Re: sys_setpriority error

From: Chris Wright (chrisat_private)
Date: Thu May 31 2001 - 11:00:24 PDT


    * Stephen Smalley (sdsat_private) wrote:
    > > The dummy functions don't really provide much in the way of security.  They
    > > fall somewhere between DAC and everybody is root.  Stephen Smalley has
    > > suggested re-evaluating the dummy code and adding root checks to align with
    > > DAC.  I am inclined to fix this in dummy_setnice rather than
    > > sys_setpriority.
    > This doesn't fix the setpriority problem, as others have mentioned.
    > However, it does need to be addressed in the dummy code.  I also had to
    > address this issue in the SELinux module code so that an LSM kernel with
    > the SELinux module provides both the traditional root checks and the
    > SELinux checks.  See the root checks in the task_has_capability() function
    > in the attached file.  This function is called by each of the hooks that 
    > corresponds to a capability check (with a few exceptions due to confusion
    > over whether the hook is supposed to be "authoritative" or "override").
    > Likewise, each of the dummy hooks that corresponds to a capability check
    > should call a function to perform these root checks so that a kernel
    > built without any security modules provides reasonable behavior.
    I've made the change already to the dummy_capable() hook to check super
    user.  I'll work on upgrading the rest of the capable derivative dummy hooks
    to use this check.
    > Also, the dummy code either needs to implement traditional setuid/setgid
    > program handling in the compute_creds hook (as in both the capabilities
    > plug and the SELinux module), or we need to restore the base kernel
    > compute_creds function with that processing (in which case it would
    > call the hook, and the current hook calls would be restored to
    > calling the base kernel function), as I've previously suggested.
    > As the LSM patch currently exists, setuid/setgid program execution
    > doesn't work when no modules are enabled.
    This is a known issue.  I'm inclined to implement a dummy version only
    because I don't have a good idea of how to make a meaningful separation in
    compute_creds so that it can be left in the kernel.  
    linux-security-module mailing list
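
A userspace C model of the fallback discussed in this thread, added here as an illustration and not code from the LSM patch or the SELinux module: a default capable hook that applies the traditional superuser check, next to a constructed permissive variant. The struct layouts, hook signatures, `set_nice()`, `active_ops` and `permissive_capable()` are assumptions; only the names `dummy_capable` and `dummy_setnice` come from the messages.

```c
/* Userspace model: types and hook signatures are illustrative assumptions. */
#include <errno.h>
#define CAP_SYS_NICE 23 /* value from linux/capability.h */

struct task { unsigned int euid; int nice; };
struct security_ops {
    int (*capable)(const struct task *t, int cap);
    int (*setnice)(const struct task *t, int nice);
};
static const struct security_ops *active_ops; /* hooks currently in effect */

/* Default capable hook: traditional superuser test when no module is loaded. */
static int dummy_capable(const struct task *t, int cap)
{
    (void)cap;
    return t->euid == 0 ? 0 : -EPERM;
}

/* Constructed "everybody is root" hook, kept only for comparison. */
static int permissive_capable(const struct task *t, int cap)
{
    (void)t; (void)cap;
    return 0;
}

/* Capable-derivative hook: only lowering the nice value needs privilege. */
static int dummy_setnice(const struct task *t, int nice)
{
    return nice >= t->nice ? 0 : active_ops->capable(t, CAP_SYS_NICE);
}

static const struct security_ops dummy_ops = { dummy_capable, dummy_setnice };
static const struct security_ops permissive_ops = { permissive_capable, dummy_setnice };

/* Model of the syscall side: consult the hook, then apply the change. */
static int set_nice(const struct security_ops *ops, struct task *t, int nice)
{
    active_ops = ops;
    int rc = ops->setnice(t, nice);
    if (rc == 0)
        t->nice = nice;
    return rc;
}

int main(void)
{
    struct task a = { 1000, 0 }, b = { 1000, 0 };
    int strict = set_nice(&dummy_ops, &a, -5), loose = set_nice(&permissive_ops, &b, -5);
    return (strict == -EPERM && loose == 0) ? 0 : 1;
}
```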
