lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <49639039.4060708@cs.columbia.edu>
Date:	Tue, 06 Jan 2009 12:09:13 -0500
From:	Shaya Potter <spotter@...columbia.edu>
To:	"Serge E. Hallyn" <serue@...ibm.com>
CC:	Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Add in_execve flag into task_struct.

Serge E. Hallyn wrote:
> Quoting Tetsuo Handa (penguin-kernel@...ove.sakura.ne.jp):
>> Serge,
>>
>> James is now reviewing TOMOYO Linux patch and he is caring about
>> your comment below.
>>
>> Serge E. Hallyn wrote:
>>> I don't like the 'in_exec' bit in the task_struct, but adding LSM hooks
>>> to let just TOMOYO mark whether you're in exec seems even uglier.
>> Let me (once again) ask your comment on 'in_exec' approach
>> originally suggested by David Howells ( http://lkml.org/lkml/2008/10/2/127 ).
> 
> I still don't like it.  Now I gather the reason for this is that you
> want to allow a less trusted domain to execute a file (in a new domain)
> without giving it the right to read it?  I'd be interested in hearing
> whether others think that's a worthy goal.

I assume this has been asked and answered by whats the advantage of this
in_exec flag over a single function that set the security domain, oncee
at the beginning of exec to set the new domain (B) and once in the
fail/exit path to reset it back (to A) in case of failure.

the only difference I can see is that you want what is basically a 3rd
security domain of "execing B".

The question would then be, why is "execing B" different than B itself?

otherwise, the same changes you do to set/unset the in_exec flag could
be used to set and reset the security domains.

it just seems weird to say that we are technically in security domain A,
but are going to treat the process as if its in security domain B when
you can just as easily put it in security domain B and put it back in
security domain A if the operation fails.

but again, I could very well be missing something.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