Date:	Sun, 27 Dec 2009 17:36:48 +0900
From:	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To:	michael@...top.org, linux-kernel@...r.kernel.org
Cc:	netdev@...r.kernel.org, linux-security-module@...r.kernel.org,
	andi@...stfloor.org, david@...g.hm, socketcan@...tkopp.net,
	alan@...rguk.ukuu.org.uk, herbert@...dor.apana.org.au,
	Valdis.Kletnieks@...edu, bdonlan@...il.com, zbr@...emap.net,
	cscott@...ott.net, jmorris@...ei.org, ebiederm@...ssion.com,
	bernie@...ewiz.org, mrs@...hic-beasts.com, randy.dunlap@...cle.com,
	xiyou.wangcong@...il.com, penguin-kernel@...ove.sakura.ne.jp,
	sam@...ack.fr, casey@...aufler-ca.com, serue@...ibm.com,
	pavel@....cz
Subject: Re: RFC: disablenetwork facility. (v4)

Michael Stone wrote:
> Further suggestions?

I expect that the future figure of this "disablenetwork" functionality becomes
"disablesyscall" functionality.

What about defining two types of masks, one is applied throughout the rest of
the task_struct's lifetime (inheritable mask), the other is cleared when
execve() succeeds (local mask)?

When an application is sure that "I know I don't need to call execve()" or
"I know execve()d programs need not call ...()" or "I want execve()d
programs not to call ...()", the application sets the inheritable mask.
When an application is not sure about what syscalls the execve()d programs
will call but is sure that "I know I don't need to call ...()", the application
sets the local mask.

When I started the TOMOYO project in 2003, I implemented the above two types of
masks. I found that the characteristics of task_struct (i.e. duplicated upon
fork(), modified upon execve(), deleted upon exit()) are well suited to
implementing discretionary dropping of privileges.

Application writers know better what syscalls the application will call than
application users. I think that a combination of policy based access control
(which restricts operations from outside applications, like SELinux, Smack,
TOMOYO) and voluntary access control (which restricts operations from inside
applications, like disablenetwork) is a good choice. The above two types of
masks can give application writers a chance to drop unneeded privileges (in
other words, a chance to disable unneeded syscalls).
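
The two-mask semantics proposed in the message above, as an added user-space model in C; it is not part of the original message and is not kernel or TOMOYO code. The syscall bits, struct layout and function names are hypothetical, and the model assumes that masks can only be tightened and that execve() is itself subject to them.

```c
/* User-space model of the proposed inheritable/local masks (illustration only). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical syscall bits, chosen for this example only. */
enum { SC_SOCKET = 1u << 0, SC_EXECVE = 1u << 1, SC_PTRACE = 1u << 2 };

struct task {
    uint32_t inheritable; /* denied for the rest of the task's lifetime */
    uint32_t local;       /* denied until execve() succeeds */
};

/* Assumption: one-way masks; a task can set bits but never clear them itself. */
void deny_inheritable(struct task *t, uint32_t sc) { t->inheritable |= sc; }
void deny_local(struct task *t, uint32_t sc)       { t->local |= sc; }

/* A syscall is allowed only if neither mask denies it. */
bool may_call(const struct task *t, uint32_t sc)
{
    return ((t->inheritable | t->local) & sc) == 0;
}

/* fork(): the task state is duplicated, so the child starts with both masks. */
struct task task_fork(const struct task *parent) { return *parent; }

/* execve(): checked against the masks; only success clears the local mask. */
bool task_execve(struct task *t)
{
    if (!may_call(t, SC_EXECVE))
        return false;     /* failed execve(): the local mask stays in force */
    t->local = 0;
    return true;
}

/* Launcher scenario; each bit of the result records one observed property. */
int demo(void)
{
    struct task launcher = {0, 0};
    deny_inheritable(&launcher, SC_SOCKET); /* children must not use the network */
    deny_local(&launcher, SC_PTRACE);       /* launcher itself needs no ptrace() */
    struct task child = task_fork(&launcher);
    int r = 0;
    r |= (!may_call(&child, SC_PTRACE)) << 0; /* local mask copied by fork() */
    r |= (task_execve(&child) ? 1 : 0) << 1;  /* execve() not masked: succeeds */
    r |= (may_call(&child, SC_PTRACE)) << 2;  /* local mask cleared by execve() */
    r |= (!may_call(&child, SC_SOCKET)) << 3; /* inheritable mask survives */
    deny_local(&child, SC_EXECVE);
    r |= (!task_execve(&child)) << 4;         /* local execve() ban is permanent */
    return r;
}
int main(void) { printf("0x%x\n", (unsigned)demo()); return 0; }
```

In this model, putting execve() in the local mask makes that mask effectively permanent for the task, because the only event that clears it can no longer succeed.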