On Mon, 6 Aug 2001, James Morris wrote:

>
> Also, after further investigation of option #3 from my last post, it looks
> like it will be a very messy job to hook all accesses to low-level network
> objects at some level underneath both ioctl() and rtnetlink. I haven't
> come up with a good solution for this yet.
>

After looking at this issue in some detail and coding up a prototype for netdevices, I'm now certain that it will be very difficult to add consistent fine-grained access controls for these low-level network objects.

Because of the TOCTTOU ioctl issue, we'd end up with hooks scattered at many layers in the stack (down into the hardware drivers for some netdevice ioctls such as SIOCETHTOOL), which is quite invasive. We then need similarly-grained hooks for rtnetlink messages and various /proc access points, which is technically possible, but increasingly invasive and looking like a potential maintenance nightmare. The latter is especially not good for a security project.

Also, I'm not sure how generally useful it would be to provide more granularity than CAP_NET_ADMIN for these kinds of objects. Stephen, can selinux make do with just this level of granularity? Are there any other projects which might need more?

I'd like to propose that we kill the ioctl() calls in netdev_ops, and use the existing CAP_NET_ADMIN checks for controlling access to: netdevices, routing tables, neighbour operations (e.g. ARP) and packet schedulers/classifiers.

- James

--
James Morris <jmorrisat_private>

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
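The "TOCTTOU ioctl issue" James refers to is the reason a single access hook at the ioctl dispatch layer cannot cover ioctls whose payload the driver fetches from user memory itself (as ethtool-style commands do): the hook checks one copy of the request, and the driver later acts on a second read of the same user buffer, which may have changed in between. The program below is an added illustration written for this archive page, not kernel code and not from the thread. It models the dispatcher, a hypothetical GET-vs-SET policy, and a racing writer (simulated deterministically as a callback run in the check/use window rather than a real thread), and contrasts a dispatcher that lets the lower layer re-read user memory with one that hands down the already-checked copy. All names (struct user_req, dispatch_unsafe, dispatch_safe, CMD_GET, CMD_SET) are invented for the example.

```c
/* Added example: why an access check above a layer that re-reads user memory
 * is TOCTTOU-prone. Not kernel code; all structures and names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Simplified stand-in for an ioctl request (cf. struct ifreq + ethtool cmd). */
struct user_req {
    char     ifname[16];
    uint32_t cmd;            /* sub-operation carried in the request */
};

enum { CMD_NONE = 0, CMD_GET = 1, CMD_SET = 2 };

/* Hypothetical policy: anyone may GET, only an "admin" caller may SET. */
static int allowed(int is_admin, uint32_t cmd)
{
    return cmd == CMD_GET || is_admin;
}

/* Simulated user-space memory. `race`, if set, models another thread of the
 * caller that writes to the buffer between the check and the driver's use. */
struct user_mem {
    struct user_req req;
    void (*race)(struct user_mem *);
};

/* Stand-in for copy_from_user(): snapshot the user buffer into kernel memory. */
static void fetch_from_user(struct user_req *dst, const struct user_mem *um)
{
    memcpy(dst, &um->req, sizeof *dst);
}

/* "Driver" that fetches the request again from user memory (the pattern that
 * makes a dispatch-layer hook insufficient). Returns the command it executed. */
static uint32_t driver_exec_reread(struct user_mem *um)
{
    struct user_req r;
    fetch_from_user(&r, um);          /* second, unchecked read */
    return r.cmd;
}

/* "Driver" that only ever sees the copy the dispatcher already checked. */
static uint32_t driver_exec_copy(const struct user_req *r)
{
    return r->cmd;
}

/* Check a kernel copy, then let the driver re-read user memory: TOCTTOU.
 * Returns the command actually executed, or CMD_NONE if denied. */
uint32_t dispatch_unsafe(int is_admin, struct user_mem *um)
{
    struct user_req r;
    fetch_from_user(&r, um);
    if (!allowed(is_admin, r.cmd))
        return CMD_NONE;
    if (um->race)
        um->race(um);                 /* attacker's window */
    return driver_exec_reread(um);
}

/* Check a kernel copy and pass that same copy down: the check holds. */
uint32_t dispatch_safe(int is_admin, struct user_mem *um)
{
    struct user_req r;
    fetch_from_user(&r, um);
    if (!allowed(is_admin, r.cmd))
        return CMD_NONE;
    if (um->race)
        um->race(um);                 /* same window, now harmless */
    return driver_exec_copy(&r);
}

/* Racing writer: flip the already-checked GET into a SET. */
static void flip_to_set(struct user_mem *um)
{
    um->req.cmd = CMD_SET;
}

/* Unprivileged caller submits GET on "eth0" while a second thread flips it. */
uint32_t scenario_raced(uint32_t (*dispatch)(int, struct user_mem *))
{
    struct user_mem um;
    memset(&um, 0, sizeof um);
    strcpy(um.req.ifname, "eth0");   /* constructed sample request */
    um.req.cmd = CMD_GET;
    um.race = flip_to_set;
    return dispatch(0, &um);
}

/* Unprivileged caller asks for SET outright: both dispatchers must deny. */
uint32_t scenario_direct_set(uint32_t (*dispatch)(int, struct user_mem *))
{
    struct user_mem um;
    memset(&um, 0, sizeof um);
    strcpy(um.req.ifname, "eth0");
    um.req.cmd = CMD_SET;
    um.race = NULL;
    return dispatch(0, &um);
}

int main(void)
{
    printf("unsafe dispatcher ran cmd %u (2 = SET, never authorised)\n",
           scenario_raced(dispatch_unsafe));
    printf("safe dispatcher ran cmd %u (1 = GET, as checked)\n",
           scenario_raced(dispatch_safe));
    return 0;
}
```

The point for the thread's argument: as long as any driver below the hook performs its own read of the user request, the hook has to move down to where that read happens, which is exactly the scattering of hooks into hardware drivers described above. Either the request is fetched exactly once and the checked copy is passed down, or the check has to live at the bottom.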
This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 23:28:32 PDT