Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks

On Mon, 24 Apr 2006 10:14:34 +0200, Lars Marowsky-Bree said:
> On 2006-04-21T10:24:37, Stephen Smalley <[email protected]> wrote:
> 
> > > (With AppArmor, of course, you never lose labels at all, because there
> > > aren't any.)
> > But you do lose preservation of security properties, e.g. renaming a
> > file suddenly moves it under different protection.  Same end result.
> 
> This is not correct, as far as I understand. As the app can only rename
> if it has access to both the old and the new path.

People seem to have a blind spot for this sort of thing.  Given *two* processes,
one of which can be convinced to do a rename, and another that can be convinced
to write a file, you can subvert everything (quite possibly in opposite order -
if you can get process A to write /etc/foobar, and process B to rename foobar
to passwd, you've won).

Those who think that 2 processes can't be subverted should consider that symlink
attacks have been around for a quarter of a century - and in that time, it's
*always* been "one process to create the symlink, another to follow it to disaster".

Attachment: pgpCxRnVdTToA.pgp
Description: PGP signature
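
Added example, not part of the original message and not AppArmor or SELinux code: a toy model of the two-process scenario described above, in which process A may write /etc/foobar and process B may rename foobar to passwd. The rule tables, the label names `scratch_t` and `passwd_t`, and the `replace` permission are assumptions made up for the illustration.

```python
# Toy model, constructed for illustration: not AppArmor or SELinux code.
class Inode:
    def __init__(self, label, writer):
        self.label = label    # security label, stored on the object itself
        self.writer = writer  # domain whose data the object currently holds

def fresh_fs():
    return {"/etc/passwd": Inode("passwd_t", "root"),
            "/etc/foobar": Inode("scratch_t", "root")}

# Hypothetical path-based profiles: each domain looks harmless on its own.
PATH_RULES = {"A": {("write", "/etc/foobar")},
              "B": {("rename", "/etc/foobar"), ("rename", "/etc/passwd")}}
# Hypothetical label-based rules: permissions name object labels, not paths.
LABEL_RULES = {"A": {("write", "scratch_t")},
               "B": {("rename", "scratch_t")}}

def allowed(model, domain, op, path, inode):
    if model == "path":
        return (op, path) in PATH_RULES[domain]
    return inode is not None and (op, inode.label) in LABEL_RULES[domain]

def write(fs, model, domain, path):
    if not allowed(model, domain, "write", path, fs[path]):
        raise PermissionError(f"{domain} write {path}")
    fs[path].writer = domain

def rename(fs, model, domain, old, new):
    # Path model: access to both names is required, as the quoted reply says.
    # Label model: the moved object and any object being replaced are checked.
    checks = [("rename", old, fs[old])]
    if model == "path":
        checks.append(("rename", new, fs.get(new)))
    elif new in fs:
        checks.append(("replace", new, fs[new]))
    for op, path, inode in checks:
        if not allowed(model, domain, op, path, inode):
            raise PermissionError(f"{domain} {op} {path}")
    fs[new] = fs.pop(old)

def run(model):
    """A writes /etc/foobar, then B renames it to /etc/passwd."""
    fs = fresh_fs()
    try:
        write(fs, model, "A", "/etc/foobar")
        rename(fs, model, "B", "/etc/foobar", "/etc/passwd")
    except PermissionError as exc:
        return fs["/etc/passwd"].writer, str(exc)
    return fs["/etc/passwd"].writer, "all operations allowed"
```

`run("path")` ends with A's data under /etc/passwd even though every individual check passed; `run("label")` stops at the rename because the object being replaced carries a label B has no permission on.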

