Re: [PATCH] sysctl selinux: Don't look at table->de

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Stephen Smalley

Subject: Re: [PATCH] sysctl selinux: Don't look at table->de

Date: Monday, January 29, 2007 - 11:43 am

On Mon, 2007-01-29 at 10:43 -0700, Eric W. Biederman wrote:
quoted text> Stephen Smalley <sds@tycho.nsa.gov> writes:
> 
> > On Sun, 2007-01-28 at 12:21 -0700, Eric W. Biederman wrote:
> >> With the sysctl cleanups sysctl is not really a part of proc
> >> it just shows up there, and any path based approach will not
> >> adequately describe the data as sysctl is essentially a
> >> union mount underneath the covers.  As designed this mechanism
> >> is viewer dependent so trying to be path based gets even worse.
> >> 
> >> However the permissions in sys_sysctl are currently immutable
> >> and going through proc does not change the permission checks
> >> when accessing sysctl.  So we might as well stick with the well
> >> defined sysctl sid, as that is what selinux uses when proc is
> >> not compiled in.
> >> 
> >> I.e.  I see no hope for salvaging the selinux_proc_get_sid call
> >> in selinux_sysctl so I'm removing it.
> >> 
> >> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
> >> ---
> >>  security/selinux/hooks.c |    8 ++------
> >>  1 files changed, 2 insertions(+), 6 deletions(-)
> >> 
> >> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> >> index 7b38372..3a36057 100644
> >> --- a/security/selinux/hooks.c
> >> +++ b/security/selinux/hooks.c
> >> @@ -1438,12 +1438,8 @@ static int selinux_sysctl(ctl_table *table, int op)
> >>  
> >>  	tsec = current->security;
> >>  
> >> -	rc = selinux_proc_get_sid(table->de, (op == 001) ?
> >> -	                          SECCLASS_DIR : SECCLASS_FILE, &tsid);
> >> -	if (rc) {
> >> -		/* Default to the well-defined sysctl SID. */
> >> -		tsid = SECINITSID_SYSCTL;
> >> -	}
> >> +	/* Use the well-defined sysctl SID. */
> >> +	tsid = SECINITSID_SYSCTL;
> >>  
> >>  	/* The op values are "defined" in sysctl.c, thereby creating
> >>  	 * a bad coupling between this module and sysctl.c */
> >
> > NAK.  Mapping all sysctls to a single security label prevents any kind
> > of fine-grained security on sysctls, and current policies already make
> > use of the current distinctions to limit access to particular sets of
> > sysctls to particular processes.  As is, I'd expect breakage of current
> > systems running SELinux from this patch, because (confined) processes
> > that formerly only required access to specific sysctl labels will
> > suddenly run into denials on the generic fallback label.
> 
> Reasonable.  There is the issue that your code already had this code
> path for when /proc was compiled out.

True, but a system that disables proc is likely a system with a custom
policy anyway, and dependency on proc is fairly basic to selinux these
days (due to reliance on /proc/self/attr for process attribute
manipulation in place of the old selinux syscalls).  Possibly we should
just make selinux depend on proc and drop the #ifdef there.

quoted text> > If the ctl_table supplied more information about the functional purpose
> > and the security sensitivity of the sysctl, then we could leverage that
> > information instead, as long as we can at least derive the current
> > labelings from that information for compatibility.
> 
> What do information do you need to do need?  Do you need extra fields in sysctl?
> I am more than willing to help but I am not familiar enough with selinux
> to do a reasonable job on my own.

At present, we map the sysctls into functional groups (e.g. net, vm,
fs, ...) that parallel the sysctl hierarchy so that we can limit access
to only those programs/processes that need access for their purpose, and
further partition where it makes sense to do so.  We also separate out
particularly security sensitive ones like modprobe and hotplug.  So if
the ctl_table carried some indication of functional grouping and
security relevance (for some relatively small number of equivalence
classes), then we could map those to labels instead of the current
scheme.  And if we could have the ctl_table inherit the information from
its logical "parent" in the hierarchy by default, then it shouldn't
require too invasive a patch.

