| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1210684747.6206.108.camel@moss-spartans.epoch.ncsc.mil> Date: Tue, 13 May 2008 09:19:07 -0400 From: Stephen Smalley <sds@...ho.nsa.gov> To: Mathieu Desnoyers <mathieu.desnoyers@...ymtl.ca> Cc: David Woodhouse <dwmw2@...radead.org>, linux-kernel@...r.kernel.org, mingo@...hat.com Subject: Re: System call audit On Tue, 2008-05-13 at 09:12 -0400, Mathieu Desnoyers wrote: > * David Woodhouse (dwmw2@...radead.org) wrote: > > On Tue, 2008-05-13 at 08:51 -0400, Mathieu Desnoyers wrote: > > > * David Woodhouse (dwmw2@...radead.org) wrote: > > > > On Mon, 2008-05-12 at 20:06 -0400, Mathieu Desnoyers wrote: > > > > > Hi David, > > > > > > > > > > As I am looking into the system-wide system call tracing problem, I > > > > > start to wonder how auditsc deals with the fact that user-space could > > > > > concurrently change the content referred to by the __user pointers. > > > > > > > > In general we have to copy the content into kernel space, audit it, and > > > > then act on it from there. See the explanation on the IPC audit patch at > > > > http://lwn.net/Articles/125350/ for example. > > > > > > > > Auditing one thing and then acting on another would be simply broken. > > > > > > > > > This would be the case for execve. If we create a program with two > > > > > thread; one is executing execve syscalls and the other thread would be > > > > > modifying the userspace string containing the name of the program to > > > > > execute. > > > > > > > > I was going to suggest that that attack vector won't work, because > > > > execve() kills all threads. But all you have to do to avoid that is put > > > > the data in question into a shared writable mmap and modify it from > > > > another _process_. And in fact I suspect there's a combination of CLONE_ > > > > flags which would avoid the thread-killing behaviour anyway. > > > > > > > > > > Even better : if execve fails, it doesn't kill the threads. Therefore, > > > all we have to do is to busy-loop doing failing execve() calls and > > > atomically change the string to what we want to be executed. Can anyone > > > test the sample snippet in a context where executing /bin/bash is > > > disallowed on a SMP system ? I don't have a selinux setup handy. > > > > You were talking about audit earlier. Now you seem to be talking about > > selinux. > > > > I thought selinux did hook into syscall audit ? (sorry, I am new to the > kernel auditing field) The race I refer to is in the auditsc.c kernel > code, so syscall audit would be the one I am talking about. I refer to > selinux here just because, as of my understanding, it happens to be one > module-based callback which can hook on syscall audit. SELinux is a user of the audit subsystem in terms of generating audit messages for permission denials. It doesn't rely on any inputs from the audit subsystem. -- Stephen Smalley National Security Agency -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists