Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks

On Wed, 19 Apr 2006 11:32:56 PDT, Crispin Cowan said:

> AppArmor initially validates your access at open time, and there after
> you can read&write to it without mediation. AppArmor re-validates your
> access if policy is reloaded, you exec() a new program, you get passed
> the fd from another process, or you call our change_hat() API.
> 
> So, if the file is unlinked or renamed while you have it open, and
> policy says you don't have access to the new name, then:
> 
>     * within the same process you get to keep accessing it until
>           o policy is reloaded by the administrator
>           o you call the change_hat() API
>     * in some other process, either a child or some process you passed
>       an fd to, you don't get to access it because your access gets
>       revalidated

My brain is small, and my eyes glaze over easily... ;)

What happens for the following sequence:

a) Process A does   fd = open("/some/protected");
b) Somebody then does an unlink("/some/protected");
c) A then does a fork/exec, handing the exec'ed process B the open FD 
as its stdin.

What name do you use to re-validate B's access to the data described by
the inode that open file is referencing?

Note that although B can't get any access to the data that A didn't have,
it can still be used to bypass security, because B may be able to *copy* that
data to an area where A couldn't write (presumably because A is in a confined box).

This can be mitigated by saying "A can't fork/exec" - which may not work if
A in fact needs to exec things (webserver CGI comes to mind).  I don't see
any provision for saying "A can only exec B, C, and D and nothing else..."

Attachment: pgpV0ESpiy8sA.pgp
Description: PGP signature

---

• Follow-Ups:
  • Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
    • From: Tony Jones <[email protected]>

• References:
  • Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
    • From: Gerrit Huizenga <[email protected]>
  • Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
    • From: Karl MacMillan <[email protected]>
  • Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
    • From: Crispin Cowan <[email protected]>
  • Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
    • From: Arjan van de Ven <[email protected]>
  • Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
    • From: Crispin Cowan <[email protected]>

• Prev by Date: PATCH [3/3]: Provide generic backlight support in Toshiba ACPI driver
• Next by Date: Re: PATCH [1/3]: Provide generic backlight support in Asus ACPI driver
• Previous by thread: Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
• Next by thread: Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]