I have an LSM that disallows the following capabilities:

CAP_SYS_MODULE
CAP_SYS_RAWIO
CAP_NET_ADMIN

This breaks SuSE 8.x distros when the administrator requests a halt or reboot, due to the fact that these capabilities must be allowed during the shutdown sequence. It is not acceptable to disable or unload the module.

I must be able to add logic to address the special case where the user runs /sbin/shutdown, /sbin/halt, or /sbin/reboot, or performs an action that equates to a legal reboot or halt request by the administrator. This must be done in such a way that an attacker cannot take advantage of this exception to perform unauthorized operations, as protected by the aforementioned capabilities.

Hard-coding a check to see if "/sbin/XXX" has been executed is unacceptable, since the administrator could move shutdown, halt, or reboot to another location on the filesystem, or worse, an attacker could overwrite these files with trojan versions.

I have considered making any request when ( current->pid == 1 ) to be allowed by default, but this does not solve the problem (init does not execute any of the shutdown scripts). I have tried examining current->pgrp and current->session, but they also vary between calls during the shutdown process.

What, if any, vendor support might be required to work with my module? What might be the best approach to allowing the shutdown scripts to execute, without compromising the security afforded by my module?

Thanks,
Mike

--
------------------------------------------- | ---------------------
Michael Halcrow                             | mikeat_private
Developer, IBM Linux Technology Center      |
                                            | The wonderful thing about a dancing bear is
                                            | not how well he dances, but that he dances
                                            | at all.
------------------------------------------- | ---------------------
GnuPG Keyprint: 05B5 08A8 713A 64C1 D35D 2371 2D3C FDDA 3EB6 601D
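A defender working with a policy like the one described above usually wants to know which processes on the box actually hold the restricted capabilities at any moment, so the effect of the module (and of any shutdown exception) can be audited from user space. The script below is an added example, not code from Mike's post or from his LSM: it parses the `CapEff` field of `/proc/<pid>/status` and reports which of CAP_SYS_MODULE, CAP_SYS_RAWIO and CAP_NET_ADMIN a process holds in its effective set. The capability bit numbers are the standard ones from `<linux/capability.h>`; the three sample status records are constructed for the example.

```python
"""Audit which processes hold capabilities that an LSM policy restricts.

Added example: parses /proc/<pid>/status text and lists the restricted
capabilities present in each process's effective set (CapEff).
"""
import os
import re

# Standard Linux capability bit numbers (from <linux/capability.h>).
CAP_NET_ADMIN = 12
CAP_SYS_MODULE = 16
CAP_SYS_RAWIO = 17

# The capabilities the LSM in the post disallows.
RESTRICTED = {
    "CAP_NET_ADMIN": CAP_NET_ADMIN,
    "CAP_SYS_MODULE": CAP_SYS_MODULE,
    "CAP_SYS_RAWIO": CAP_SYS_RAWIO,
}

# Constructed sample /proc/<pid>/status bodies (not captured from a real host).
SAMPLE_STATUS = [
    "Name:\tinit\nPid:\t1\nPPid:\t0\nCapEff:\t00000000fffffeff\n",
    "Name:\tbash\nPid:\t1234\nPPid:\t1200\nCapEff:\t0000000000000000\n",
    "Name:\tmodprobe\nPid:\t1300\nPPid:\t1\nCapEff:\t0000000000010000\n",
]


def parse_status(text):
    """Return a dict of 'Field: value' pairs from a /proc/<pid>/status body."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def caps_in_mask(mask, table=RESTRICTED):
    """Names from `table` whose bit is set in the capability bitmask."""
    return sorted(name for name, bit in table.items() if (mask >> bit) & 1)


def audit_status(text):
    """Summarise one process: pid, name and the restricted caps it holds."""
    f = parse_status(text)
    eff = int(f.get("CapEff", "0"), 16)   # CapEff is printed as hex
    return {
        "pid": int(f["Pid"]),
        "name": f.get("Name", "?"),
        "restricted_effective": caps_in_mask(eff),
    }


def audit_all(status_bodies):
    """Audit a list of status bodies; processes holding no restricted caps are kept too."""
    return [audit_status(body) for body in status_bodies]


def holders(status_bodies):
    """Only those processes that hold at least one restricted capability."""
    return [r for r in audit_all(status_bodies) if r["restricted_effective"]]


def read_live_status():
    """Read /proc/<pid>/status for every live process (Linux only)."""
    bodies = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/status") as fh:
                    bodies.append(fh.read())
            except OSError:
                continue   # process exited or is not readable
    return bodies


if __name__ == "__main__":
    # Report on the constructed samples, then on the live system if available.
    bodies = SAMPLE_STATUS + (read_live_status() if os.path.isdir("/proc") else [])
    for rec in holders(bodies):
        print(f"{rec['pid']:>6} {rec['name']:<16} {' '.join(rec['restricted_effective'])}")
```

Run on a live system, the report shows exactly which processes the policy's exception would have to cover during a shutdown, which is a more reliable basis for scoping an exception than the pathname of the binary that requested it.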
This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 10:39:33 PDT