David Wagner wrote:
> Crispin Cowan wrote:
> >On the "needs a new system call" issue: what do people think of proposing
> >that a block of syscall numbers be allocated to LSM?
>
> Good question. Well, I must admit my first reaction is to be skeptical.
> First question: What is it needed for?

SubDomain adds only one system call, but it needs to be fast. We use it for fine-grained security context switching (man page for change_hat attached). This allows small security domains to be associated with sub-components of a monolithic UNIX process. The canonical example is to have a PERL script being interpreted by mod_perl within an Apache process run with different permissions than the Apache process itself. So if Apache wants to execute foo.pl in some security context "foo_perm", it executes the following sequence:

    secret_token = random();
    change_hat("foo_perm", secret_token);
    mod_perl("/usr/bin/foo.pl");
    change_hat(NULL, secret_token);

The stuff with secret_token is to prevent the foo.pl script from busting out of the foo_perm security context by simply calling change_hat. Spiffy invention by Greg KH.

> The canonical way to add new ways to interact with the OS is usually not
> to add a new syscall, but rather to add an entry in /proc or somesuch.
> (or at worst add an ioctl() -- ugh!) What cases isn't this good enough for?

Because this is directly in the way of executing server-side scriptlets (which is using mod_perl precisely because exec is too slow) it needs to be very fast. Are these other methods as fast as a syscall?

At the extreme other end of the spectrum, SELinux adds 50 new or modified system calls: http://www.nsa.gov/selinux/docs.html The modified ones are just targets for hooking. The new ones presumably are there for a reason, and LSM needs some kind of facility to support adding new system calls.
Mostly IMHO we can do this by using the "reload the syscall table" hack, but to make the ABI consistent, we should attempt to reserve a block of syscall numbers. Two problems:

* guessing the number needed
* getting Linus to buy this argument :-)

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org


CHANGE_HAT(2)                                                    CHANGE_HAT(2)

NAME
       change_hat - change to or from a subdomain within a codomain profile

SYNOPSIS
       #include <unistd.h>

       int change_hat (char *subdomain, u32 magic_token);

DESCRIPTION
       A profile applying to a fixed executable program is called a
       "codomain" (a pun on "code" and "domain"), whereas a profile applying
       only to a portion of the execution behavior of a program is called a
       "subdomain".

       If a program wants to change its currently running codomain profile
       into a subdomain profile, it calls the change_hat function to do so.
       It passes in a pointer to the subdomain which it wants to change into,
       and a 32bit magic_token. The magic_token is used to return out of the
       subdomain at a later time.

       If a program wants to return out of the current subdomain to the
       original codomain, it calls change_hat with a pointer to NULL as the
       subdomain, and the original magic_token value. If the magic_token does
       not match the original magic_token passed into the kernel when the
       program entered the subdomain, the change back to the original
       codomain will not happen, and the current task will be killed. If the
       magic_token matches the original token, then the profile will be
       changed back to the original codomain.

RETURN VALUE
       On success zero is returned. On error, -1 is returned, and errno is
       set appropriately.

ERRORS
       ENOMEM Insufficient kernel memory was available.

       EACCES The magic_token passed in was 0, which is not a valid value for
              the magic_token, or the specified subdomain does not exist in
              this codomain profile.

       EFAULT An internal error occurred.

EXAMPLE
       void foo (void)
       {
               int magic_token;

               /* get a random magic token value from our huge entropy pool */
               magic_token = random_function();

               /* change into the subdomain while we do stuff we don't trust */
               sys_change_hat ("stuff_we_dont_trust", magic_token);

               /* Go do stuff we don't trust -- this is all done in *this*
                * process space, no separate fork()/exec()'s are done.
                */
               interpret_perl_stuff(stuff_from_user);

               /* now change back to our original codomain */
               sys_change_hat (NULL, magic_token);
       }

CONFORMING TO
       Nothing :) This is an Immunix addition to the Linux kernel.

BUGS
       None known.

SEE ALSO
       subdomain.conf(5) subdomain_parser(8)

13 Sep 2000

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
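As an added example (not Immunix/SubDomain kernel code), a user-space C model of the change_hat token protocol the man page describes: entering a subdomain records the token, a zero token or an unknown subdomain fails with EACCES, and a return call whose token does not match the recorded one kills the task instead of restoring the codomain. The task struct, the list of subdomains in the profile and TASK_KILLED are constructed for the model.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the kernel-side state behind change_hat();
 * this is not the SubDomain implementation. */
#define TASK_KILLED (-2)

struct task {
    const char *codomain;   /* profile bound to the executable */
    const char *hat;        /* current subdomain, NULL when in codomain */
    uint32_t    token;      /* magic_token saved when the hat was entered */
    int         killed;     /* set once the task would have been killed */
};

/* Subdomains this codomain profile defines (constructed sample). */
static const char *const hats[] = { "foo_perm", "stuff_we_dont_trust" };

static int hat_exists(const char *name)
{
    for (size_t i = 0; i < sizeof hats / sizeof hats[0]; i++)
        if (strcmp(hats[i], name) == 0)
            return 1;
    return 0;
}

/* Returns 0 on success, -errno on failure, or TASK_KILLED when the
 * man page says the current task is killed. */
int change_hat(struct task *t, const char *subdomain, uint32_t magic_token)
{
    if (t->killed)
        return TASK_KILLED;
    if (magic_token == 0)               /* 0 is never a valid token */
        return -EACCES;
    if (subdomain != NULL) {            /* change into a subdomain */
        if (!hat_exists(subdomain))
            return -EACCES;             /* not in this codomain profile */
        t->hat = subdomain;
        t->token = magic_token;         /* remembered for the return */
        return 0;
    }
    if (magic_token != t->token) {      /* wrong token: no return, task dies */
        t->killed = 1;
        return TASK_KILLED;
    }
    t->hat = NULL;                      /* back to the original codomain */
    return 0;
}
```

The mod_perl sequence from the mail maps onto this as change_hat(&t, "foo_perm", secret), run the script, change_hat(&t, NULL, secret); a script that calls change_hat(NULL, guess) with any other value ends up in the killed state rather than back in the Apache codomain.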
This archive was generated by hypermail 2b30 : Mon Apr 23 2001 - 23:36:12 PDT