lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 Jan 2012 13:45:27 +0100 From: Miklos Szeredi <miklos@...redi.hu> To: john.johansen@...onical.com CC: apparmor@...ts.ubuntu.com, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, draht@...e.com Subject: security_path hooks for xattr Forwarding from an internal bug report: "AppArmor does not mediate the xattr system calls for confined processes. As a consequence, a confined process can cross the confinement privilege boundary by reading or writing to extended attributes that the confined task should not have access to. The restrictions for security and user attributes read and write still apply according to DAC; however, this does not comply with the claim of AppArmor to mediate fipe operations. The use of extended attributes is very flexible, so that the effect of a missing mediation can lead to false assumptions in subsequent policy decisions (eCryptfs)." AFAIU this boils down to missing security hooks in *xattr(). Would it be possible to add these hooks? Thanks, Miklos -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists