Serge Hallyn wrote:
> Attached are two alternative patches, both intended to improve upon
> the current settime hook. (Note, these are competing patches, not
> based upon each other (yet))
>
> The first (settime.patch) simply catches stime(2), both in
> kernel/time.c and in irix_stime(). It also removes redundant
> capable(CAP_SYS_TIME) checks, and implements dummy_settime and
> cap_settime as calls to capable(CAP_SYS_TIME). The CAP_SYS_TIME
> capability is still checked for setting the real time clock, and
> doing clock speedup/slowdown for ntpd.
I vote for the less invasive approach. Pushing the hooks all the way
to the arch-specific code is essentially protecting the kernel from
itself. If an attacker could coax a module to set the system time
while a security module would disallow it, the module has a security
vulnerability, and it's not LSM's job to address security
vulnerabilities in the kernel itself. I think we have to assume that
anything in the kernel is implicitly trusted and must implement its
own security policy enforcement. LSM hooks are there to keep userland
events from violating the system security policy, and so the hooks
should exist at the established kernel interface for userland
requests.
Mike
.___________________________________________________________________.
Michael A. Halcrow <mike@private>
Security Software Engineer, IBM Linux Technology Center
GnuPG Fingerprint: 05B5 08A8 713A 64C1 D35D 2371 2D3C FDDA 3EB6 601D
GPL: A Bill of Rights for the Digital Age
This archive was generated by hypermail 2b30 : Thu Dec 11 2003 - 08:09:02 PST