[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4806FB3E.10200@crispincowan.com>
Date: Thu, 17 Apr 2008 00:24:46 -0700
From: Crispin Cowan <crispin@...spincowan.com>
To: casey@...aufler-ca.com
CC: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>,
sds@...ho.nsa.gov, serue@...ibm.com, matthew@....cx,
paul.moore@...com, akpm@...ux-foundation.org,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, takedakn@...data.co.jp,
linux-fsdevel@...r.kernel.org
Subject: Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO.
Casey Schaufler wrote:
> --- Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp> wrote
>> Casey Schaufler wrote:
>>
>>> The question of protections on the object named /etc/passwd came
>>> up time and time again. The notion that /etc/passwd could be a
>>> symlink to /home/smalley/heeheehee really gave evaluators the
>>> whillies. As did the chroot environment, where /roots/crispin/etc/passwd
>>> could magicly become /etc/passwd.
>>>
>> Why do people continue speaking symlinks and chroots?
>>
> Because on any given Linux system you could have an arbitrarily
> large number of different things that might be accessed by the
> name "/etc/passwd" and a different, but similarly large number
> of names other than "/etc/passwd" that can be used to access them.
>
But that's not quite true.
"/etc/passwd" can indeed point anywhere, but it can only point to a
single place at a time. I've alluded to this several times in pointing
out that labels and names have dualistic many:one and one:many
relationships to actual files.
This is Tetsuo's point: if you symlink or chroot /etc/shadow to point
some place strange, then the redirection will be resolved *before*
AppArmor and TOMOYO consider the security question of whether access
should be allowed. Therefore, the fact that you re-directed it is
irrelevant to security.
>> To avoid the effect of symlinks and chroots, AppArmor and TOMOYO Linux
>> derive pathnames from dentry and vfsmount.
>> If /etc/passwd was a symlink, the derived pathname will be
>> /home/smalley/heeheehee.
>> If accessed from inside a chroot, the derived pathname will be
>> /roots/crispin/etc/passwd.
>>
> Which doesn't hold up under hard links, which I had carefully
> avoided and that both AppArmor and TOMOYO Linux have to place
> restrictions on for the systems to make sense.
>
Hard links are indeed handled differently, but they are handled. I don't
know what TOMOYO does. What AppArmor does is exploit the fact that you
cannot hard link a directory, so the target of a hard link must be a
file. From there, we can use the dentry to disambiguate which file.
So again, even though more than one name points to the inode, the name
that was actually used to get to this inode is unique, and we recover
it and then consider the security question of whether you get to access
that name.
>> It is true that namespace may differ between processes,
>> but I think that that is the matter of how to restrict namespace manipulation
>> operations.
>> As I said, a system can't survive if namespace is madly manipulated.
>>
> That's hardly the viewpoint of those who would have every
> user mount their own version of /tmp.
>
Well, AppArmor and TOMOYO don't do well if the namespace is madly
manipulated. They remain secure, because they prohibit name space
manipulations by confined processes. If what you wanted to do was lots
of name space manipulations, it makes (at least AppArmor) a poor choice
for you.
>> It is true that the pathname may change while traversing up the
>> dentry/vfsmount trees.
>> But the change does not occur infinitely.
>> As I said, a system can't survive if files and directories are madly renamed.
>> The possible changes are bounded by the policy.
>>
>> At least, I want people not to speak symlinks and chroots when talking about
>> AppArmor and TOMOYO Linux.
>>
> The issues with links, symlinks, chroots and mounts in the
> context of a name based access control scheme will always
> need to be addressed, just as the issues of unlabeled filesystems
> and /tmp will have to be in label based scheme.
>
Agreed. Duality abounds in this space.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin
The Olympic Games: Symbolizing oppressiiion and corruption for over a
hundred years
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists