MAC system can prevent hijacked processes from changing anything badly in /dev .
But MAC system can't prevent hijacked processes from doing
"mv /dev/hda1 /dev/hda1.tmp; mv /dev/hda2 /dev/hda1; mv /dev/hda1.tmp /dev/hda2"
if permissions to rename device nodes in /dev are given to hijacked processes.
This is because MAC implementation doesn't check filename/attribute pairs.
But this filesystem can prevent hijacked processes from doing
"mv /dev/hda1 /dev/hda1.tmp; mv /dev/hda2 /dev/hda1; mv /dev/hda1.tmp /dev/hda2"
even if permissions to rename device nodes in /dev are given to hijacked processes.
This filesystem is not designed to
"forbid modifying nodes if that process needn't to modify nodes".
This filesystem is designed to
"forbid breaking filename/attribute pairs of nodes
even if that process need to (or permitted to) modify nodes".
You can use "nodev" mount option to prevent attackers from opening device files.
You can use MAC system to prevent attackers from mounting partitions (other than
/dev partition) without "nodev" option.
I think the reason why MAC system doesn't handle filename/attributes pairs is that:
Filename and its attributes pairs are conventionally considered as
constant and reliable.
It makes the MAC's policy syntax complicated to describe this attribute
enforcement information in MAC's policy.
Thus, this should be a global check. But usually device nodes are only in /dev .
This filesystem is doing what MAC system is not doing.
So, please don't complain about inability of this filesystem to close all attacks.
You can use MAC system to prevent attackers from mounting other filesystem
over this filesystem.
The filename/attribute pairs are something like system call entry tables.
The application will go wrong if __NR_read is mapped to sys_write() and
__NR_write is mapped to sys_read().
Userland applications access special functionalities (e.g. /dev/zero and /dev/random)
by name (i.e. syscall numbers). Therefore, keeping the filename/attribute pairs
tamper-proof is important.
You recognize that there is a threat that device nodes may have irregular
attribute (e.g. /dev/null existing as a regular file), do you?
You don't deny implementing mechanisms somehow to avoid such threat, do you?
OK. Then the matter is the comparison of code efficiency.
This patch is less than 1100 lines in total.
Large part of this patch is for parsing and managing policy file.
If you try to extend every MAC implementation (SELinux, SMACK, AppArmor, TOMOYO)
so that they can handle filename/attributes pairs (i.e. expand policy file's syntax
and both in-kernel and userland data structures, manage strings with variant length
and non-printable characters etc.), I think that modification exceeds this patch.
I think guaranteeing filename/attribute pairs in filesystem layer can keep
MAC system implementation simple and compact.
http://www.mail-archive.com/linux-fsdevel@vger.kernel.org/msg10653.html
Thank you.
-
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
