Re: [patch] update: _working_ code to add device+inode check to ipt_owner.c

From: Chris Wright
Date: Thu Sep 09 2004 - 19:24:29 EST


* Luke Kenneth Casson Leighton (lkcl@xxxxxxxx) wrote:
> i am not so worried about this scenario _because_:
>
> under an selinux system, you would set up a policy which only
> allowed the good_proc to exec other_good_procs (with the
> macro can_exec(good_proc, { other_good_proc1, other_good_proc2 })

OK, good. Although, this does not help xinetd, so we're still trusting
that code.

> consequently, you'd design your firewall rules (in conjunction with
> your selinux policy) to add _two_ dev+inode-program-enabled firewall rules
> to cover the same socket, e.g. apache2 (good_proc) and some cgi script
> helper (other_good_proc) - one for each program:
>
> iptables -A INPUT -m tcp --dport=80 -m program --exe=/usr/bin/apache2 -j ACCEPT
>
> and:
>
> iptables -A INPUT -m tcp --dport=80 -m program --exe=/usr/cgi-bin/blahblah -j ACCEPT

Isn't this likely to be in modcgi/modperl/etc instead of fork/exec'd?
This is one specific example (which SELinux doesn't support, so it's
moot there) where changing security domains during execution would
confuse these rules. E.g. reducing to a more restrictive domain while
executing cgi-scripts.

> > > so it's a socket: let's take an example - and i'm assuming for now
> > > that things like passing file descriptors over unix-domain-sockets
> > > between processes just ... doesn't happen, okay? :)
> >
> > These do happen, which is part of the problem ;-)
>
> i would not consider this to be a problem [in an environment where
> you specify DENY as the default and ALLOW specific instances]
>
> under such circumstances [file descs passed between programs]...
> you would end up having to create _two_ program-specific rules, like
> above.
>
> one for each of the two programs.

Actually you wouldn't, just one. It will match, then one of those
processes will get woken up and receive the data, regardless of whether
you meant to allow it. So, having some security layer involved in mediating
file desc passing clearly helps. The point remains: any match will deliver
data to the socket. However, if the socket is shared, it could be a different
process picking up data off of the socket.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
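As an added example (not code from this thread, from ipt_owner.c, or from the dev+inode patch under discussion), here is a small C program that reproduces the shared-socket case Chris describes. The parent binds a UDP socket on 127.0.0.1, passes a copy of it to a child with SCM_RIGHTS over an AF_UNIX socketpair, and then four datagrams are sent at that socket; the child reads two and the parent drains the remaining two. Everything that arrives hits one socket, and which process actually reads each datagram is settled afterwards by who calls recv() first. The function names, the datagram counts (NDGRAMS, CHILD_TAKES) and the use of an ephemeral loopback port are this example's own assumptions.

```c
/* Added example (not from the thread): one UDP socket, two processes.
 * The parent creates and binds the socket, passes a copy to a child with
 * SCM_RIGHTS, then NDGRAMS datagrams are sent to it. Each process drains
 * some of them: the socket, not a process, is what the packets are matched
 * against. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

#define NDGRAMS     4   /* assumption: datagrams sent to the shared socket */
#define CHILD_TAKES 2   /* assumption: how many the child reads before stopping */

/* Send descriptor fd over the AF_UNIX stream socket chan (SCM_RIGHTS). */
static int send_fd(int chan, int fd)
{
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c;

    memset(&u, 0, sizeof u);
    c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor from chan; returns the new fd or -1. */
static int recv_fd(int chan)
{
    char byte;
    int fd;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c;

    if (recvmsg(chan, &msg, 0) != 1)
        return -1;
    c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Runs the experiment and reports how many datagrams each process read.
 * Returns 0 on success, -1 on a setup failure. */
int demo_shared_socket(int *child_got, int *parent_got)
{
    int ctl[2], shared, sender, n = 0, i, status;
    struct sockaddr_in addr = { .sin_family = AF_INET,
                                .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t alen = sizeof addr;   /* sin_port 0: kernel picks a free port */
    char buf[64], c;
    pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, ctl) < 0)
        return -1;
    shared = socket(AF_INET, SOCK_DGRAM, 0);
    if (shared < 0 || bind(shared, (struct sockaddr *)&addr, alen) < 0 ||
        getsockname(shared, (struct sockaddr *)&addr, &alen) < 0)
        return -1;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                 /* child: uses only the passed copy */
        int fd;
        close(ctl[0]);
        close(shared);              /* drop the inherited copy on purpose */
        fd = recv_fd(ctl[1]);
        if (fd < 0)
            _exit(1);
        while (n < CHILD_TAKES && recv(fd, buf, sizeof buf, 0) > 0)
            n++;
        c = (char)n;
        _exit(write(ctl[1], &c, 1) == 1 ? 0 : 1);
    }
    close(ctl[1]);
    if (send_fd(ctl[0], shared) < 0)
        return -1;

    /* A third party sends NDGRAMS packets at the shared socket; they queue
     * on the socket no matter which process will read them. */
    sender = socket(AF_INET, SOCK_DGRAM, 0);
    for (i = 0; i < NDGRAMS; i++) {
        int len = snprintf(buf, sizeof buf, "datagram %d", i);
        if (sendto(sender, buf, len, 0, (struct sockaddr *)&addr, alen) != len)
            return -1;
    }
    close(sender);

    /* Wait for the child's count, then drain whatever it left behind. */
    if (read(ctl[0], &c, 1) != 1)
        return -1;
    *child_got = c;
    while (recv(shared, buf, sizeof buf, MSG_DONTWAIT) > 0)
        n++;
    *parent_got = n;
    waitpid(pid, &status, 0);
    close(shared);
    close(ctl[0]);
    return 0;
}

/* 1 when the datagrams split CHILD_TAKES / (NDGRAMS - CHILD_TAKES), else 0. */
int demo_split_as_expected(void)
{
    int c = 0, p = 0;
    if (demo_shared_socket(&c, &p) < 0)
        return 0;
    return c == CHILD_TAKES && p == NDGRAMS - CHILD_TAKES;
}

int main(void)
{
    int c = 0, p = 0;
    if (demo_shared_socket(&c, &p) < 0) {
        perror("demo_shared_socket");
        return 1;
    }
    printf("child read %d datagram(s), parent read %d\n", c, p);
    return 0;
}
```

The child deliberately closes the descriptor it inherited across fork() and works only with the one handed to it via SCM_RIGHTS, so the sharing here comes purely from descriptor passing, the case the thread says "does happen". The order of reads is forced (child first, then parent) only so the result is repeatable; with both processes blocked in recv() at once, the kernel would wake whichever it chose, and no per-packet match could tell which that would be.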