On Sun, Jan 15, 2012 at 12:16 PM, Casey Schaufler
<casey@xxxxxxxxxxxxxxxx> wrote:
On 1/14/2012 12:22 PM, Linus Torvalds wrote:Can you think of *any* plausible attack that is possible with my patchAnd yes, I really seriously do believe that is both safer and simpler
than some model that says "you can drop stuff", and then you have to
start making up rules for what "dropping" means.
Does "dropping" mean allowing setuid(geteuid()) for example? That *is*
dropping the uid in a _POSIX_SAVED_IDS environment. And I'm saying
that no, we should not even allow that. It's simply all too "subtle".
I am casting my two cents worth behind Linus. Dropping
privilege can be every bit as dangerous as granting privilege
in the real world of atrocious user land code. Especially in
the case of security policy enforcing user land code.
(i.e. no_new_privs allows setuid, setresuid, and capset) that would be
prevented or even mitigated if I blocked those syscalls? I can't.
(The sendmail-style attack is impossible with no_new_privs.)
Also, how would you even block setuid(2) in a non-confusing manner?
The semantics and error returns are already such a disaster than it's
barely worth it for anything to check the return value.
This even more important in environments that support fineMy patch does not (barring bugs) allow selinux domain transitions. I
granularity of privilege, including capabilities and SELinux.
Under SELinux a domain transition can increase, decrease or
completely change a process' access rights and there is really
no way for the kernel to tell which it is because that's all
encoded in the arbitrary SELinux policy. Smack does not try
to maintain a notion of hierarchy of privilege, so the notion
of any change being equivalent to any other is in line with
the Smack philosophy.
certainly think that all security transitions that vary across
distributions should be blocked by no_new_privs.
--Andy