lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1248189524.2654.301.camel@localhost>
Date:	Tue, 21 Jul 2009 11:18:44 -0400
From:	Eric Paris <eparis@...hat.com>
To:	Alan Cox <alan@...rguk.ukuu.org.uk>
Cc:	linux-kernel@...r.kernel.org, selinux@...ho.nsa.gov,
	linux-security-module@...r.kernel.org, sds@...ho.nsa.gov,
	jmorris@...ei.org, spender@...ecurity.net, dwalsh@...hat.com,
	cl@...ux-foundation.org, arjan@...radead.org, kyle@...artin.ca,
	cpardy@...hat.com, arnd@...db.de
Subject: Re: [PATCH 1/2] VM/SELinux: require CAP_SYS_RAWIO for all
 mmap_zero operations

On Tue, 2009-07-21 at 16:04 +0100, Alan Cox wrote:
> On Tue, 21 Jul 2009 10:41:58 -0400
> Eric Paris <eparis@...hat.com> wrote:
> 
> > Currently non-SELinux systems need CAP_SYS_RAWIO for an application to mmap
> > the 0 page.  On SELinux systems they need a specific SELinux permission,
> > but do not need CAP_SYS_RAWIO.  This has proved to be a poor decision by
> > the SELinux team as, by default, SELinux users are logged in unconfined and
> > thus a malicious non-root has nothing stopping them from mapping the 0 page
> > of virtual memory.
> 
> So the poor decision is in fact that the SELinux users start as
> unconfined rather than taking away a few things like the the min map
> stuff which can then be given back to specific apps.

See Fedora Core 2 of an example why confining users causes people to
just turn off SELinux.  In F10 we had around 90% SELinux enforcing of
machines the reported to smolt for more than 3 months.  We are trying to
slowly reign people in with SELinux and confining the user is one of
those near impossibilities without breaking every power user out
there....

> > On a non-SELinux system, a malicious non-root user is unable to do this, as
> > they need CAP_SYS_RAWIO.
> > 
> > This patch checks CAP_SYS_RAWIO for all operations which attemt to map a
> > page below mmap_min_addr.
> 
> So "wine" now needs to run with CAP_SYS_RAWIO or you turn all the
> security off.

Now, as in today, yes.  To run wine today it either needs CAP_SYS_RAWIO
or you disable for the whole system.  I noted that I believe ubuntu just
turns it off for the whole system when you install WINE.  This patch
doesn't change that fact.  All it does is add that requirement to
SELinux systems that already exists on non-selinux systems.

> Am I missing something here, this "solution" sounds completely brain
> dead ?

Well, with patch 2/2 you still get your SELinux protections (only for 1
page) even if you disable it for the whole system.  So in the end, you
have better protection than you have today with this series....

-Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