Re: [PATCH] LSM hooks for audit

From: Stephen Smalley (sds@private)
Date: Wed Sep 15 2004 - 12:39:03 PDT


On Wed, 2004-09-15 at 15:31, Serge E. Hallyn wrote:
> > Sorry, I wasn't thinking in my initial response.  These operations are
> > exported via netlink, which is async, right?  Hence, permission checks
> 
> I was wondering about that.  Based on the original code I assumed that
> it was synchronous.
> 
> Taking a second look at net/netlink, I guess not.
> 
> Is there any reason why we can't find the task belonging to
> NETLINK_CREDS(skb)->pid and send that along to the security_* hooks?

Race conditions.  Untrusted sender fires off a netlink message to set
some value, then immediately exec's a privilege-changing program so that
when the receiver evaluates the task's credentials, the task is running
privileged.  I think you either have to do all of your mediation at
netlink_send time (as in the SELinux code) or get a security field into
netlink_skb_parms (but then you have lifecycle management issues, which
seems difficult to separate from having a general security field in the
sk_buff itself).


-- 
Stephen Smalley <sds@private>
National Security Agency
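
The race described in the reply above, as an added example that is not part of the original message or of any kernel code: a small userspace C model in which an unprivileged sender queues a message and then changes credentials before the receiver runs. All names (`find_task`, `queue_msg`, `exec_privileged`, the two receiver checks) and the sample task are hypothetical and constructed for illustration.

```c
/* Userspace model (not kernel code): every name here is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct task { int pid; bool privileged; };      /* sender's current credentials */
struct msg  { int sender_pid; bool allowed_at_send; int value; };

static struct task tasks[] = { { 100, false } }; /* constructed sample task */

static struct task *find_task(int pid) {
    for (size_t i = 0; i < sizeof tasks / sizeof tasks[0]; i++)
        if (tasks[i].pid == pid) return &tasks[i];
    return NULL;
}

/* Policy for this model: only a privileged task may set the value. */
static bool may_set(const struct task *t) { return t && t->privileged; }

/* Send side: the permission decision is made and recorded here, while the
 * sender still has the credentials it had when it built the message. */
static struct msg queue_msg(int pid, int value) {
    struct msg m = { pid, may_set(find_task(pid)), value };
    return m;
}

/* Models the sender exec'ing a privilege-changing program after sending. */
static void exec_privileged(int pid) {
    struct task *t = find_task(pid);
    if (t) t->privileged = true;
}

/* Receiver A: looks the task up by pid when the message is processed. */
static bool recv_check_by_pid(const struct msg *m) { return may_set(find_task(m->sender_pid)); }

/* Receiver B: honours only the decision recorded at send time. */
static bool recv_check_at_send(const struct msg *m) { return m->allowed_at_send; }

/* Returns 1 if the receiver accepts the queued message, 0 if it rejects it. */
static int race_demo(bool use_pid_lookup) {
    tasks[0].privileged = false;
    struct msg m = queue_msg(100, 42);  /* unprivileged sender queues a message */
    exec_privileged(100);               /* credentials change before receipt */
    return use_pid_lookup ? recv_check_by_pid(&m) : recv_check_at_send(&m);
}

int main(void) {
    printf("pid lookup at receive: %d, decision at send: %d\n", race_demo(true), race_demo(false));
    return 0;
}
```

The late pid lookup accepts a message that was sent without privilege, while the decision recorded at send time rejects it.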



This archive was generated by hypermail 2.1.3 : Wed Sep 15 2004 - 12:42:29 PDT