Greg KH wrote:
> On Thu, Jul 19, 2001 at 12:19:14PM -0700, Crispin Cowan wrote:
> > However, we're doing the *dual* of that. SubDomain doesn't protect files, it
> > confines processes, rather similar to chroot. In SubDomain, you specify the
> > names of all the files that a given program may access. When that program
> > executes, it is instantiated as a process confined by a profile that prescribes
> > the set of named files the process can access.
> >
> > Every time the process calls open, SubDomain resolves the call into a name, and
> > checks to see if the name is on the "allowed" list. If it's not on the list,
> > the access is denied.
>
> Ah, but most SubDomain profiles contain:
> /tmp/* rw
>
> Which allows them to read and write to the /tmp directory.
>
> So I, as a malicious user, do the following:
> umount /tmp
> mount /dev/sda3 /tmp
>
> where /dev/sda3 is the /etc partition.

SubDomain does not allow confined programs to call mount or umount. SubDomain's threat model is only concerned with confined processes and principals external to the machine. Unconfined processes don't matter, because there either shouldn't be any, or they are there for a reason and are trusted.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
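As an added illustration (not SubDomain's code and not part of the thread), a Python toy of the name-based open() check Crispin describes, with the "/tmp/* rw" rule from the thread, and of why a confined process must be refused mount/umount: an unconfined remount of the /etc partition onto /tmp changes what the name "/tmp/shadow" resolves to without changing the profile. The mount table and device names other than /dev/sda3 being the /etc partition are constructed, and the glob semantics (`*` stays within one path component) are an assumption of this toy.

```python
import re

# Constructed toy model of SubDomain-style pathname confinement; not SubDomain's code.
# A profile maps pathname globs to permission letters, e.g. the "/tmp/* rw" line
# from the thread.  Assumption: '*' matches within one path component only.
PROFILE = {"/tmp/*": "rw", "/usr/lib/*": "r"}
# A confined process may never alter the namespace its profile's names refer to.
NAMESPACE_SYSCALLS = {"mount", "umount"}

def glob_match(pattern, path):
    regex = re.escape(pattern).replace(r"\*", "[^/]*")
    return re.fullmatch(regex, path) is not None

def file_allowed(profile, path, mode):
    """Name-based check: some rule must match the name and grant every mode letter."""
    return any(glob_match(pat, path) and all(m in perms for m in mode)
               for pat, perms in profile.items())

class Namespace:
    """Toy mount table: mount point -> backing device (constructed sample values)."""
    def __init__(self):
        self.mounts = {"/": "/dev/sda1", "/tmp": "/dev/sda2", "/etc": "/dev/sda3"}
    def resolve(self, path):
        """Return (device, path inside that device) using the longest matching mount."""
        hits = [m for m in self.mounts if path == m or path.startswith(m.rstrip("/") + "/")]
        best = max(hits, key=len)
        return self.mounts[best], path[len(best.rstrip("/")):] or "/"

class ConfinedProcess:
    def __init__(self, profile, ns):
        self.profile, self.ns = profile, ns
    def syscall(self, name, *args):
        """Mediate one syscall; returns (allowed, explanation)."""
        if name in NAMESPACE_SYSCALLS:
            return False, f"{name} denied: confined processes may not change mounts"
        if name == "open":
            path, mode = args
            if not file_allowed(self.profile, path, mode):
                return False, f"open {path} {mode} denied: name not in profile"
            dev, inner = self.ns.resolve(path)
            return True, f"open {path} -> {dev}:{inner}"
        return True, f"{name} not mediated by this toy"

def remount_as_unconfined(ns, path):
    """Greg's scenario run by an UNCONFINED actor: /tmp now names the /etc partition."""
    ns.mounts["/tmp"] = ns.mounts["/etc"]
    return ns.resolve(path)
```

The confined process is stopped at the mount call itself, so the profile's "/tmp/*" names keep pointing at /dev/sda2; only an unconfined actor, outside SubDomain's threat model, can make "/tmp/shadow" resolve into the /etc partition.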
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 22:17:26 PDT