Message-ID: <20111107232132.2c6880a5@lxorguk.ukuu.org.uk>
Date: Mon, 7 Nov 2011 23:21:32 +0000
From: Alan Cox <alan@...rguk.ukuu.org.uk>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: "H. Peter Anvin" <hpa@...or.com>,
Vasiliy Kulikov <segoon@...nwall.com>,
Eric Paris <eparis@...isplace.org>,
kernel-hardening@...ts.openwall.com, Valdis.Kletnieks@...edu,
linux-kernel@...r.kernel.org,
Alexey Dobriyan <adobriyan@...il.com>,
Andrew Morton <akpm@...ux-foundation.org>,
linux-security-module@...r.kernel.org
Subject: Re: [kernel-hardening] Re: [PATCH] proc: restrict access to /proc/interrupts
> Why? Because the problem really isn't about opening the file. The
> problem is about any access: once you've opened the file, you *still*
> must not be able to read the data from it if you have logged out and
> somebody else has logged in. Think opening the microphone (which you
> *should* be able to do) and just keeping it open until the next user
> logs in.
We need minimal revocation stuff. This hasn't changed in years. You can
mostly work around it with SELinux but the underlying problem is that you
need a small controlled subset of revokable devices and objects and a
meaningful way to revoke them.
The latter is hard to do with a simple noddy model because there are
multi-user systems with multiple audio devices, multiple displays and the
like where the mapping is not a simple 'this list of objects is console'
but needs user space to do the work.
> Faking it with posix acl's is what the /dev/audio stuff tends to do.
The audio stuff mostly uses daemons to manage it. A bigger problem is
file system mounts. If you've got an old handle on /dev/cdrom you can
pass it down a socket to a background irritant that just does an eject
every five minutes. Students were doing this in SunOS 4 and I'm sure
still find it funny today.
> It's better than nothing, but it really isn't wonderful - because it's
> really not just about audio. And revoke doesn't work universally.
BSD invented revoke but never implemented it universally. It turns out
that this isn't a big problem. Right now we basically only have revoke
for tty devices but we don't need it for that much more. Revoke on disk
files and the like has simply never happened because it's not a matter of
revoke being universal so much as universal revoke being universally
pointless.
Alan
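The point both sides of the thread take for granted, that permission is checked when a file is opened and that an already-open handle keeps working no matter what happens to the name afterwards, is easy to verify on any Linux box. The following script is an added illustration and is not part of this message or of any kernel patch; it uses a temporary regular file as a stand-in for a device node such as /dev/cdrom or an audio device, and the path name and payload are constructed for the example. It locks the name down with chmod and then removes it entirely, and shows that a handle opened beforehand still reads the data either way, which is exactly why an ACL or mode change at logout is not revocation.

```python
"""Open-time permission checks are not revocation.

Added example (not from the thread). A handle obtained while access was
permitted keeps working after the name's mode bits are cleared and even
after the name is unlinked; only a real revoke would invalidate it.
"""
import os
import tempfile

PAYLOAD = b"secret payload\n"  # constructed sample content


def _fd_reads(fd):
    """True if the existing descriptor can still read the original content."""
    os.lseek(fd, 0, os.SEEK_SET)
    return os.read(fd, 64) == PAYLOAD


def _try_open(path):
    """Attempt a fresh open and report the outcome by errno name."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except PermissionError:
        return "EACCES"
    except FileNotFoundError:
        return "ENOENT"
    os.close(fd)
    return "opened"  # happens when running as root, which bypasses DAC mode bits


def demonstrate_retained_handle():
    """Return a dict describing what an old handle can do after the name is locked down."""
    results = {}
    tmpdir = tempfile.mkdtemp()
    # Constructed stand-in for a device node like /dev/cdrom.
    path = os.path.join(tmpdir, "device-stand-in")
    with open(path, "wb") as f:
        f.write(PAYLOAD)

    # A user opens the object while they are entitled to.
    old_fd = os.open(path, os.O_RDONLY)

    # An administrator later "revokes" access by clearing the mode bits.
    os.chmod(path, 0)
    results["old_handle_reads_after_chmod"] = _fd_reads(old_fd)
    results["fresh_open_after_chmod"] = _try_open(path)

    # Removing the name altogether still leaves the existing handle untouched.
    os.unlink(path)
    results["old_handle_reads_after_unlink"] = _fd_reads(old_fd)
    results["fresh_open_after_unlink"] = _try_open(path)

    os.close(old_fd)
    os.rmdir(tmpdir)
    return results


if __name__ == "__main__":
    for key, value in demonstrate_retained_handle().items():
        print(f"{key}: {value}")
```

Run as an unprivileged user the fresh open after chmod fails with EACCES; as root it succeeds, because root bypasses mode bits, but the result that matters is the same in both cases: the old descriptor keeps reading after chmod and after unlink. Closing that gap is what a revoke operation (today only available for ttys, as the message says) would have to do.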