On Tue, 2004-06-29 at 14:10, Valdis.Kletnieks@private wrote:
> The point was that not every security requirement can be handled by SELinux.
> For instance, consider the now-venerable symlink/hardlink/fifo hardening that
> dates all the way back to Solar Designer's OpenWall patch for the 2.0.39
> kernel (and probably further).... the current LSM version I have is:
>
> int vtkit_follow_link (struct dentry *dentry, struct nameidata *nd)
> {
>     struct inode *i_target = dentry->d_inode;
>     struct inode *i_parent = dentry->d_parent->d_inode;
>
>     if (security_safe_symlink &&
>         (i_parent->i_mode & S_ISVTX) && (i_parent->i_mode & S_IWOTH) &&
>         (i_parent->i_uid != i_target->i_uid) &&
>         (current->fsuid != i_target->i_uid)) {
>         printk(KERN_NOTICE "vtkit - rejecting symlink UID %d (dir UID %d) follow by PID %d (uid=%d, comm=%s)\n",
>                i_target->i_uid, i_parent->i_uid, current->pid, current->uid, current->comm);
>         return -EPERM;
>     }
>     return 0;
> }
>
> Kind of hard to do in SELinux, as we don't *care* where i_target and i_parent
> are in the file system.

The parallel in SELinux is not allowing a domain to read symlinks with
untrustworthy types.

> Feel free to devise your own example if you don't like this one. ;)

I won't argue that SELinux is suited for every security requirement, but
it can cover a wide spectrum.

-- 
Stephen Smalley <sds@private>
National Security Agency
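The rule in the quoted hook, restated as a userspace check. This is an added example, not part of the original message or the vtkit module: the function names are hypothetical, the security_safe_symlink toggle is omitted, and the caller's effective UID stands in for the kernel's fsuid.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for lstat() and S_ISVTX */
#endif
#include <errno.h>
#include <libgen.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same predicate as the quoted hook, on plain values (hypothetical name).
 * Returns 0 if the follow is allowed, -EPERM if it would be rejected. */
int sticky_symlink_check(mode_t dir_mode, uid_t dir_uid,
                         uid_t link_uid, uid_t fsuid)
{
    if ((dir_mode & S_ISVTX) && (dir_mode & S_IWOTH) &&
        dir_uid != link_uid &&      /* link not created by the dir owner */
        fsuid != link_uid)          /* link not created by the follower  */
        return -EPERM;
    return 0;
}

/* Apply the rule to a path on disk (hypothetical helper).
 * Returns 0 or -EPERM as above, 1 if path is not a symlink,
 * or -errno if the link or its directory cannot be examined. */
int audit_symlink(const char *path, uid_t fsuid)
{
    struct stat link_st, dir_st;
    char buf[4096];

    if (lstat(path, &link_st) != 0)     /* the link itself, not its target */
        return -errno;
    if (!S_ISLNK(link_st.st_mode))
        return 1;
    if (strlen(path) >= sizeof(buf))
        return -ENAMETOOLONG;
    strcpy(buf, path);                  /* dirname() may modify its argument */
    if (stat(dirname(buf), &dir_st) != 0)
        return -errno;
    return sticky_symlink_check(dir_st.st_mode, dir_st.st_uid,
                                link_st.st_uid, fsuid);
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        printf("%s: %d\n", argv[i], audit_symlink(argv[i], geteuid()));
    return 0;
}
```

Run against links in a sticky, world-writable directory such as /tmp, a result of -1 (-EPERM) marks a link owned by neither the directory owner nor the caller, which is the case the hook refuses to follow.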
This archive was generated by hypermail 2b30 : Tue Jun 29 2004 - 11:17:05 PDT