-- 
Stephen Smalley
National Security Agency

-
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[PATCH] sysctl selinux: Don't look at table->de, Eric W. Biederman, (Sun Jan 28, 12:21 pm)

Re: [PATCH] sysctl selinux: Don't look at table->de, Stephen Smalley, (Mon Jan 29, 6:04 am)

Re: [PATCH] sysctl selinux: Don't look at table->de, James Morris, (Mon Jan 29, 8:23 am)

Re: [PATCH] sysctl selinux: Don't look at table->de, Eric W. Biederman, (Mon Jan 29, 10:43 am)

Re: [PATCH] sysctl selinux: Don't look at table->de, Eric W. Biederman, (Mon Jan 29, 10:55 am)

Re: [PATCH] sysctl selinux: Don't look at table->de, Stephen Smalley, (Mon Jan 29, 11:43 am)

Re: [PATCH] sysctl selinux: Don't look at table->de, Casey Schaufler, (Mon Jan 29, 12:08 pm)

Re: [PATCH] sysctl selinux: Don't look at table->de, Eric W. Biederman, (Mon Jan 29, 12:16 pm)

Re: [PATCH] sysctl selinux: Don't look at table->de, Stephen Smalley, (Mon Jan 29, 12:26 pm)

Re: [PATCH] sysctl selinux: Don't look at table->de, Stephen Smalley, (Mon Jan 29, 1:07 pm)

Re: [PATCH] sysctl selinux: Don't look at table->de, Russell Coker, (Mon Jan 29, 4:28 pm)

Re: [PATCH] sysctl selinux: Don't look at table->de, Christoph Hellwig, (Tue Jan 30, 3:25 am)

Re: [PATCH] sysctl selinux: Don't look at table->de, Casey Schaufler, (Tue Jan 30, 10:19 am)

[PATCH 1/2] sysctl: Add a parent entry to ctl_table and se ..., Eric W. Biederman, (Tue Feb 6, 2:16 pm)

[PATCH 2/2] sysctl: Restore the selinux path based label l ..., Eric W. Biederman, (Tue Feb 6, 2:21 pm)

Re: [PATCH 2/2] sysctl: Restore the selinux path based lab ..., Stephen Smalley, (Wed Feb 7, 11:24 am)

Re: [PATCH 2/2] sysctl: Restore the selinux path based lab ..., Stephen Smalley, (Wed Feb 7, 2:12 pm)

Re: [PATCH 2/2] sysctl: Restore the selinux path based lab ..., Stephen Smalley, (Wed Feb 7, 2:54 pm)

Re: [PATCH 2/2] sysctl: Restore the selinux path based lab ..., Eric W. Biederman, (Wed Feb 7, 3:21 pm)

Re: [PATCH 2/2] sysctl: Restore the selinux path based lab ..., Eric W. Biederman, (Wed Feb 7, 6:57 pm)

Re: [PATCH 2/2] sysctl: Restore the selinux path based lab ..., Stephen Smalley, (Thu Feb 8, 8:01 am)

Re: [PATCH 2/2] sysctl: Restore the selinux path based lab ..., Stephen Smalley, (Thu Feb 8, 8:07 am)

Re: [PATCH 2/2] sysctl: Restore the selinux path based lab ..., Eric W. Biederman, (Thu Feb 8, 10:53 am)

Re: [PATCH 2/2] sysctl: Restore the selinux path based lab ..., Stephen Smalley, (Thu Feb 8, 11:13 am)

Re: [PATCH 2/2] sysctl: Restore the selinux path based lab ..., Eric W. Biederman, (Thu Feb 8, 3:17 pm)

[PATCH 0/5] sysctl cleanup selinux fixes, Eric W. Biederman, (Thu Feb 8, 3:51 pm)

