On Fri, 10 Aug 2001, Crispin Cowan wrote:

> David Wagner wrote:
>
> > Greg KH wrote:
> > >Ah, but Stephans program should first validate that the kernel is
> > >running SELinux by some other method than the syscall [...]
> >
> > Are there race conditions here? What if someone does a
> > 'rmmod selinux; insmod subdomain' between the time when
> > you check for the presence of SELinux and use the syscall?
>
> Isn't that isomorphic to the problem of "what if the bad guy got control
> of the machine before my module loaded?" To me, anyone who can do
> "rmmod" is either a trusted administrator, or has already broken
> security so hopelessly that it's not worth arguing about.

Well, there's the issue of properly executing applications when the module
changes (minimally.) RMMOD/INSMOD arguably have to be trusted, but a sleeper
application CAN bridge the rmmod/insmod.

That's why I keep insisting the module has to check every call... but,
(again), it is up to the MODULE, not the interface or kernel, to check this,
imho.

>
> Crispin
>
> --
> Crispin Cowan, Ph.D.
> Chief Scientist, WireX Communications, Inc. http://wirex.com
> Security Hardened Linux Distribution: http://immunix.org
> Available for purchase: http://wirex.com/Products/Immunix/purchase.html

J. Melvin Jones

|>------------------------------------------------------
|| J. MELVIN JONES jmjonesat_private
|>------------------------------------------------------
|| Microcomputer Systems Consultant
|| Software Developer
|| Web Site Design, Hosting, and Administration
|| Network and Systems Administration
|>------------------------------------------------------
|| http://www.jmjones.com/
|>------------------------------------------------------

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
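The check-then-use gap discussed in this message, as an added user-space simulation that is not part of the original e-mail or of any LSM module. The module ids, the single `loaded` slot and every function name are constructed for illustration; the point is that only a handler which validates the target id on every call rejects a request that was meant for the module it replaced.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed module ids, not real kernel constants. */
#define ID_SELINUX   0x5e11u
#define ID_SUBDOMAIN 0x5bd0u

struct module { unsigned id; int (*handle)(unsigned id, unsigned call); };
static const struct module *loaded;      /* the one security-module slot */

static int selinux_handle(unsigned id, unsigned call)
{
    return id == ID_SELINUX ? (int)call : -EINVAL;
}
/* Trusts the caller's earlier presence check: acts on any request. */
static int subdomain_unchecked(unsigned id, unsigned call)
{
    (void)id;
    return 1000 + (int)call;
}
/* Validates the target id on every call, as the message argues. */
static int subdomain_checked(unsigned id, unsigned call)
{
    if (id != ID_SUBDOMAIN)
        return -EINVAL;
    return 1000 + (int)call;
}
static const struct module selinux   = { ID_SELINUX,   selinux_handle };
static const struct module sub_loose = { ID_SUBDOMAIN, subdomain_unchecked };
static const struct module sub_safe  = { ID_SUBDOMAIN, subdomain_checked };

static void insmod(const struct module *m) { loaded = m; }
static void rmmod(void) { loaded = NULL; }
static int security_call(unsigned id, unsigned call)
{
    return loaded ? loaded->handle(id, call) : -ENOSYS;
}
/* Sleeper application: checks once, is still running after the swap. */
static int sleeper(const struct module *replacement)
{
    insmod(&selinux);
    if (!loaded || loaded->id != ID_SELINUX)   /* time of check */
        return -ENOSYS;
    rmmod();                                   /* trusted admin swaps modules */
    insmod(replacement);
    return security_call(ID_SELINUX, 7);       /* time of use */
}
int main(void)
{
    printf("unchecked module: %d\n", sleeper(&sub_loose));
    printf("checking module:  %d\n", sleeper(&sub_safe));
    return 0;
}
```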
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 18:25:48 PDT