Re: bug in SE Linux / LSM

• Previous message: Russell Coker: "bug in SE Linux / LSM"
• In reply to: Russell Coker: "bug in SE Linux / LSM"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 5 Sep 2002, Russell Coker wrote:

> In my tutorial yesterday a Robert Dorn <selinuxat_private>
> discovered a bug in the way SE Linux/LSM operates.
>
> If you login to a virtual console as an unpriviledged user you can use
> "loadkeys" to change the keyboard mapping for everything apart from the SAK
> sequence.
>
> But it would be better if we could just catch such remappings in SE policy, in
> 99% of all machines there is no cause for the user to remap the keyboard.

This issue is mentioned in the BUGS section of the loadkeys(1) man page,
although it doesn't appear to be entirely accurate.  If I understand
correctly, the relevant kernel code is the handling of the KDSKBENT ioctl
in drivers/char/vt.c.  The base kernel code appears to permit the use of
this ioctl as long as the process is the owner of the tty or the process
has CAP_SYS_TTY_CONFIG (2.5) or the process is root (2.4, legacy
superuser check).  The base kernel code further limits the ability to
remap the SAK by requiring CAP_SYS_ADMIN.

LSM hooks capable() and SELinux performs a parallel check for each
capability check, but that doesn't affect the code path when no capability
is checked (any non-SAK remapping by the owner or root in 2.4, any non-SAK
remapping by the owner of the tty in 2.5).  LSM does provide a hook in
sys_ioctl could be used to control this operation based on the file and
command (but not the argument, as it is a userspace pointer in this case).
At present, SELinux only implements specific permission checks for a small
set of ioctls that are generic operations or ext[23]-specific.  All other
ioctls merely cause a check of the generic 'ioctl' permission to the file.

We could implement an additional check for this particular ioctl in the
SELinux ioctl hook function, either using an existing capability or
defining a new permission for this purpose.  More generally, you would
really want to perform an audit of all ioctls relevant to your kernel
configuration.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private




_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: David Wheeler: "bug in SELinux"
• Previous message: Russell Coker: "bug in SE Linux / LSM"
• In reply to: Russell Coker: "bug in SE Linux / LSM"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 06:38:47 PDT