Re: [Umbrella-devel] Re: Getting full path from dentry in LSM hooks

[Kristian Sørensen]

Christoph Hellwig wrote:
> On Fri, Sep 03, 2004 at 09:54:23PM +0200, Kristian Sørensen wrote:
>
> > > > We are working on a project called Umbrella, (umbrella.sf.net) which 
> > > > implements processbased mandatory accesscontrol in the Linux kernel. 
> > > > This access control is controlled by "restriction", e.g. by restricting 
> > > > some process from accessing any given file or directory.
> > > >
> > > > E.g. if a root owned process is restricted from accessing /var/www, and 
> > > > the process is compromised by an attacker, no mater what he does, he 
> > > > would not be able to access this directory.
> > >
> > >
> > > mount --bind /var/www /home/joe/p0rn/, and then?
> >
> > Actually this "attack" is avoided, because restrictions are enherited, 
> > from parent proces to its children.
>
>
> If you restrict your process on the path /var/ww/ but the same objects
> are also available below a different path, what does that have to do with
> child processes?
Well nothing :-) The point was, that links and mount bindings are 
handled, and if the parent is restricted from accessing a file, the 
child is too.

KS.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/