Date:	Fri, 25 Sep 2009 07:22:48 +0000
From:	Andy Spencer <andy753421@...il.com>
To:	David Wagner <daw-news@...berkeley.edu>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: [RFC] Privilege dropping security module

> If I understand correctly, this isn't sufficient to run untrusted code,
> because it only restricts access to the filesystem.  You gotta restrict
> access to the network, interaction with other processes, and so on.
> (For instance, does dpriv let the untrusted process take over another of
> your processes using ptrace?)

Yes, currently dpriv allows a process to take over another process using
ptrace. However, I plan on supporting limits on ptrace (and other
things) in the future.


> I suspect making all permissions recursive is going to lead to overly
> permissive policies.  Suppose I want to allow read access to everything
> under /lib and /usr/lib, read-execute access to everything under /bin
> and /usr/bin, and read-write access to everything under /tmp.  (But I
> do not want to allow any access to any other directories.)  How do I
> do it?

The important thing is that limits can be overridden while they are
still in the stage. This allows you to deny access to a directory, but
still allow access to specific subdirectories.

  $ echo -----X /        > /sys/kernel/security/dpriv/stage
  $ echo r--R-X /lib     > /sys/kernel/security/dpriv/stage
  $ echo r--R-X /usr/lib > /sys/kernel/security/dpriv/stage
  $ echo r-xR-X /bin     > /sys/kernel/security/dpriv/stage
  $ echo r-xR-X /usr/bin > /sys/kernel/security/dpriv/stage
  $ echo rw-RWX /tmp     > /sys/kernel/security/dpriv/stage
  $ echo commit          > /sys/kernel/security/dpriv/control

Does this answer your question? It should be noted that you can still
walk to any directory because X is allowed on /. To prevent this you
would have to allow X on / and then specifically deny X on /*/, but
expanding * is something that I would rather have done in userspace.
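Added example (not part of the message above and not dpriv's own code): a small Python model of the stage/commit policy the reply describes, written to show how a more specific staged path overrides a broader one and why "X on /" still lets a process walk into every directory. It assumes, as a reading of the strings in the example, that in "rwxRWX <path>" the lowercase bits apply to <path> itself and the uppercase bits to everything beneath it, and that the most specific staged path wins; the Stage, Policy and build names are invented for this model.

```python
"""Constructed model of the dpriv stage/commit example (not the module's code)."""
import posixpath
from typing import Dict, List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    own: str  # rwx bits for the path itself (assumed meaning of the lowercase triple)
    sub: str  # rwx bits for everything beneath it (assumed meaning of RWX)


def parse_rule(line: str) -> Tuple[str, Rule]:
    """Parse one 'rwxRWX <path>' line as written to .../dpriv/stage."""
    bits, path = line.split()
    if len(bits) != 6:
        raise ValueError(f"expected six permission bits: {line!r}")
    for got, want in zip(bits, "rwxRWX"):
        if got not in ("-", want):
            raise ValueError(f"bad permission string: {bits!r}")
    if not path.startswith("/"):
        raise ValueError(f"policy paths must be absolute: {path!r}")
    return posixpath.normpath(path), Rule(bits[:3], bits[3:].lower())


class Policy:
    """A committed policy: immutable set of path -> Rule entries."""

    def __init__(self, rules: Dict[str, Rule]) -> None:
        self.rules = dict(rules)

    def _nearest(self, path: str) -> Tuple[Optional[Rule], bool]:
        """Walk from the path up to '/' and return the first staged ancestor
        (assumption: the most specific staged path decides)."""
        p = posixpath.normpath(path)
        cur = p
        while True:
            if cur in self.rules:
                return self.rules[cur], cur == p
            if cur == "/":
                return None, False
            cur = posixpath.dirname(cur)

    def allowed(self, path: str, op: str) -> bool:
        """Is operation op ('r', 'w' or 'x') permitted on path?"""
        if len(op) != 1 or op not in "rwx":
            raise ValueError(f"op must be one of r, w, x: {op!r}")
        if not path.startswith("/"):
            raise ValueError(f"paths must be absolute: {path!r}")
        rule, exact = self._nearest(path)
        if rule is None:
            return False  # nothing staged covers this path: deny by default
        return op in (rule.own if exact else rule.sub)


class Stage:
    """The pending policy: entries can still be overridden before commit."""

    def __init__(self) -> None:
        self.pending: Dict[str, Rule] = {}

    def write(self, line: str) -> None:  # like: echo <line> > .../dpriv/stage
        path, rule = parse_rule(line)
        self.pending[path] = rule  # restaging a path replaces the earlier entry

    def commit(self) -> Policy:  # like: echo commit > .../dpriv/control
        policy = Policy(self.pending)
        self.pending = {}
        return policy


# The exact lines from the reply above.
PAGE_POLICY: List[str] = [
    "-----X /",
    "r--R-X /lib",
    "r--R-X /usr/lib",
    "r-xR-X /bin",
    "r-xR-X /usr/bin",
    "rw-RWX /tmp",
]


def build(lines: List[str]) -> Policy:
    """Stage every line in order, then commit."""
    stage = Stage()
    for line in lines:
        stage.write(line)
    return stage.commit()


if __name__ == "__main__":
    policy = build(PAGE_POLICY)
    checks = [("/lib/libc.so.6", "r"), ("/usr/bin/ls", "x"), ("/tmp/scratch", "w"),
              ("/etc/passwd", "r"), ("/etc", "x"), ("/var/log", "x")]
    for path, op in checks:
        print(f"{op} {path:16} -> {'allow' if policy.allowed(path, op) else 'deny'}")
    # Denying one directory explicitly, the per-directory form of "deny X on /*/".
    narrowed = build(PAGE_POLICY + ["------ /etc"])
    print(f"x /etc with explicit deny -> {narrowed.allowed('/etc', 'x')}")
```

Running it shows the point of the reply: reads under /lib and execution under /usr/bin are allowed, /etc/passwd cannot be read, yet x on /etc and /var/log is still allowed because the root entry grants X recursively, and adding "------ /etc" to the stage closes that one directory without touching the others.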
