Re: TPE diff against 2.6.8 with 2.6.9-rc3 patches

From: Crispin Cowan (crispin@private)
Date: Wed Oct 13 2004 - 09:39:55 PDT

Stephen Smalley wrote:

>On Tue, 2004-10-12 at 19:57, Crispin Cowan wrote:
>>"untrusted" does not mean what you think it means :) In this case, 
>>substitute "clueless" or "careless" in place of "untrusted". The purpose 
>>is a pathology-preventer to prevent sloppy users from accidentally 
>>executing Trojan code inserted by a malicious user.
>Hmmm...that doesn't seem consistent with the original Phrack TPE
>article, the Stephanie TPE page, or the Linux TPE kernel module page
>(pre-LSM).  They all describe a threat model that includes preventing
>malicious users from downloading exploit code and running it on the
/me thinks about it some more

Ok, I see how it could provide that property.

>In any event, given that LSM does provide hooks for mmap and mprotect,
>it hardly seems unreasonable for the TPE LSM to apply execute checking
>there as well to avoid trivial bypass, and possibly to make use of the
>LSM bprm_secureexec hook to prevent use of sensitive LD_* variables by
>the untrusted user.  That still won't address the interpreter problem,
>which should be noted in the documentation.  The Phrack article and the
>Stephanie TPE implementation took different approaches to trying to
>solve that problem, nothing very satisfying.
That also makes sense to me. But I'm not the one doing the work :)


Crispin Cowan, Ph.D.
CTO, Immunix

This archive was generated by hypermail 2.1.3 : Wed Oct 13 2004 - 09:42:11 PDT