Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks

From: Valdis . Kletnieks
Date: Mon Apr 24 2006 - 20:21:02 EST

Next message: Chandra Seetharaman: "Re: Linux 2.6.17-rc2 - notifier chain problem?"
Previous message: Jeff Chua: "Re: sata suspend resume ... (fwd)"
In reply to: Lars Marowsky-Bree: "Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks"
Next in thread: Nix: "Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 24 Apr 2006 10:14:34 +0200, Lars Marowsky-Bree said:
> On 2006-04-21T10:24:37, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> > > (With AppArmor, of course, you never lose labels at all, because there
> > > aren't any.)
> > But you do lose preservation of security properties, e.g. renaming a
> > file suddenly moves it under different protection. Same end result.
>
> This is not correct, as far as I understand. As the app can only rename
> in it has access to both the old and the new path.

People seem to have a blind spot for this sort of thing. Given *two* processes,
one of which can be convinced to do a rename, and another that can be convinced
to write a file, you can subvert everything (quite possibly in opposite order -
if you can get process A to write /etc/foobar, and process B to rename foobar
to passwd, you've won).

Those who think that 2 processes can't be subverted should consider that symlink
attacks have been around for a quarter of a century - and in that time, it's
*always* been "one process to create the symlink, another to follow it to disaster".

Attachment: pgp00000.pgp
Description: PGP signature

Next message: Chandra Seetharaman: "Re: Linux 2.6.17-rc2 - notifier chain problem?"
Previous message: Jeff Chua: "Re: sata suspend resume ... (fwd)"
In reply to: Lars Marowsky-Bree: "Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks"
Next in thread: Nix: "Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]