On Tue, 2004-10-12 at 19:57, Crispin Cowan wrote:
> "untrusted" does not mean what you think it means :) In this case,
> substitute "clueless" or "careless" in place of "untrusted". The purpose
> is a pathology-preventer to prevent sloppy users from accidentally
> executing Trojan code inserted by a malicious user.

Hmmm...that doesn't seem consistent with the original Phrack TPE article, the Stephanie TPE page, or the Linux TPE kernel module page (pre-LSM). They all describe a threat model that includes preventing malicious users from downloading exploit code and running it on the machine.

In any event, given that LSM does provide hooks for mmap and mprotect, it hardly seems unreasonable for the TPE LSM to apply execute checking there as well to avoid trivial bypass, and possibly to make use of the LSM bprm_secureexec hook to prevent use of sensitive LD_* variables by the untrusted user. That still won't address the interpreter problem, which should be noted in the documentation. The Phrack article and the Stephanie TPE implementation took different approaches to trying to solve that problem, nothing very satisfying.

--
Stephen Smalley <sds@private>
National Security Agency
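An added illustration of the point about covering mmap and mprotect (a user-space model of my own, not the TPE LSM's code or anything posted in this thread): the trusted-path rule assumed here is that a file's containing directory must be root-owned and not group- or world-writable, and the same rule is applied at execve and at any request that makes memory executable, so a PROT_EXEC mapping or mprotect cannot sidestep the execve check. The `tpe_file` type, the sample directories and the function names are all constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/mman.h>
#include <sys/stat.h>

/* One file's relevant attributes: who owns the directory it lives in and
 * that directory's permission bits. Constructed model, not kernel state. */
typedef struct {
    unsigned dir_uid;
    unsigned dir_mode;
} tpe_file;

/* Constructed sample locations. */
static const tpe_file bin_dir  = { 0,    0755  }; /* /usr/bin style: trusted */
static const tpe_file tmp_dir  = { 0,    01777 }; /* /tmp style: world-writable */
static const tpe_file home_dir = { 1000, 0755  }; /* user-owned home directory */

/* Assumed TPE rule: the containing directory must be root-owned and not
 * writable by group or others. */
bool tpe_path_trusted(const tpe_file *f)
{
    return f->dir_uid == 0 && (f->dir_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* execve-time check. Returns 0 to allow, -1 to deny; root is exempt. */
int tpe_check_exec(unsigned uid, const tpe_file *f)
{
    if (uid == 0) return 0;
    return tpe_path_trusted(f) ? 0 : -1;
}

/* Check applied at both the mmap and the mprotect hook points: any request
 * that turns on PROT_EXEC must be backed by a file on a trusted path.
 * Anonymous memory (backing == NULL) has no path to trust and is denied
 * for non-root users, closing the write-then-mprotect route. */
int tpe_check_exec_prot(unsigned uid, const tpe_file *backing, int prot)
{
    if (!(prot & PROT_EXEC) || uid == 0) return 0;
    return (backing != NULL && tpe_path_trusted(backing)) ? 0 : -1;
}
```

With only `tpe_check_exec` in place, the mmap and mprotect requests that `tpe_check_exec_prot` denies would go through unchecked, which is the bypass the message refers to.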
This archive was generated by hypermail 2.1.3 : Wed Oct 13 2004 - 05:53:08 PDT