Re: A Comment from User Space

From: Crispin Cowan (crispinat_private)
Date: Mon Apr 23 2001 - 23:33:24 PDT


    David Wagner wrote:
    
    > Crispin Cowan  wrote:
    > >On the "needs a new system call" issue:  what do people think of proposing
    > >that a block of syscall numbers be allocated to LSM?
    >
    > Good question.  Well, I must admit my first reaction is to be skeptical.
    > First question: What is it needed for?
    
    SubDomain adds only one system call, but it needs to be fast.  We use it for
    fine-grained security context switching (man page for change_hat attached).
    This allows small security domains to be associated with sub-components of a
    monolithic UNIX process.  The canonical example is to have a PERL script being
    interpreted by mod_perl within an Apache process to run with different
    permissions than the Apache process itself.  So if Apache wants to execute
    foo.pl in some security context "foo_perm", it executes the following sequence:
    
         secret_token = random();
         change_hat("foo_perm", secret_token);
         mod_perl("/usr/bin/foo.pl");
         change_hat(NULL, secret_token);
    
    The stuff with secret_token is to prevent the foo.pl script from busting out of
    the foo_perm security context by simply calling change_hat.  Spiffy invention
    by Greg KH.
    
    
    > The canonical way to add new ways to interact with the OS is usually not
    > to add a new syscall, but rather to add an entry in /proc or somesuch.
    > (or at worst add an ioctl() -- ugh!)  What cases isn't this good enough for?
    
    Because this is directly in the way of executing server-side scriptlets (which
    is using mod_perl precisely because exec is too slow) it needs to be very
    fast.  Are these other methods as fast as a syscall?
    
    At the extreme other end of the spectrum, SELinux adds 50 new or modified
    system calls (http://www.nsa.gov/selinux/docs.html).  The modified ones are just
    targets for hooking.  The new ones presumably are there for a reason, and
    LSM needs some kind of facility to support adding new system calls.  Mostly
    IMHO we can do this by using the "reload the syscall table" hack, but to make
    the ABI consistent, we should attempt to reserve a block of syscall numbers.
    Two problems:
    
       * guessing the number needed
       * getting Linus to buy this argument :-)
    
    Crispin
    
    --
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    
    CHANGE_HAT(2)                                       CHANGE_HAT(2)


    NAME
           change_hat - change to or from a subdomain within a codomain
           profile

    SYNOPSIS
           #include <unistd.h>

           int change_hat (char *subdomain, u32 magic_token);

    DESCRIPTION
           A profile applying to a fixed executable program is called a
           "codomain" (a pun on "code" and "domain"), whereas a profile
           applying only to a portion of the execution behavior of a
           program is called a "subdomain".  If a program wants to change
           its currently running codomain profile into a subdomain
           profile, it calls the change_hat function to do so.  It passes
           in a pointer to the subdomain which it wants to change into,
           and a 32-bit magic_token.  The magic_token is used to return
           out of the subdomain at a later time.

           If a program wants to return out of the current subdomain to
           the original codomain, it calls change_hat with NULL as the
           subdomain, and the original magic_token value.  If the
           magic_token does not match the original magic_token passed
           into the kernel when the program entered the subdomain, the
           change back to the original codomain will not happen, and the
           current task will be killed.  If the magic_token matches the
           original token, then the profile will be changed back to the
           original codomain.

    RETURN VALUE
           On success zero is returned.  On error, -1 is returned, and
           errno is set appropriately.

    ERRORS
           ENOMEM Insufficient kernel memory was available.

           EACCES The magic_token passed in was 0, which is not a valid
                  value for the magic_token, or the specified subdomain
                  does not exist in this codomain profile.

           EFAULT An internal error occurred.

    EXAMPLE

                  void foo (void)
                  {
                          int magic_token;

                          /* get a random magic token value from our huge entropy pool */
                          magic_token = random_function();

                          /* change into the subdomain while we do stuff we don't trust;
                           * if the switch fails, do not run the untrusted code with
                           * the full codomain's permissions */
                          if (sys_change_hat ("stuff_we_dont_trust", magic_token) < 0)
                                  return;

                          /* Go do stuff we don't trust -- this is all done in *this*
                           * process space, no separate fork()/exec()'s are done. */
                          interpret_perl_stuff(stuff_from_user);

                          /* now change back to our original codomain */
                          sys_change_hat (NULL, magic_token);
                  }
    
    CONFORMING TO
           Nothing :) This is an Immunix addition to the Linux kernel.

    BUGS
           None known.

    SEE ALSO
           subdomain.conf(5) subdomain_parser(8)

                               13 Sep 2000
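As an added example (not code from the post or from SubDomain/Immunix), a user-space C model of the change_hat token check described in the message and in the attached man page: the task returns to its codomain only with the token recorded on entry, a mismatched token kills the task, and a zero token or unknown subdomain fails with EACCES. The type and function names (task_t, hat_change, hat_result), the hat list and the token values are assumptions constructed for the example.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical model of the per-task state the kernel keeps for change_hat
 * (not the SubDomain implementation; names are assumptions). */
typedef enum { HAT_OK, HAT_EACCES, HAT_KILLED } hat_result;
typedef struct {
    const char *profile;   /* profile currently enforced on the task */
    const char *codomain;  /* profile the task returns to */
    uint32_t    token;     /* magic token recorded on entry; 0 = not in a hat */
    int         alive;     /* 0 once the task has been killed */
} task_t;
/* Constructed set of subdomains the codomain profile defines. */
static const char *known_hats[] = { "foo_perm", "stuff_we_dont_trust" };
static int hat_exists(const char *name) {
    for (size_t i = 0; i < sizeof known_hats / sizeof *known_hats; i++)
        if (strcmp(known_hats[i], name) == 0) return 1;
    return 0;
}

/* change_hat(2) as the man page describes it: NULL plus the original token
 * returns to the codomain; a wrong token is an escape attempt and kills the task. */
hat_result hat_change(task_t *t, const char *subdomain, uint32_t magic_token) {
    if (!t->alive) return HAT_KILLED;
    if (magic_token == 0) return HAT_EACCES;        /* 0 is never a valid token */
    if (subdomain == NULL) {
        if (t->token == 0 || magic_token != t->token) { t->alive = 0; return HAT_KILLED; }
        t->profile = t->codomain; t->token = 0;
        return HAT_OK;
    }
    if (!hat_exists(subdomain)) return HAT_EACCES;
    if (t->token != 0) return HAT_EACCES;           /* model assumption: no hat-to-hat moves */
    t->profile = subdomain; t->token = magic_token;
    return HAT_OK;
}

/* Apache's sequence from the post with a constructed token: 1 if back in the codomain. */
int demo_roundtrip(void) {
    task_t t = { "apache", "apache", 0, 1 };
    if (hat_change(&t, "foo_perm", 0x5eed1234u) != HAT_OK) return 0;
    if (hat_change(&t, NULL, 0x5eed1234u) != HAT_OK) return 0;
    return t.alive && strcmp(t.profile, "apache") == 0;
}

/* foo.pl guessing a token: 1 if the task is killed while still confined to foo_perm. */
int demo_escape_blocked(void) {
    task_t t = { "apache", "apache", 0, 1 };
    hat_change(&t, "foo_perm", 0x5eed1234u);
    return hat_change(&t, NULL, 0x5eed1235u) == HAT_KILLED && !t.alive
        && strcmp(t.profile, "foo_perm") == 0;
}
```

The model shows why the token must be unguessable: the only check standing between the confined script and the codomain's permissions is the comparison against the value recorded on entry.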
    
    
    
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Mon Apr 23 2001 - 23:36:12 PDT