On Mon, Aug 18, 2003 at 11:16:36AM -0700, Seth Arnold wrote:
> On Mon, Aug 18, 2003 at 12:41:42PM -0700, Michael Halcrow wrote:
> > I have an LSM that disallows the following capabilities:
> >
> > CAP_SYS_MODULE
> > CAP_SYS_RAWIO
> > CAP_NET_ADMIN
>
> > It is not acceptable to disable or unload the module. I must be able
> > to add logic to address the special case where the user runs
> > /sbin/shutdown, /sbin/halt, or /sbin/reboot, or performs an action
> > that equates to a legal reboot or halt request by the administrator.
>
> I guess I don't understand your security goals.
Perhaps I should have made myself more clear on this. I want to
implement BSD Secure Levels as an LSM.
I want my policies to be enforced whenever I am in a secure level
greater than or equal to 1, except when an atomic shutdown operation
is taking place. That is, once the security has been relaxed to allow
shutdown-related operations, an attacker cannot stop or otherwise
hijack the shutdown process to obtain unauthorized control.
> On one hand, you don't want /sbin/shutdown to function.
> On the other hand, you do want /sbin/shutdown to function.
I want something like this:
static int seclvl_capable(struct task_struct *tsk, int cap)
{
        if ( /* a shutdown is taking place */ ) {
                return 0;
        }
        /* cap is a capability index, not a bit mask, so compare it directly */
        if ((seclvl >= 1) && (cap == CAP_SYS_MODULE)) {
                return -EPERM;
        }
        ...
}
I am looking for the best way to implement ``/* a shutdown is taking
place */''.
> What method of bypassing your capability checks are you interested in
> providing? Something like SELinux's newrole(8) to allow a "shutdown
> role"? Something like LIDS's "lids free session"? Or SubDomain's
> "unconfined process"? Or something like systrace's syscall mediation? Or
> something like LOMac's dynamic watermarking (e.g., any process that has
> communicated with the network is now no longer able to shutdown the
> machine).
>
> It depends on whatever it is you wish to accomplish. :)
I personally prefer SELinux's approach, but I do not think that the
requirements for this project will allow me to use it. :-(
Mike
--
------------------------------------------- | ---------------------
Michael Halcrow | mike@halcrow.us
Developer, IBM Linux Technology Center |
|
The wonderful thing about a dancing bear is |
not how well he dances, but that he dances |
at all. |
------------------------------------------- | ---------------------
GnuPG Keyprint: 05B5 08A8 713A 64C1 D35D 2371 2D3C FDDA 3EB6 601D
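The sketch above leaves "a shutdown is taking place" open. The block below is an added example, written for this page and not code from the thread or from any kernel seclvl module: a user-space model of the capable() hook that fills that condition in one possible way. Everything not in the message is an assumption and is marked as such in the code: the CAP_* numbers are copied from Linux's linux/capability.h; the shutdown state is a one-way latch claimed by a single task with an atomic compare-and-swap and never cleared, so a second task cannot take the exemption over; only the task holding the latch is exempt, and all three capabilities from the original list are denied at seclvl >= 1. It also shows why `cap` must be compared as an index rather than masked with `&`: CAP_SYS_BOOT (22) has bit 16 set, so a masked test against CAP_SYS_MODULE (16) would deny reboot(2) to the very shutdown it is meant to allow.

```c
/*
 * Added example (not from the original thread or any kernel module):
 * user-space model of a BSD-securelevel capable() hook.
 * Assumptions: CAP_* values copied from linux/capability.h; the shutdown
 * is a one-way latch owned by one pid, claimed by compare-and-swap.
 */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

#define CAP_NET_ADMIN  12   /* values as in linux/capability.h */
#define CAP_SYS_MODULE 16
#define CAP_SYS_RAWIO  17
#define CAP_SYS_BOOT   22   /* required by reboot(2), i.e. by /sbin/shutdown itself */

struct task_struct { int pid; };

/* Constructed sample tasks for the demonstration. */
static const struct task_struct shutdown_task = { .pid = 42 };
static const struct task_struct attacker_task = { .pid = 1337 };

static int seclvl = 1;                 /* BSD-style secure level; >= 1 enforces */
static atomic_int shutdown_owner = 0;  /* pid that owns the shutdown; 0 = none */

/* Capabilities denied once seclvl >= 1.  cap is an index (0..N), so it is
 * compared with ==; masking with & would match unrelated capabilities. */
static bool seclvl_restricted(int cap)
{
        return cap == CAP_SYS_MODULE || cap == CAP_SYS_RAWIO || cap == CAP_NET_ADMIN;
}

/* Claim the shutdown.  Succeeds only for the first caller; the latch is
 * never cleared, so no later task can take the exemption over. */
static bool seclvl_begin_shutdown(const struct task_struct *tsk)
{
        int expected = 0;
        return atomic_compare_exchange_strong(&shutdown_owner, &expected, tsk->pid);
}

/* The hook: 0 = allow, -EPERM = deny. */
static int seclvl_capable(const struct task_struct *tsk, int cap)
{
        int owner = atomic_load(&shutdown_owner);
        if (owner != 0 && owner == tsk->pid)
                return 0;              /* only the task performing the shutdown is exempt */
        if (seclvl >= 1 && seclvl_restricted(cap))
                return -EPERM;
        return 0;
}

/* The pitfall: treating the capability index as a bit mask.  CAP_SYS_BOOT
 * (22) has bit 16 set, so this also denies reboot(2). */
static int masked_capable(int cap)
{
        if (seclvl >= 1 && (cap & CAP_SYS_MODULE))
                return -EPERM;
        return 0;
}

int main(void)
{
        printf("masked check denies CAP_SYS_BOOT: %d\n", masked_capable(CAP_SYS_BOOT));
        printf("attacker CAP_SYS_MODULE before shutdown: %d\n",
               seclvl_capable(&attacker_task, CAP_SYS_MODULE));
        printf("shutdown task claims latch: %d\n", seclvl_begin_shutdown(&shutdown_task));
        printf("attacker claims latch: %d\n", seclvl_begin_shutdown(&attacker_task));
        printf("shutdown task CAP_SYS_MODULE: %d\n",
               seclvl_capable(&shutdown_task, CAP_SYS_MODULE));
        printf("attacker CAP_SYS_MODULE during shutdown: %d\n",
               seclvl_capable(&attacker_task, CAP_SYS_MODULE));
        return 0;
}
```

In a real LSM the latch would be an atomic_t updated with cmpxchg and the owner compared against `current`; the point the model makes is that the relaxation is scoped to one task and cannot be revoked or re-claimed, which is what "atomic shutdown" needs. The caveat is that a pid-scoped exemption is only as strong as whatever runs under that pid: anything the shutdown task execs inherits it, so how the latch is granted in the first place (on exec of a trusted /sbin/shutdown, on a legitimate reboot(2) request, or by some other mediation) is the open question the message asks and this example does not settle.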
This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 12:45:16 PDT