Upstream first policy
in [Kernel]
|
Prev: fork problem in multithreaded process -- segmentation fault seen
Next: [PATCH 2/2 V3] io-controller: Document for blkio.weight_device
From: Alan Cox on 8 Mar 2010 15:30 > That's the point. Just admit that, and then let the calm of "Ooh, there > are different kinds of circumstances that may want different kinds of > rules" permeate you. man restorecond I don't think the SELinux folks would or could deny that case existed... Alan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Chris Adams on 8 Mar 2010 16:30 Once upon a time, Alan Cox <alan(a)lxorguk.ukuu.org.uk> said: >Its path based in the sense that public_html has a path based meaning by >convention understood by httpd. Copy a jpeg into your public_html and it >will be labelled up for http access under the Fedora shipped rule sets. I'm pretty sure the "copy into a directory" only gets the correct label by inheritance from the parent directory. "mkdir public_html" only gets the correct label by running the restorecond daemon, which is really kind of a hack. You have a user-space daemon that watches for creation of specific things with inotify, and resets their label when a match is found. It doesn't scale up to many rules, certainly not the full SELinux list. -- Chris Adams <cmadams(a)hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Ulrich Drepper on 8 Mar 2010 17:20 On Mon, Mar 8, 2010 at 10:08, Linus Torvalds <torvalds(a)linux-foundation.org> wrote: > Notice how it's really fundamentally about the pathname? When you create a > new file and overwrite /etc/passwd with that file, the security rules > really do _not_ come from your newly created inode, they come from the > fact that you made the path "/etc/passwd" point to that inode. This is not a fundamental problem. It's rather a detail of the current policies and legacy apps. I think I would like to see /etc/passwd to also get a file type like /etc/shadow. This is I think today not done because of the work involved and the perceived lower severity because passwords are in /etc/shadow. So let's talk about /etc/shadow. If somehow the file is removed and somebody creates a new file that file won't automatically get the right label. This means that code reading the file then could be prevented from doing this with appropriate policy rules. Here the filename is not sufficient for access. You also need the label and that you won't get without subverting the system. With filename based mechanisms this isn't the case: once the file is compromised the attack succeeded. Yes, the current situation isn't optimal. We have to make the policies more complicated and we have to get rid of restorecond (at least for most cases). But there is no fundamental problem with labels while filename-based mechanisms provide no security improvement. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Eric W. Biederman on 8 Mar 2010 18:10 Linus Torvalds <torvalds(a)linux-foundation.org> writes: > On Mon, 8 Mar 2010, Alan Cox wrote: >> >> Quite untrue. I've actually *used* path based security systems (DEC10 >> ACLs) and for almost every case its brain-dead. >> >> Imagine a world where this happened > > Alan, stop right there. > > You're making the same silly and incorrect mistake that Al did. > > Namely thinking that you have to have just one or the other. > > When you say "your /etc/passwd example is a special case", you are > admitting that there are two different cases, but then after that, you > still don't see the whole point I'm trying to make. > > Let me try again: > > THERE ARE DIFFERENT CASES > > That's the point. Just admit that, and then let the calm of "Ooh, there > are different kinds of circumstances that may want different kinds of > rules" permeate you. > > My whole (and only) argument is against the "only one way is correct" > mentality. Reading through all of this it occurred to me there is a case where path names are fundamentally important shows up for me all of the time. If pathnames were not fundamentally important we could apply a patch like the one below and allow unprivileged users to unshare the mount namespace and mount filesystems wherever. There is nothing fundamental about those operations that require root privileges except that you are manipulating the pathnames of objects. Unfortunately if we did that suid executables would become impossible because they couldn't trust anything to start with. Even little things like /lib64/ld-linux-x86-64.so are very special things that you can't let just anyone change. Eric diff --git a/fs/namespace.c b/fs/namespace.c index d69c06f..85ba785 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1650,10 +1650,6 @@ static int do_new_mount(struct path *path, char *type, int flags, if (!type) return -EINVAL; - /* we need capabilities... */ - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; - lock_kernel(); mnt = do_kern_mount(type, flags, name, data); unlock_kernel(); diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c index 1e8cda0..00fd7c5 100644 --- a/kernel/nsproxy.c +++ b/kernel/nsproxy.c @@ -180,9 +180,6 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags, CLONE_NEWNET | CLONE_NEWPID))) return 0; - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; - *new_nsp = create_new_namespaces(unshare_flags, current, new_fs ? new_fs : current->fs); if (IS_ERR(*new_nsp)) { -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Rik van Riel on 8 Mar 2010 18:20
On 03/08/2010 01:08 PM, Linus Torvalds wrote: > Things like "/etc/passwd" really are about the _pathname_, not the inode. > It really is the _path_ that is special, because that is fundamentally the > thing you trust. On the other hand, '/etc/shadow' has the opposite constraint, where the system will not trust most of the applications with the data from that file. Using label security to protect the contents makes sense there. Your example appears to be about "can the application trust the data?", while the label based security solves "can the application be trusted with the data?" These are two different things. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |