Message-ID: <alpine.LRH.1.10.0808292034550.30593@tundra.namei.org>
Date:	Fri, 29 Aug 2008 20:47:37 +1000 (EST)
From:	James Morris <jmorris@...ei.org>
To:	Markku Savela <msa@...h.iki.fi>
cc:	Theodore Tso <tytso@....edu>, pavel@...e.cz,
	linux-kernel@...r.kernel.org, Stephen Smalley <sds@...ho.nsa.gov>
Subject: Re: Frustrated with capabilities..

On Fri, 29 Aug 2008, Markku Savela wrote:

> File capabilities (nor selinux) won't work, because the "helper
> applications" need to be executed with different capabilities and
> permissions, depending on the "manifests" of the downloaded
> "code". Obviously, serious permissions are granted only to properly
> verified "code" (signed).
> 
>   [Any ideas how selinux would help to enforce a permission which is
>   dynamically defined by installing application?]

You could implement a specialized userspace application launcher, which 
parses the manifest, determines a security context for the application, 
performs any requisite object labeling, then launches the application in 
that context.  The kernel policy could enforce which particular contexts 
the launcher was authorized to use, and which applications could be 
launched in this way, then confine the launched applications.

> 
> I'm using "code" in quotes, because in my mind, it can include HTML, 
> word documents, spreadsheets, images. Data formats are getting so 
> complex, that they start to look more like interpreted code, than plain 
> passive data.
> 
> File capabilities (and setuid/setgid bits, selinux attributes) have
> another problem: they only work properly on internal disk. No sane
> person would allow them to be effective from removable media or NFS.

There is a project underway to extend SELinux (and MAC labeling in 
general) over NFS: http://selinuxproject.org/page/Labeled_NFS


- James
-- 
James Morris
<jmorris@...ei.org>
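
Added example, not part of the original message and not code from any SELinux project: a sketch of the launcher described above, which maps a manifest to a security context and sets it for the next execve() through /proc/thread-self/attr/exec, the procfs interface that libselinux's setexeccon() writes to. The manifest format, profile names and SELinux type names are hypothetical, and signature verification is assumed to be done by the caller.

```python
import os
import sys

# Hypothetical profile -> SELinux context table. The type names are
# assumptions; real policy must define them and authorize the launcher's
# domain to transition into each one.
CONTEXTS = {
    "sandbox": "system_u:system_r:helper_sandbox_t:s0",
    "network": "system_u:system_r:helper_net_t:s0",
    "device": "system_u:system_r:helper_device_t:s0",
}
# Profiles granted only to code whose signature was verified.
SIGNED_ONLY = {"network", "device"}


def parse_manifest(text):
    """Parse a constructed 'key = value' manifest; '#' starts a comment."""
    manifest = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed manifest line: {raw!r}")
        manifest[key.strip()] = value.strip()
    return manifest


def select_context(manifest, signature_verified):
    """Reject unknown profiles; downgrade unverified code to the sandbox."""
    profile = manifest.get("profile", "sandbox")
    if profile not in CONTEXTS:
        raise ValueError(f"unknown profile: {profile!r}")
    if profile in SIGNED_ONLY and not signature_verified:
        profile = "sandbox"  # unverified code never gets a privileged domain
    return CONTEXTS[profile]


def launch(path, argv, context):
    """Set the context for the next execve(), then exec the helper.
    The kernel policy decides whether this transition is permitted."""
    fd = os.open("/proc/thread-self/attr/exec", os.O_WRONLY)
    try:
        os.write(fd, context.encode("ascii"))
    finally:
        os.close(fd)
    os.execv(path, argv)


if __name__ == "__main__" and len(sys.argv) > 2:
    with open(sys.argv[1]) as f:
        ctx = select_context(parse_manifest(f.read()), signature_verified=False)
    launch(sys.argv[2], sys.argv[2:], ctx)
```

If the policy does not authorize the launcher's domain for the chosen context, the write or the execv() fails, which is the kernel-side enforcement the message refers to.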