| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20091227145428.GA19414@hallyn.com> Date: Sun, 27 Dec 2009 08:54:28 -0600 From: "Serge E. Hallyn" <serge@...lyn.com> To: Valdis.Kletnieks@...edu Cc: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>, serue@...ibm.com, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org Subject: Re: A basic question about the security_* hooks Quoting Valdis.Kletnieks@...edu (Valdis.Kletnieks@...edu): > On Sun, 27 Dec 2009 13:02:54 +0900, Tetsuo Handa said: > > I believe TOMOYO can safely coexist with other security modules. > > Why TOMOYO must not be used with SELinux or Smack or AppArmor? > > What interference are you worrying when enabling TOMOYO with SELinux or Smack > > or AppArmor? ... > First, it's possible to totally screw up your box - consider 2 defective > policies where each prevents a reload of the other's policy. Now note that it > doesn't even need to be the *policy* - if the Tomoyo policy files get > mislabeled with the wrong SELinux context, then an SELinux component will > probably prevent access to the policy and thus prevent the load. Your system > is now *at best* running SELinux-only (and now vulnerable to to any attacks you > were depending on Tomoyo to stop). At worst, the wrecked Tomoyo policy will > mean that Tomoyo will then reject the SELinux 'restorecon' command to correct > the labels, leaving you in a situation where you can't recover your box. > > Second, it's unclear what a combo of two different MAC systems would *mean*, > and whether it creates corner cases that can be exploited - the "two systems > block each other's reloads" mentioned above is but one example. If a system that > depends on inode labeling is active at the same time as a path-based system, > what happens if you manage to do an 'mv' command that changes the security > context in the path-based system while leaving the inode label the same, or > relabel an inode without rename it to match? The file has just experienced > a security transition for one system, but not the other. Are there any > files and transitions where the mismatch matters? > > If the two systems load policies with the same semantics, why are you > bothering? And if they load different semantics, can the difference be > leveraged by an attacker? Agree with everything Valdis said (including after this part, which I cut). Why do you compose the two? I assume you went to the trouble because you have a specific use case, a definite advantage? -serge -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists