Re: Pass struct vfsmount to the inode_create LSM hook

On May 26, 2007, at 10:44:46, Tetsuo Handa wrote:

Andreas Gruenbacher wrote:

Tetsuo Handa wrote:

Therefore, TOMOYO Linux checks the combination of filename and argv[0] passed to execve().

So you are indeed trying to control the value of argv[0]? Well, good luck with that, but it's totally insane. You are guaranteed to break some applications.

TOMOYO Linux ristricts argv[0] using allow_argv0 syntax. "allow_argv0 /bin/bash -bash" to allow passing "/bin/bash" to filename and "-bash" to argv[0]. "allow_argv0 /bin/gzip gunzip" to allow passing "/bin/gzip" to filename and "gunzip" to argv[0]. "allow_argv0 /sbin/busybox cat" to allow passing "/sbin/busybox" to filename and "cat" to argv[0]. No need to use allow_argv0 syntax if the basename of filename and basename of argv[0] are the same (i.e. "allow_argv0 /bin/bash bash" is not required). TOMOYO Linux doesn't unconditionally forbid passing different values for filename and argv[0]. TOMOYO Linux allows passing different values for filename and argv[0] only if it is allowed by allow_argv0 syntax.

Could you please explain me why this approach breaks applications?

One of my servers runs 3 different instances of the "kadmind" Kerberos daemon, one for each realm which I need to be able to modify/ change-passwords/etc. In order to differentiate and stop/restart the appropriate daemon, I have a simple starter script which runs each kadmind process with a unique name derived from the realm (EG: "kadmind(EXAMPLE.COM)", "kadmind(OTHER.EXAMPLE.COM)"). Since this is a Kerberos server I use a very strict SELinux-based policy, yet my management tools need to be able to easily add and remove realms in a secure fashion. It sounds like TOMOYO Linux would not be able to handle this situation at all; I would either have to completely turn off that security "feature" and lose most of the functionality of TOMOYO Linux, or hard-code the list of realms into the policy file and have to completely reload policy every time I need to add/remove realms (big gaping security hole).

Cheers,
Kyle Moffett



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• References:
  • Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
    • From: Casey Schaufler <[email protected]>
  • Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
    • From: Andreas Gruenbacher <[email protected]>
  • Re: Pass struct vfsmount to the inode_create LSM hook
    • From: Tetsuo Handa <[email protected]>
  • Re: Pass struct vfsmount to the inode_create LSM hook
    • From: Andreas Gruenbacher <[email protected]>
  • Re: Pass struct vfsmount to the inode_create LSM hook
    • From: Tetsuo Handa <[email protected]>

• Prev by Date: Re: [PATCH] MIPS: Transform old-style macros to newer "__noreturn" standard.
• Next by Date: Re: [BUG] Warning in mm/slab.c:777
• Previous by thread: Re: Pass struct vfsmount to the inode_create LSM hook
• Next by thread: Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]