Re: [RFC] relinquish_fs() syscall

From: Alan Cox
Date: Mon Nov 29 2004 - 11:21:49 EST

Next message: Service de messagerie: "Message incompatible avec le système de messagerie"
Previous message: Stephen Smalley: "Re: [2.6 patch] selinux: possible cleanups"
In reply to: Mitchell Blank Jr: "Re: [RFC] relinquish_fs() syscall"
Next in thread: Mitchell Blank Jr: "Re: [RFC] relinquish_fs() syscall"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Llu, 2004-11-29 at 13:55, Mitchell Blank Jr wrote:
> OK, good point, at least on i386/x86_64. So before jailing itself a task
> will have to take CAP_SYS_RAWIO out of its permitted set. That shouldn't
> be too bad of a restriction for most programs to live with.

> > Pardon. Its equally ineffectual. It might take someone a week longer to
> > write the exploit but an hour after that its no different.
>
> OK, could you please describe other attacks against it then?

With CAP_SYS_RAWIO I can ask the IDE controller to DMA into the kernel
as one example. Without it should be sane. However if you take away all
the capabilities then you don't need the other changes because mount
works just fine.

> > That doesn't do name lookup, character set translation, or time (and a
> > few other things).
>
> Alan - have you looked at privsep implementation in, say, opensshd. The
> way privsep works is that you have two processes communicating over a
> UNIX domain socket. One then jails itself and handles all the hairy
> untrusted data. The unjailed process handles requests from inside as
> needed. So if the program needs to do DNS lookups then your privsep
> protocol would include a primitive for doing that.

Yes I realise that but you also need to realise that glibc has a lot of
supporting baggage it likes to find if its going to function sanely. Yes
you can deal with it but SELinux can deal with it better.

> > > Imagine, for example, a jpeg decoder that after opening its input and
> > > output files called relinquish_fs(). Now if the decoder has a flaw and
> >
> > Imagine a jpeg decoder using an SELinux policy.
>
> SELinux is great but it's a pretty orthoginal issue. There's no reason the
> two can't coexist.

I don't see it as orthogonal except for the "done by user" aspect. "foo"
isnt allowed to open files or chdir is SELinux policy at work (or for
that matter the rather nice bitmap filtered syscall stuff Andrea was
talking about some time back).

BTW: you also have to deal with fchdir() and potentially AF_UNIX
sockets.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Service de messagerie: "Message incompatible avec le système de messagerie"
Previous message: Stephen Smalley: "Re: [2.6 patch] selinux: possible cleanups"
In reply to: Mitchell Blank Jr: "Re: [RFC] relinquish_fs() syscall"
Next in thread: Mitchell Blank Jr: "Re: [RFC] relinquish_fs() syscall"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]