Re: [PATCH 4/6] Add dynamic context transition support to SELinux

From: Chris Wright
Date: Thu Dec 02 2004 - 15:14:55 EST


* Stephen Smalley (sds@xxxxxxxxxxxxxx) wrote:
> On Thu, 2004-12-02 at 14:18, Chris Wright wrote:
> > No, I was thinking of actually tracking the threads, since you know when
> > they come and go. One way would be to share task_security_struct via
> > refcnt for threads, although this could get sticky.
>
> Hmm...that would be a significant change, and I'm not clear that the
> existing security_task_alloc() hook even allows for it (no clone_flags
> passed to it). ptrace_sid could also be an issue for sharing.

True, guess that's filed under "sticky" ;-)

> Note that the mm checking logic is already after one permission check
> (setcurrent), which will only be allowed to the small set of privileged
> processes that use this feature. That acts as the gatekeeper for any
> use of this feature, then the dyntransition check controls the possible
> transitions among security contexts using this feature. In the case of
> exec-based transitions, the corresponding transition check is deferred
> until the actual exec processing. So even as it stands, arbitrary
> processes aren't allowed to reach the code in question, which is better
> than the [gs]etpriority cases.

OK, I misread that any threaded app could write to /proc/self/attr/current
and trigger that loop, only to fail the avc lookup. Yes, now I see the
PROCESS__SETCURRENT test, thanks.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/