* Serge E. Hallyn (hallyn@private) wrote:
> > > In fact, my experiments show the opposite to be true. Adding a
> > > security_task_lookup() call in proc_pid_lookup() causes
> > > ls /proc/1 to improperly succeed once it has properly for some other
> > > process. The task_to_inode + inode_permission check always worked.
> >
> > Ah, yeah. You're getting bit by a cached lookup. I expect ls -d would
> > pass that check (it'll need inode_getattr support).
>
> Correct on both counts - "ls -d" was incorrectly allowed, and is correctly
> denied when I add an inode_getattr check. So as you also mentioned, properly
> hiding the existence of these processes would require:
>
>	inode_permission
>	inode_getattr
>	inode_getxattr
>	sb_statfs

This last one is really hopeless. The lookup will succeed (if cached),
but then the superblock is culled from the dentry, and that's all that's
passed down. Doubt you'd want to disable statfs /proc, so statfs probes
can find entries.

> and maybe some others. Do we want to provide a simpler, one-step way of
> achieving this? Perhaps through a macro, or doubling up task_lookup with
> those other checks (yuck)? Or just documentation?

We can't double these things up, so we'll just have to use existing
hooks with task_to_inode where appropriate.

thanks,
-chris
--
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
This archive was generated by hypermail 2.1.3 : Tue Aug 17 2004 - 09:56:29 PDT
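
The following is an added example, not part of the thread or of any LSM's code: a userspace check that a policy author could run to see which of the four hook paths listed above still expose a /proc/<pid> entry. The default path, the xattr name and the function names are assumptions made for illustration; per the reply above, the statfs probe is expected to keep succeeding because only the superblock reaches that hook.

```c
/* Added example (not from the thread): userspace probes, one per LSM hook
 * that the message lists as needed to hide a /proc/<pid> entry. */
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/vfs.h>
#include <sys/xattr.h>
#include <unistd.h>

enum { P_PERMISSION = 1, P_GETATTR = 2, P_GETXATTR = 4, P_STATFS = 8 };

/* A probe "reached" the object unless the kernel reported it absent or
 * denied. ENODATA/ENOTSUP from getxattr still mean the path resolved. */
static int reached(int rc)
{
    if (rc >= 0)
        return 1;
    return !(errno == ENOENT || errno == ENOTDIR ||
             errno == EACCES || errno == EPERM);
}

/* Bitmask of the probes through which `path` is still observable. */
unsigned probe_path(const char *path)
{
    struct stat st;
    struct statfs fs;
    char buf[256];
    unsigned mask = 0;

    if (reached(access(path, R_OK)))   /* inode_permission (what ls needs) */
        mask |= P_PERMISSION;
    if (reached(stat(path, &st)))      /* inode_getattr (what ls -d needs) */
        mask |= P_GETATTR;
    /* inode_getxattr; the attribute name is an arbitrary choice (assumption) */
    if (reached(getxattr(path, "security.selinux", buf, sizeof buf)))
        mask |= P_GETXATTR;
    if (reached(statfs(path, &fs)))    /* sb_statfs: sees only the superblock */
        mask |= P_STATFS;
    return mask;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc/1";  /* default is an assumption */
    unsigned m = probe_path(path);

    printf("%s: permission=%d getattr=%d getxattr=%d statfs=%d\n", path,
           !!(m & P_PERMISSION), !!(m & P_GETATTR),
           !!(m & P_GETXATTR), !!(m & P_STATFS));
    return m != 0;   /* non-zero exit: the entry is still observable */
}
```

Run it once before and once after listing the directory of another process, since the thread attributes the inconsistent results to a cached lookup.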