Re: Names vs. Inodes

From: Greg KH (gregat_private)
Date: Sat Jul 21 2001 - 09:33:16 PDT

  • Next message: James Morris: "[PATCH] IP hooks"

    On Fri, Jul 20, 2001 at 10:46:43PM -0700, Crispin Cowan wrote:
    > 
    > SubDomain only allows the creation of hard & soft links by confined processes if such
    > permission is specified.  But the links may exist anyway, and the permission may be
    > granted.
    
    But since SubDomain is running in a "controlled" environment (you know
    the whole layout of the file system, as you created the distro in the
    first place) is this a real problem?
    
    > > So the inode that is passed to permission() should only have a dentry
    > > list containing 1 dentry.  Reconstruct the path from that dentry, and
    > > bob's your uncle.
    > 
    > I also thought of this.  It's appealing, and in the common case, it will work.
    > Unfortunately, it leaves a DoS hole (observation due to Chris).  Someone with an
    > unconfined, or appropriately loosely confined, process can create thousands of hard
    > links to a file they don't own.  The result is that the SubDomain module spends a gross
    > amount of time inside the kernel reconstructing each of many alias paths to a file that
    > a confined process is trying to access.
    > 
    > If it was just a mild performance issue, I wouldn't worry about it.  But this is a big
    > DoS issue.
    
    But yesterday you said in regards to my worry of "hostile" processes
    calling mount:
    
    On Thu, Jul 19, 2001 at 10:15:33PM -0700, Crispin Cowan wrote:
    > 
    > SubDomain does not allow confined programs to call mount or umount.  SubDomain's
    > threat model is only concerned with confined processes and principals external to
    > the machine.  Unconfined processes don't matter, because there either shouldn't be
    > any, or they are there for a reason and are trusted.
    > 
    
    Shouldn't that same statement work for processes calling link?
    Since you trust the system enough to not worry about mount, what is the
    difference?  You can prevent loosely confined processes from creating
    lots of linked files.  And you said you don't care about unconfined
    processes, as they are trusted (if there at all.)
    
    And secondly, have you tried measuring the performance if this happens?
    How long does it really take to do the reconstruction for thousands of
    dentrys?
    
    Shouldn't you just stop the dentry path reconstruction on the first
    failed dentry?  That would prevent you from having to go through all of
    them.  Also a simple "hey, I'm reconstructing the 10th dentry for this
    inode, something is not right here" check should prevent you from taking
    up lots of kernel time.
    
    thanks,
    
    greg k-h
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Sat Jul 21 2001 - 09:34:33 PDT