Stephen Smalley wrote:

>On Tue, 2004-10-12 at 19:57, Crispin Cowan wrote:
>
>>"untrusted" does not mean what you think it means :) In this case, substitute "clueless" or "careless" in place of "untrusted". The purpose is a pathology-preventer to prevent sloppy users from accidentally executing Trojan code inserted by a malicious user.
>>
>Hmmm... that doesn't seem consistent with the original Phrack TPE article, the Stephanie TPE page, or the Linux TPE kernel module page (pre-LSM). They all describe a threat model that includes preventing malicious users from downloading exploit code and running it on the machine.
>

/me thinks about it some more

Ok, I see how it could provide that property.

>In any event, given that LSM does provide hooks for mmap and mprotect, it hardly seems unreasonable for the TPE LSM to apply execute checking there as well to avoid trivial bypass, and possibly to make use of the LSM bprm_secureexec hook to prevent use of sensitive LD_* variables by the untrusted user. That still won't address the interpreter problem, which should be noted in the documentation. The Phrack article and the Stephanie TPE implementation took different approaches to trying to solve that problem, nothing very satisfying.
>

That also makes sense to me. But I'm not the one doing the work :)

Crispin

-- 
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com
This archive was generated by hypermail 2.1.3 : Wed Oct 13 2004 - 09:42:11 PDT