Sorry all. I thought I had replied to Stephen's earlier note but it only went to Serge. I will definitely start looking into the mmap hook for the bypass problem. Any other opinions as far as the rest of the module as a whole?

Thanks,
Niki

On Wed, 13 Oct 2004 09:39:55 -0700, Crispin Cowan <crispin@private> wrote:
> Stephen Smalley wrote:
>
> >On Tue, 2004-10-12 at 19:57, Crispin Cowan wrote:
> >
> >>"untrusted" does not mean what you think it means :) In this case,
> >>substitute "clueless" or "careless" in place of "untrusted". The purpose
> >>is a pathology-preventer to prevent sloppy users from accidentally
> >>executing Trojan code inserted by a malicious user.
> >>
> >Hmmm...that doesn't seem consistent with the original Phrack TPE
> >article, the Stephanie TPE page, or the Linux TPE kernel module page
> >(pre-LSM). They all describe a threat model that includes preventing
> >malicious users from downloading exploit code and running it on the
> >machine.
> >
> /me thinks about it some more
>
> Ok, I see how it could provide that property.
>
> >In any event, given that LSM does provide hooks for mmap and mprotect,
> >it hardly seems unreasonable for the TPE LSM to apply execute checking
> >there as well to avoid trivial bypass, and possibly to make use of the
> >LSM bprm_secureexec hook to prevent use of sensitive LD_* variables by
> >the untrusted user. That still won't address the interpreter problem,
> >which should be noted in the documentation. The Phrack article and the
> >Stephanie TPE implementation took different approaches to trying to
> >solve that problem, nothing very satisfying.
> >
> That also makes sense to me. But I'm not the one doing the work :)
>
> Crispin
>
> --
> Crispin Cowan, Ph.D. http://immunix.com/~crispin/
> CTO, Immunix http://immunix.com
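To make Stephen's point concrete, here is an added, user-space model of a Trusted Path Execution decision (example code written for this archive page, not code from Niki's module, the Phrack article or Stephanie). It shows that one decision function, "may this uid run code from this directory?", has to be consulted from the exec hook, the mmap hook (for PROT_EXEC mappings) and the mprotect hook (when PROT_EXEC is added), and how a bprm_secureexec-style hook marks an untrusted user's exec so the loader ignores LD_* variables. The `struct tpe_dir` metadata, the `tpe_hook_*` names, the three sample directories and the rule "untrusted means any non-root uid" are all constructed simplifications; a real module would read the inode and consult a configured trusted group.

```c
/* Added example, not code from the TPE module discussed above: a user-space
 * model of a Trusted Path Execution decision, showing why the same check has
 * to be applied from the exec, mmap and mprotect LSM hooks. Directory
 * metadata, hook names and the "untrusted = any non-root uid" rule are
 * constructed simplifications of what a real module would take from the
 * inode and from a configured trusted group. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

#define TPE_PROT_READ  0x1UL
#define TPE_PROT_WRITE 0x2UL
#define TPE_PROT_EXEC  0x4UL

/* The few inode fields a TPE check cares about, for the *directory*
 * containing the file being executed or mapped. */
struct tpe_dir {
    const char *path;
    uid_t owner;
    mode_t mode;            /* permission bits only */
};

/* Constructed sample directories. */
const struct tpe_dir TPE_DIR_USR_BIN = { "/usr/bin",  0,    0755  };
const struct tpe_dir TPE_DIR_TMP     = { "/tmp",      0,    01777 };
const struct tpe_dir TPE_DIR_HOME    = { "/home/bob", 1000, 0755  };

/* A trusted path is a directory owned by root that nobody else can write
 * to: neither the group-write nor the world-write bit is set. */
bool tpe_dir_trusted(const struct tpe_dir *d)
{
    return d->owner == 0 && (d->mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Core decision. Root (and, in a real module, members of the trusted
 * group) is exempt; everyone else may only run code from a trusted path. */
int tpe_may_exec(uid_t uid, const struct tpe_dir *d)
{
    if (uid == 0)
        return 0;
    return tpe_dir_trusted(d) ? 0 : -EACCES;
}

/* exec(): the check the thread says the module already applies. */
int tpe_hook_bprm_check(uid_t uid, const struct tpe_dir *d)
{
    return tpe_may_exec(uid, d);
}

/* mmap(): a PROT_EXEC mapping of a file is execution too, so it gets the
 * same check. Non-executable mappings are left alone. */
int tpe_hook_file_mmap(uid_t uid, const struct tpe_dir *d, unsigned long prot)
{
    if (!(prot & TPE_PROT_EXEC))
        return 0;
    return tpe_may_exec(uid, d);
}

/* mprotect(): only a transition that adds PROT_EXEC to an existing file
 * mapping is execute-relevant; dropping or keeping it needs no check. */
int tpe_hook_file_mprotect(uid_t uid, const struct tpe_dir *d,
                           unsigned long old_prot, unsigned long new_prot)
{
    if ((new_prot & TPE_PROT_EXEC) && !(old_prot & TPE_PROT_EXEC))
        return tpe_may_exec(uid, d);
    return 0;
}

/* bprm_secureexec(): a non-zero return makes the kernel set AT_SECURE for
 * the new image, so the dynamic loader ignores LD_PRELOAD, LD_LIBRARY_PATH
 * and friends. In this model every non-root exec is marked secure. */
int tpe_hook_bprm_secureexec(uid_t uid)
{
    return uid != 0;
}

static void report(const char *what, int rc)
{
    printf("%-42s %s\n", what, rc == 0 ? "allowed" : "denied (EACCES)");
}

int main(void)
{
    report("exec /usr/bin/x as uid 1000", tpe_hook_bprm_check(1000, &TPE_DIR_USR_BIN));
    report("exec /tmp/x as uid 1000", tpe_hook_bprm_check(1000, &TPE_DIR_TMP));
    report("mmap PROT_EXEC /home/bob/x as uid 1000",
           tpe_hook_file_mmap(1000, &TPE_DIR_HOME, TPE_PROT_READ | TPE_PROT_EXEC));
    report("mmap PROT_READ /home/bob/x as uid 1000",
           tpe_hook_file_mmap(1000, &TPE_DIR_HOME, TPE_PROT_READ));
    report("mprotect +PROT_EXEC /tmp/x as uid 1000",
           tpe_hook_file_mprotect(1000, &TPE_DIR_TMP, TPE_PROT_READ,
                                  TPE_PROT_READ | TPE_PROT_EXEC));
    report("exec /tmp/x as root", tpe_hook_bprm_check(0, &TPE_DIR_TMP));
    return 0;
}
```

The design point is that `tpe_may_exec()` is the only place policy lives; the hooks differ only in deciding whether the operation in front of them amounts to execution. As Stephen notes, none of this covers the interpreter case (a script fed to a trusted interpreter), which the model deliberately leaves out.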
This archive was generated by hypermail 2.1.3 : Wed Oct 13 2004 - 10:45:24 PDT