Re: new security_settime patch

From: Michael Halcrow (mike@private)
Date: Thu Dec 11 2003 - 08:04:35 PST

Serge Hallyn wrote:
> Attached are two alternative patches, both intended to improve upon
> the current settime hook.  (Note, these are competing patches, not
> based upon each other (yet))
> 
> The first (settime.patch) simply catches stime(2), both in
> kernel/time.c and in irix_stime().  It also removes redundant
> capable(CAP_SYS_TIME) checks, and implements dummy_settime and
> cap_settime as calls to capable(CAP_SYS_TIME).  The CAP_SYS_TIME
> capability is still checked for setting the real time clock, and
> doing clock speedup/slowdown for ntpd.
    
I vote for the less invasive approach.  Pushing the hooks all the way
to the arch-specific code is essentially protecting the kernel from
itself.  If an attacker could coax a module to set the system time
while a security module would disallow it, the module has a security
vulnerability, and it's not LSM's job to address security
vulnerabilities in the kernel itself.  I think we have to assume that
anything in the kernel is implicitly trusted and must implement its
own security policy enforcement.  LSM hooks are there to keep userland
events from violating the system security policy, and so the hooks
should exist at the established kernel interface for userland
requests.
    
Mike

.___________________________________________________________________.
                Michael A. Halcrow <mike@private>
       Security Software Engineer, IBM Linux Technology Center
GnuPG Fingerprint: 05B5 08A8 713A 64C1 D35D  2371 2D3C FDDA 3EB6 601D

GPL: A Bill of Rights for the Digital Age
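As an added illustration of the hook placement argued for above (a constructed user-space model, not code from the thread, from either patch, or from the kernel), the following C program models an LSM-style settime hook that is consulted exactly once, at the sys_stime() entry point. The default module reduces to a CAP_SYS_TIME check, as the quoted patch description says; a second, hypothetical module refuses every change. The kernel-internal time store (do_settimeofday() here) is deliberately left without a hook, which is the "kernel is implicitly trusted" position of the reply. All struct names, the hook signature and the task model are assumptions made for the model.

```c
#include <assert.h>
#include <stdio.h>
#include <time.h>

/* Constructed model of LSM settime hook placement. Nothing here is real
 * kernel code; names mirror kernel concepts only for readability. */

#define CAP_SYS_TIME 25   /* the real Linux capability number */
#define EPERM 1

/* Hypothetical task credentials: a capability bitmask. */
struct task {
    unsigned long cap_effective;
};

static struct task *current;   /* stands in for the kernel's `current` */

/* Model of capable(): does the calling task hold the capability? */
static int capable(int cap)
{
    return (current->cap_effective >> cap) & 1UL;
}

/* Model of the LSM operations vector with one hook for setting the time.
 * The hook signature is an assumption of this model. */
struct security_operations {
    int (*settime)(struct timespec *ts, int tz_set);
};

/* Dummy and capability modules both implement settime as a plain
 * CAP_SYS_TIME check, as the quoted patch description states. */
static int cap_settime(struct timespec *ts, int tz_set)
{
    (void)ts; (void)tz_set;
    return capable(CAP_SYS_TIME) ? 0 : -EPERM;
}

/* A stricter hypothetical module: refuses any change to the system time. */
static int deny_settime(struct timespec *ts, int tz_set)
{
    (void)ts; (void)tz_set;
    return -EPERM;
}

static struct security_operations cap_ops  = { .settime = cap_settime };
static struct security_operations deny_ops = { .settime = deny_settime };
static struct security_operations *security_ops = &cap_ops;

static int security_settime(struct timespec *ts, int tz_set)
{
    return security_ops->settime(ts, tz_set);
}

/* The in-kernel time store. Kernel-internal callers write it directly;
 * by design no hook sits in front of it. */
static struct timespec xtime;

static void do_settimeofday(const struct timespec *ts)
{
    xtime = *ts;
}

/* Model of sys_stime(): the userland entry point and the only place the
 * hook is consulted. Returns 0 or a negative errno. */
int sys_stime(long seconds)
{
    struct timespec ts = { .tv_sec = seconds, .tv_nsec = 0 };
    int err = security_settime(&ts, 0);
    if (err)
        return err;
    do_settimeofday(&ts);
    return 0;
}

/* Small helpers so the behaviour can be exercised and checked. */
void set_policy(int deny_all) { security_ops = deny_all ? &deny_ops : &cap_ops; }
long current_time(void) { return xtime.tv_sec; }

/* Scenario: an unprivileged task, then one holding CAP_SYS_TIME, then the
 * deny-all module. Returns 1 if every outcome matches expectations. */
int run_scenario(void)
{
    static struct task unpriv = { .cap_effective = 0 };
    static struct task admin  = { .cap_effective = 1UL << CAP_SYS_TIME };
    xtime.tv_sec = 1000;
    set_policy(0);

    current = &unpriv;   /* no capability: hook denies, clock untouched */
    if (sys_stime(2000) != -EPERM || current_time() != 1000) return 0;

    current = &admin;    /* CAP_SYS_TIME: hook allows, clock updated */
    if (sys_stime(2000) != 0 || current_time() != 2000) return 0;

    set_policy(1);       /* deny-all module overrides the capability */
    if (sys_stime(3000) != -EPERM || current_time() != 2000) return 0;
    return 1;
}

int main(void)
{
    printf("scenario %s\n", run_scenario() ? "ok" : "FAILED");
    return 0;
}
```

The point the model makes is structural: every userland request passes through one security_settime() call at the syscall boundary, so a policy module sees every request it is meant to govern, while code already inside the kernel is trusted to enforce its own checks rather than being wrapped in further hooks.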
This archive was generated by hypermail 2b30 : Thu Dec 11 2003 - 08:09:02 PST