Re: bug in SE Linux / LSM

From: Stephen Smalley (sdsat_private)
Date: Thu Sep 05 2002 - 06:36:38 PDT


    On Thu, 5 Sep 2002, Russell Coker wrote:
    
    > In my tutorial yesterday a Robert Dorn <selinuxat_private>
    > discovered a bug in the way SE Linux/LSM operates.
    >
    > If you login to a virtual console as an unprivileged user you can use
    > "loadkeys" to change the keyboard mapping for everything apart from the SAK
    > sequence.
    >
    > But it would be better if we could just catch such remappings in SE policy, in
    > 99% of all machines there is no cause for the user to remap the keyboard.
    
    This issue is mentioned in the BUGS section of the loadkeys(1) man page,
    although it doesn't appear to be entirely accurate.  If I understand
    correctly, the relevant kernel code is the handling of the KDSKBENT ioctl
    in drivers/char/vt.c.  The base kernel code appears to permit the use of
    this ioctl as long as the process is the owner of the tty or the process
    has CAP_SYS_TTY_CONFIG (2.5) or the process is root (2.4, legacy
    superuser check).  The base kernel code further limits the ability to
    remap the SAK by requiring CAP_SYS_ADMIN.
    
    LSM hooks capable() and SELinux performs a parallel check for each
    capability check, but that doesn't affect the code path when no capability
    is checked (any non-SAK remapping by the owner or root in 2.4, any non-SAK
    remapping by the owner of the tty in 2.5).  LSM does provide a hook in
    sys_ioctl that could be used to control this operation based on the file and
    command (but not the argument, as it is a userspace pointer in this case).
    At present, SELinux only implements specific permission checks for a small
    set of ioctls that are generic operations or ext[23]-specific.  All other
    ioctls merely cause a check of the generic 'ioctl' permission to the file.
    
    We could implement an additional check for this particular ioctl in the
    SELinux ioctl hook function, either using an existing capability or
    defining a new permission for this purpose.  More generally, you would
    really want to perform an audit of all ioctls relevant to your kernel
    configuration.
    
    --
    Stephen D. Smalley, NAI Labs
    ssmalleyat_private
    
    
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
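
Added example, not part of the original message and not kernel or SELinux source: a userspace C model of the KDSKBENT decision path described in the reply, showing that a non-SAK remap by the tty owner never reaches the hooked capable(), and that a per-command check in the ioctl hook does see it. The struct fields, function names and the `keymap_perm` permission are assumptions made for illustration.

```c
/* Userspace model only; not kernel or SELinux source. */
#include <stdbool.h>
#include <stdio.h>

#define KDSKBENT 0x4B47                 /* ioctl number from <linux/kd.h> */
enum cap { CAP_SYS_ADMIN, CAP_SYS_TTY_CONFIG, CAP_COUNT };

struct task {
    bool owns_tty;                      /* process owns the tty */
    bool has_cap[CAP_COUNT];
    bool keymap_perm;                   /* hypothetical new policy permission */
};

static int capable_calls;               /* times the hooked capable() ran */

/* LSM hooks capable(), so the module sees every call made here. */
static bool capable(const struct task *t, enum cap c)
{
    capable_calls++;
    return t->has_cap[c];
}

/* Base check as the message describes it for 2.5, simplified. */
static bool base_kdskbent(const struct task *t, bool remaps_sak)
{
    if (remaps_sak && !capable(t, CAP_SYS_ADMIN))
        return false;
    return t->owns_tty || capable(t, CAP_SYS_TTY_CONFIG); /* owner: no call */
}

/* Model of the ioctl hook: it sees the command, not the pointer argument. */
static bool ioctl_hook(const struct task *t, unsigned int cmd, bool per_cmd)
{
    if (per_cmd && cmd == KDSKBENT)
        return t->keymap_perm;          /* the additional check proposed above */
    return true;                        /* generic 'ioctl' permission, assumed granted */
}

bool remap_allowed(const struct task *t, bool remaps_sak, bool per_cmd)
{
    return ioctl_hook(t, KDSKBENT, per_cmd) && base_kdskbent(t, remaps_sak);
}

int main(void)
{
    struct task user = { .owns_tty = true };   /* constructed: unprivileged tty owner */
    printf("non-SAK, generic ioctl check: %d\n", remap_allowed(&user, false, false));
    printf("capable() calls on that path: %d\n", capable_calls);
    printf("SAK remap:                    %d\n", remap_allowed(&user, true, false));
    printf("non-SAK, per-command check:   %d\n", remap_allowed(&user, false, true));
    return 0;
}
```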
    


