Re: Pass struct vfsmount to the inode_create LSM hook

On May 26, 2007, at 10:44:46, Tetsuo Handa wrote:

Andreas Gruenbacher wrote:
Tetsuo Handa wrote:
Therefore, TOMOYO Linux checks the combination of filename andargv[0] passed to execve().
So you are indeed trying to control the value of argv[0]? Well,good luck with that, but it's totally insane. You are guaranteedto break some applications.
TOMOYO Linux ristricts argv[0] using allow_argv0 syntax."allow_argv0 /bin/bash -bash" to allow passing "/bin/bash" tofilename and "-bash" to argv[0]. "allow_argv0 /bin/gzip gunzip" toallow passing "/bin/gzip" to filename and "gunzip" to argv[0]."allow_argv0 /sbin/busybox cat" to allow passing "/sbin/busybox" tofilename and "cat" to argv[0]. No need to use allow_argv0 syntaxif the basename of filename and basename of argv[0] are the same(i.e. "allow_argv0 /bin/bash bash" is not required). TOMOYO Linuxdoesn't unconditionally forbid passing different values forfilename and argv[0]. TOMOYO Linux allows passing different valuesfor filename and argv[0] only if it is allowed by allow_argv0 syntax.
Could you please explain me why this approach breaks applications?

One of my servers runs 3 different instances of the "kadmind"Kerberos daemon, one for each realm which I need to be able to modify/change-passwords/etc. In order to differentiate and stop/restart theappropriate daemon, I have a simple starter script which runs eachkadmind process with a unique name derived from the realm (EG:"kadmind(EXAMPLE.COM)", "kadmind(OTHER.EXAMPLE.COM)"). Since this isa Kerberos server I use a very strict SELinux-based policy, yet mymanagement tools need to be able to easily add and remove realms in asecure fashion. It sounds like TOMOYO Linux would not be able tohandle this situation at all; I would either have to completely turnoff that security "feature" and lose most of the functionality ofTOMOYO Linux, or hard-code the list of realms into the policy fileand have to completely reload policy every time I need to add/removerealms (big gaping security hole).


Cheers,
Kyle Moffett



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

References:
- Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
  - From: Casey Schaufler <[email protected]>
- Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
  - From: Andreas Gruenbacher <[email protected]>
- Re: Pass struct vfsmount to the inode_create LSM hook
  - From: Tetsuo Handa <[email protected]>
- Re: Pass struct vfsmount to the inode_create LSM hook
  - From: Andreas Gruenbacher <[email protected]>
- Re: Pass struct vfsmount to the inode_create LSM hook
  - From: Tetsuo Handa <[email protected]>

Prev by Date: Re: [PATCH] MIPS: Transform old-style macros to newer "__noreturn" standard.
Next by Date: Re: [BUG] Warning in mm/slab.c:777
Previous by thread: Re: Pass struct vfsmount to the inode_create LSM hook
Next by thread: Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]