On Thu, 5 Sep 2002, Russell Coker wrote:

> In my tutorial yesterday a Robert Dorn <selinuxat_private>
> discovered a bug in the way SE Linux/LSM operates.
>
> If you login to a virtual console as an unprivileged user you can use
> "loadkeys" to change the keyboard mapping for everything apart from the SAK
> sequence.
>
> But it would be better if we could just catch such remappings in SE policy, in
> 99% of all machines there is no cause for the user to remap the keyboard.

This issue is mentioned in the BUGS section of the loadkeys(1) man page,
although it doesn't appear to be entirely accurate.

If I understand correctly, the relevant kernel code is the handling of the
KDSKBENT ioctl in drivers/char/vt.c. The base kernel code appears to permit
the use of this ioctl as long as the process is the owner of the tty or the
process has CAP_SYS_TTY_CONFIG (2.5) or the process is root (2.4, legacy
superuser check). The base kernel code further limits the ability to remap
the SAK by requiring CAP_SYS_ADMIN. LSM hooks capable() and SELinux performs
a parallel check for each capability check, but that doesn't affect the code
path when no capability is checked (any non-SAK remapping by the owner or
root in 2.4, any non-SAK remapping by the owner of the tty in 2.5).

LSM does provide a hook in sys_ioctl that could be used to control this
operation based on the file and command (but not the argument, as it is a
userspace pointer in this case). At present, SELinux only implements
specific permission checks for a small set of ioctls that are generic
operations or ext[23]-specific. All other ioctls merely cause a check of the
generic 'ioctl' permission to the file. We could implement an additional
check for this particular ioctl in the SELinux ioctl hook function, either
using an existing capability or defining a new permission for this purpose.

More generally, you would really want to perform an audit of all ioctls
relevant to your kernel configuration.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
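As an added example (not from this message, the kernel, or SELinux) of the defender-side check an administrator would want alongside the policy discussion above: a small user-space audit in C that snapshots a console's keymap through the read-only KDGKBENT ioctl, counts how many entries still bind K_SAK, and diffs two snapshots to reveal remapping done by a console user. The keycodes and the SAK binding used in the self-check are constructed assumptions, and the program assumes a Linux host with the uapi headers `<linux/kd.h>` and `<linux/keyboard.h>`.

```c
/* Added example, not from the email or the kernel: user-space console keymap
 * audit. Assumes Linux with <linux/kd.h>/<linux/keyboard.h> (KDGKBENT, K_SAK). */
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <linux/kd.h>
#include <linux/keyboard.h>

#define NMAP (MAX_NR_KEYMAPS * NR_KEYS)   /* 256 tables x 256 keycodes */
struct audit_result { size_t diffs, sak_before, sak_after; };

/* Snapshot every keymap entry of the VT on fd (read-only ioctl) into
 * map[table*NR_KEYS + key]. Returns -1 if any ioctl fails (fd is not a VT). */
int read_keymap(int fd, unsigned short *map) {
    for (unsigned t = 0; t < MAX_NR_KEYMAPS; t++)
        for (unsigned k = 0; k < NR_KEYS; k++) {
            struct kbentry ke = { .kb_table = t, .kb_index = k, .kb_value = 0 };
            if (ioctl(fd, KDGKBENT, &ke) < 0) return -1;
            map[t * NR_KEYS + k] = ke.kb_value;
        }
    return 0;
}

/* Entries bound to K_SAK; 0 means no key sequence raises SAK on this console. */
size_t count_sak(const unsigned short *map, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) if (map[i] == K_SAK) c++;
    return c;
}

/* Entries that differ between two snapshots taken at different times. */
size_t diff_keymap(const unsigned short *a, const unsigned short *b, size_t n) {
    size_t d = 0;
    for (size_t i = 0; i < n; i++) if (a[i] != b[i]) d++;
    return d;
}

/* Constructed self-check, no console needed: the baseline binds 'a', 'b' and
 * one SAK entry; "current" has 'a'/'b' swapped (what a console user's loadkeys
 * can do), while SAK is untouched since changing it needs CAP_SYS_ADMIN. */
struct audit_result self_check(void) {
    static unsigned short base[NMAP], cur[NMAP];
    memset(base, 0, sizeof base);
    base[30] = K(KT_LATIN, 'a');        /* plain table, keycode 30 is 'a' */
    base[48] = K(KT_LATIN, 'b');        /* plain table, keycode 48 is 'b' */
    base[1 * NR_KEYS + 88] = K_SAK;     /* shift table, keycode 88: constructed */
    memcpy(cur, base, sizeof base);
    cur[30] = K(KT_LATIN, 'b'); cur[48] = K(KT_LATIN, 'a');
    return (struct audit_result){ diff_keymap(base, cur, NMAP),
                                  count_sak(base, NMAP), count_sak(cur, NMAP) };
}
```

On a real console, open the VT device (for example `/dev/tty1`), pass the descriptor to `read_keymap` once at login and again later, and compare the two snapshots with `diff_keymap` and `count_sak`.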
This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 06:38:47 PDT