[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20100421223059.GA20626@us.ibm.com>
Date: Wed, 21 Apr 2010 17:30:59 -0500
From: "Serge E. Hallyn" <serue@...ibm.com>
To: Andrew Lutomirski <luto@....edu>
Cc: Stephen Smalley <sds@...ho.nsa.gov>, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
Eric Biederman <ebiederm@...ssion.com>,
"Andrew G. Morgan" <morgan@...nel.org>
Subject: Re: [PATCH 0/3] Taming execve, setuid, and LSMs
Quoting Andrew Lutomirski (luto@....edu):
> So if we give up on changing nosuid, there are a couple of things we
> might want to do:
>
> 1. A mode where execve acts like all filesystems are MNT_NOSUID. This
> sounds like a bad idea (if nothing else, it will cause apps that use
> selinux's exec_sid mechanism (runcon?) to silently malfunction).
I think at this point we've lost track of exactly what we're trying
to do.
The goal, at least for myself and (I think) Eric, was to prevent
certain changes in environment, initiated by an unprivileged user,
from confusing setuid-root programs (initiated by the user).
A concrete example was the proposed disablenet feature, with which
an unprivileged task can remove its ability to open any new network
connections.
With that in mind, I think option 1 is actually the best option.
I especially hate option 2 because of the resulting temptation to
fudge with pE :) If you're going to fudge with pE, then IMO it
MUST be done in a new securebits mode.
Now actually, re-reading my msg, given our original goal, I dare
say that Andrew Morgan's approach of simply returning -EPERM for
any app which tries to setuid or change privileges on exec just
might be the sanest way, at least to start with.
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists