| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <877hlqas9e.fsf@basil.nowhere.org>
Date: Wed, 23 Jun 2010 13:43:41 +0200
From: Andi Kleen <andi@...stfloor.org>
To: Kees Cook <kees.cook@...onical.com>
Cc: linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH v2] security: Yama LSM
Kees Cook <kees.cook@...onical.com> writes:
> +
> +config SECURITY_YAMA_SYMLINKS
> + bool "Yama: protect symlink following in sticky world-writable
> dirs"
IMHO it's bad style to have CONFIGs that just set defaults,
if that can be done at runtime too. Especially as in your case if it's
a lot of settings. Is it that bad to have a init script and drop these
CONFIGs?
However the help texts are useful, these should be in the sysctl
documentatin in Documentation instead.
> + if (rc) {
> + printk_ratelimited(KERN_INFO "ptrace of non-child"
> + " pid %d was attempted by: %s (pid %d)\n",
> + child->pid, get_task_comm(name, current),
> + current->pid);
It's probably obscure and other kernel code has this too, but at some point
there were attacks to use terminal ESC sequences to attack root's
terminal when they dmesg. Couldn't that be done through "comm" here?
At least the other code who has this problem doesn't claim to enhance
security :)
-Andi
--
ak@...ux.intel.com -- Speaking for myself only.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists