| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 12 Dec 2009 22:30:03 -0500 From: Michael Stone <michael@...top.org> To: linux-kernel@...r.kernel.org Cc: Michael Stone <michael@...top.org> Subject: [PATCH] Security: Document RLIMIT_NETWORK. Signed-off-by: Michael Stone <michael@...top.org> --- Documentation/rlimit_network.txt | 55 ++++++++++++++++++++++++++++++++++++++ 1 files changed, 55 insertions(+), 0 deletions(-) create mode 100644 Documentation/rlimit_network.txt diff --git a/Documentation/rlimit_network.txt b/Documentation/rlimit_network.txt new file mode 100644 index 0000000..3307866 --- /dev/null +++ b/Documentation/rlimit_network.txt @@ -0,0 +1,55 @@ +Purpose +------- + +Daniel Bernstein has observed [1] that security-conscious userland processes +may benefit from the ability to irrevocably remove their ability to create, +bind, connect to, or send messages except in the case of previously connected +sockets or AF_UNIX filesystem sockets. + +This facility is particularly attractive to security platforms like OLPC +Bitfrost [2] and to isolation programs like Rainbow [3] and Plash [4] because: + + * it integrates well with standard techniques for writing privilege-separated + Unix programs + + * it integrates well with the need to perform limited socket I/O, e.g., when + running X clients + + * it's available to unprivileged programs + + * it's a discretionary feature available to all of distributors, + administrators, authors, and users + + * its effect is entirely local, rather than global (like netfilter) + + * it's simple enough to have some hope of being used correctly + +Implementation +-------------- + +After considering implementations based on the Linux Security Module (LSM) +framework, on SELinux in particular, on network namespaces (CLONE_NEWNET), and +on direct modification of the kernel syscall and task_struct APIs, we came to +the conclusion that the best way to implement this feature was to extend the +resource limits framework with a new RLIMIT_NETWORK field and to modify the +implementations of the relevant socket calls to return -EPERM when + + current->signal->rlim[RLIMIT_NETWORK].rlim_cur == 0 + +unless we are manipulating an AF_UNIX socket whose name does not begin with \0 +or, in the case of sendmsg(), unless we are manipulating a previously connected +socket, i.e. one with + + msg.msg_name == NULL && msg.msg_namelen == 0 + +Finally, in response to criticism from Alan Cox, we insert a similar access +check into __ptrace_may_access() to prevent processes which have dropped their +networking privileges from performing network I/O by ptracing other processes. + +References +---------- + +[1]: http://cr.yp.to/unix/disablenetwork.html +[2]: http://wiki.laptop.org/go/OLPC_Bitfrost +[3]: http://wiki.laptop.org/go/Rainbow +[4]: http://plash.beasts.org/ -- 1.5.6.5 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists