Re: Security issues with local filesystem caching

From: Stephen Smalley
Date: Thu Oct 26 2006 - 13:45:45 EST

Next message: Inter filmati: "Re: cpufreq/powernowd limiting CPU frequency on kernels >=2.6.16"
Previous message: thunder7: "Re: cpufreq/powernowd limiting CPU frequency on kernels >=2.6.16"
In reply to: David Howells: "Re: Security issues with local filesystem caching"
Next in thread: David Howells: "Re: Security issues with local filesystem caching"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2006-10-26 at 18:09 +0100, David Howells wrote:
> > and prior to creating a file within the cache, it would set the current
> > fscreate attribute (via a security hook call) to that per-cache value, in
> > much the same way it is presently setting the fsuid/fsgid.
>
> That sounds reasonable. There has to be some way to revert it, though.

Yes, that can be done. See below.

> > The fscreate attribute is normally set via the security_setprocattr hook
> > (when a task writes to /proc/self/attr/fscreate);
>
> That makes it sound like fscreate is a per-process attribute, not a per-thread
> attribute. The former would definitely be a problem.

It is actually per-task (thread), sorry for the confusing reference
to /proc/self.

> > You may also want to convert the context value to a secid once when it is
> > first configured, and then later just pass the secid to the hook call for
> > setting the fscreate value for efficiency.
>
> I'm not sure what you mean by that. Can you give a pseudo-code example?

When the daemon writes the context value (a string) to the cachefiles
module interface for a given cache, the cachefiles module would do
something like the following:
/* Map the context to an integer. */
rc = security_secctx_to_secid(value, size, &secid);
if (rc)
goto err;
/* Check permission of current to set this context. */
rc = security_cache_set_context(secid);
if (rc)
goto err;
cache->secid = secid;
SELinux would then provide selinux_secctx_to_secid() and
selinux_cache_set_context() implementations; the former would just be
call to selinux_string_to_sid(), while the latter would require some new
permission check to be defined unless we can treat this as equivalent to
some existing operation. You'll find that there is already a
security_secid_to_secctx() hook defined for LSM, so the first hook just
adds the other direction.

Later, when going to create a file in that cache, the cachefiles module
would do something like:
/* Save and switch the fs secid for creation. */
fssecid = security_getfssecid();
security_setfssecid(cache->secid);
<create file>
/* Restore the original fs secid. */
security_setfssecid(fssecid);
SELinux would then provide selinux_getfsecid() and selinux_setfssecid()
implementations that are just:
u32 selinux_getfssecid(void)
{
struct task_security_struct *tsec = current->security;
return tsec->create_sid;
}
void selinux_setfssecid(u32 secid)
{
struct task_security_struct *tsec = current->security;
tsec->create_sid = secid;
}

--
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Inter filmati: "Re: cpufreq/powernowd limiting CPU frequency on kernels >=2.6.16"
Previous message: thunder7: "Re: cpufreq/powernowd limiting CPU frequency on kernels >=2.6.16"
In reply to: David Howells: "Re: Security issues with local filesystem caching"
Next in thread: David Howells: "Re: Security issues with local filesystem caching"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]