Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
From: Valdis . Kletnieks
Date: Mon Apr 24 2006 - 20:21:02 EST
On Mon, 24 Apr 2006 10:14:34 +0200, Lars Marowsky-Bree said:
> On 2006-04-21T10:24:37, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > > (With AppArmor, of course, you never lose labels at all, because there
> > > aren't any.)
> > But you do lose preservation of security properties, e.g. renaming a
> > file suddenly moves it under different protection. Same end result.
> This is not correct, as far as I understand. As the app can only rename
> in it has access to both the old and the new path.
People seem to have a blind spot for this sort of thing. Given *two* processes,
one of which can be convinced to do a rename, and another that can be convinced
to write a file, you can subvert everything (quite possibly in opposite order -
if you can get process A to write /etc/foobar, and process B to rename foobar
to passwd, you've won).
Those who think that 2 processes can't be subverted should consider that symlink
attacks have been around for a quarter of a century - and in that time, it's
*always* been "one process to create the symlink, another to follow it to disaster".
Description: PGP signature