, so we cannot check permissions. If we granted access in > that case, processes could bypass their profile permissions in that race > window. We close the race by returning -ENOENT in that case, the same result > as if the file had already been deleted before the lookup. So you don't actually need/use the struct file pointer; you just need a flag indicating whether or not access was by open file descriptor or by pathname? And what does this mean for a process that has "changed hats"? Which might not be authorized to access the file anymore, even via an already opened descriptor. -- Stephen Smalley National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists