There are some locations remaining in the base kernel that perform direct tests on capability bits. I think that these tests always succeed when the capabilities module is not enabled (since the initial task has all capabilities, every task inherits from its parent by default in do_fork, and the execve capabilities processing is in the module), so we need to replace these tests with hook calls to avoid granting processes unauthorized privileges.

The first case occurs in the netlink socket code. When a task sends a message on a netlink socket, netlink_sendmsg (net/netlink/af_netlink.c) saves the effective capability set of the current task in an eff_cap field of a netlink_skb_parms struct stored in the sk_buff's control buffer. When the message is received, if the corresponding operation requires privilege, rtnetlink_rcv_msg (net/core/rtnetlink.c) calls cap_raised on this saved capability set to see if the sending task had CAP_NET_ADMIN. netlink_receive_user_skb (net/ipv4/netfilter/ip_queue.c) performs a similar test. Since LSM adds an lsm_security field to the sk_buff struct itself, it seems that we could save our security information using that field rather than adding a field to netlink_skb_parms, and replace the hardcoded tests with hook calls in rtnetlink_rcv_msg and netlink_receive_user_skb to perform any desired checking based on the saved security information. The current hooks for allocating and maintaining the sk_buff lsm_security field are probably sufficient for tagging the sk_buff itself.

The second case occurs in the code to kill a process when the system is out of memory (mm/oom_kill.c). The badness function tries to avoid killing privileged processes by reducing the badness value when the process has CAP_SYS_ADMIN, CAP_SYS_RAWIO or has the superuser identity. The oom_kill_task function sends a SIGTERM rather than a SIGKILL if the process has CAP_SYS_RAWIO. We could replace these hardcoded tests with hook calls in badness and oom_kill_task.

Comments?
-- 
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
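The following is an added userspace model of the two patterns the message describes, not code from the message or from the kernel. It shows why a hard-coded cap_raised test on the saved eff_cap (and the CAP_SYS_ADMIN/CAP_SYS_RAWIO reductions in badness) passes for an unprivileged uid when no capabilities module is loaded, since do_fork copies the initial task's full set, and how a hook call lets a loaded module decide from its own saved security information instead. The hook table (struct security_ops), the label-based module (label_ops, LABEL_NETADMIN), the scenario_* helpers and the exact badness arithmetic are assumptions made for the illustration; the capability numbers are the Linux values.

```c
/* Added example, not kernel code. Models the hard-coded capability tests
 * in the netlink receive path and in the OOM killer beside a hook-based
 * replacement. struct security_ops, label_ops and scenario_* are invented
 * here; the badness reductions are a simplified model of mm/oom_kill.c. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t kernel_cap_t;
enum { CAP_NET_ADMIN = 12, CAP_SYS_RAWIO = 17, CAP_SYS_ADMIN = 21 };
#define CAP_TO_MASK(c)     (1u << (c))
#define CAP_FULL_SET       (~0u)
#define cap_raised(set, c) (((set) & CAP_TO_MASK(c)) != 0)

struct task {
    uint32_t uid;
    kernel_cap_t cap_effective;
    int sec_label;            /* a module's own per-task security field (assumed) */
};

/* What netlink_sendmsg saves in the sk_buff control buffer. */
struct netlink_skb_parms {
    kernel_cap_t eff_cap;     /* read by the hard-coded test */
    int sec_label;            /* what a send hook saves instead (assumed field) */
};

/* Hook table a security module fills in (assumed shape). */
struct security_ops {
    void (*netlink_send)(const struct task *t, struct netlink_skb_parms *p);
    bool (*netlink_recv)(const struct netlink_skb_parms *p);
    bool (*oom_protect)(const struct task *t);
};

/* do_fork copies the parent's capability set unchanged; with no
 * capabilities module loaded, nothing ever clears it for the child. */
static struct task do_fork(const struct task *parent, uint32_t uid)
{
    struct task child = *parent;
    child.uid = uid;
    return child;
}

/* netlink_sendmsg: stash sender state in the control buffer. */
static struct netlink_skb_parms netlink_sendmsg(const struct security_ops *ops,
                                                const struct task *sender)
{
    struct netlink_skb_parms p = { .eff_cap = sender->cap_effective, .sec_label = 0 };
    if (ops)
        ops->netlink_send(sender, &p);
    return p;
}

/* rtnetlink_rcv_msg privilege test: hard-coded when ops is NULL, else the hook. */
static bool rtnetlink_privileged(const struct security_ops *ops,
                                 const struct netlink_skb_parms *p)
{
    if (!ops)
        return cap_raised(p->eff_cap, CAP_NET_ADMIN);
    return ops->netlink_recv(p);
}

/* badness(): hard-coded reductions for privileged tasks, or the hook. */
static long badness(const struct security_ops *ops, const struct task *t, long points)
{
    if (!ops) {
        if (t->uid == 0 || cap_raised(t->cap_effective, CAP_SYS_ADMIN))
            points /= 4;
        if (cap_raised(t->cap_effective, CAP_SYS_RAWIO))
            points /= 4;
        return points;
    }
    return ops->oom_protect(t) ? points / 4 : points;
}

/* A hypothetical module that trusts only its own label, never eff_cap. */
enum { LABEL_USER = 0, LABEL_NETADMIN = 1 };
static void label_send(const struct task *t, struct netlink_skb_parms *p) { p->sec_label = t->sec_label; }
static bool label_recv(const struct netlink_skb_parms *p) { return p->sec_label == LABEL_NETADMIN; }
static bool label_oom(const struct task *t) { return t->sec_label == LABEL_NETADMIN; }
static const struct security_ops label_ops = { label_send, label_recv, label_oom };

/* Constructed scenario: init has the full set; a uid 1000 child inherits it. */
static struct task unprivileged_child(void)
{
    struct task init = { .uid = 0, .cap_effective = CAP_FULL_SET, .sec_label = LABEL_NETADMIN };
    struct task user = do_fork(&init, 1000);
    user.sec_label = LABEL_USER;
    return user;
}

/* Does the uid 1000 sender pass the CAP_NET_ADMIN check under these ops? */
bool scenario_netlink(const struct security_ops *ops)
{
    struct task user = unprivileged_child();
    struct netlink_skb_parms p = netlink_sendmsg(ops, &user);
    return rtnetlink_privileged(ops, &p);
}

/* Badness of the uid 1000 task starting from 1000 points under these ops. */
long scenario_badness(const struct security_ops *ops)
{
    struct task user = unprivileged_child();
    return badness(ops, &user, 1000);
}

int main(void)
{
    printf("hard-coded: uid 1000 passes CAP_NET_ADMIN test: %d, badness %ld\n",
           scenario_netlink(NULL), scenario_badness(NULL));
    printf("hooked:     uid 1000 passes: %d, badness %ld\n",
           scenario_netlink(&label_ops), scenario_badness(&label_ops));
    return 0;
}
```

With ops NULL (no module), the uid 1000 task passes the netlink privilege test and gets its badness cut to 62 purely because it inherited the initial task's full capability set; with the hook-based path, the module's own saved label is what decides, so the same task is denied and keeps its full badness.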
This archive was generated by hypermail 2b30 : Tue Aug 21 2001 - 06:22:59 PDT