[PATCH 1/5] sysctl: Remove declaration of nonexistent sys ..., Eric W. Biederman, (Thu Feb 8, 3:53 pm)

[PATCH 2/5] sysctl: Set the parent field in the root sysct ..., Eric W. Biederman, (Thu Feb 8, 3:54 pm)

[PATCH 3/5] sysctl: Fix the selinux_sysctl_get_sid, Eric W. Biederman, (Thu Feb 8, 3:55 pm)

[PATCH 4/5] selinux: Enhance selinux to always ignore priv ..., Eric W. Biederman, (Thu Feb 8, 4:02 pm)

[PATCH 5/5] sysctl: Hide the sysctl proc inodes from selinux., Eric W. Biederman, (Thu Feb 8, 4:04 pm)

Re: [PATCH 0/5] sysctl cleanup selinux fixes, Andrew Morton, (Fri Feb 9, 4:05 am)

Re: [PATCH 3/5] sysctl: Fix the selinux_sysctl_get_sid, Stephen Smalley, (Fri Feb 9, 5:24 am)

Re: [PATCH 4/5] selinux: Enhance selinux to always ignore ..., Stephen Smalley, (Fri Feb 9, 5:26 am)

Re: [PATCH 0/5] sysctl cleanup selinux fixes, Eric W. Biederman, (Fri Feb 9, 11:09 am)


linux-kernel:
Mel Gorman	Re: [PATCH 1/4] vmstat: remove zone->lock from walk_zones_in_node
Guenter Roeck	Re: [lm-sensors] Location for thermal drivers
David Woodhouse	Re: RFC: Moving firmware blobs out of the kernel.
Siddha, Suresh B	Re: [PATCH 2.6.21 review I] [11/25] x86: default to physical mode on hotplug CPU k...
Peter Zijlstra	Re: [patch 4/6] mm: merge populate and nopage into fault (fixes nonlinear)
git-commits-head:
Linux Kernel Mailing List	[MIPS] Fix potential latency problem due to non-atomic cpu_wait.
Linux Kernel Mailing List	USB: rename USB_SPEED_VARIABLE to USB_SPEED_WIRELESS
Linux Kernel Mailing List	lib/vsprintf.c: fix bug omitting minus sign of numbers (module_param)
Linux Kernel Mailing List	[Bluetooth] Initiate authentication during connection establishment
Linux Kernel Mailing List	[POWERPC] 4xx: Add ppc40x_defconfig
linux-netdev:
MERCEDES	Your mail id has won 950,000.00 in the MERCEDES Benz Online Promo.for claims send:
David Miller	Re: [PATCH] xen/netfront: do not mark packets of length < MSS as GSO
David Miller	Re: skb_segment() questions
Shan Wei	[RFC PATCH net-next 2/5]IPv6:netfilter: Send an ICMPv6 "Fragment Reassembly Timeou...
Stanislaw Gruszka	[PATCH 1/4] bnx2x: use smp_mb() to keep ordering of read write operations
git:
Nicolas Sebrecht	git-svn died of signal 11 (was "3 failures on test t9100 (svn)")
Junio C Hamano	Re: [PATCH 2/2] Add url.<base>.pushInsteadOf: URL rewriting for push only
Martin Langhoff	Re: [PATCH] GIT commit statistics.
Alexandre Julliard	[PATCH] gitweb: Put back shortlog instead of graphiclog in the project list.
Josh Triplett	[PATCH 2/2] Add url.<base>.pushInsteadOf: URL rewriting for push only
openbsd-misc:
Taisto Qvist XX	Re: AMD GEODE LX-800 just works with kernel from install42.iso and kernelpanics wi...
Nico Meijer	Re: gOS Develop Kit with VIA pc-1 Processor Platform VIA C7-D
Andreas Bihlmaier	Re: jetway board sensors (Fintek F71805F)
admin	Drive a 2009 car from R799p/m
Antti Harri	Re: how to create a sha256 hash