On Fri, 29 Oct 2004 10:47:14 EDT, Colin Walters said:

> Something like this:
>
> constrain lnk_file read ( t2 != tmpfile or u1 == u2 );
>
> We'd just need a new attribute 'tmpfile' to mark all types like tmp_t
> and derived ones such as user_tmp_t. You still need to give each
> individual user their own SELinux identity, but they can still be
> user_t.

Hmm... so let's see.. the second part says "you can always follow your own symlinks", which is desirable. And the first (if I'm dereferencing t2 correctly) is saying "the symlink can't be a tmpfile". And since any symlink found under a tmp_t directory should be some derived type of *_tmp_t, the attacker can't hijack you with the first part unless he's already gotten relabel_(from/to), at which point it's Game Over anyhow...

Yeah.. that addresses my issue. ;)

Now if we can get

constrain fifo_file { read write } ( t2 != tmpfile or u1 == u2 );

working (and a similar one for unix-domain sockets), I can at least in principle heave my LSM code over the side when running on an LSM system (Stephen Smalley addressed in principle what's needed for my hardlink concerns). This one *is* a bit more complicated, as we'd need to deal with programs that legitimately drop a fifo or socket into /tmp for the benefit of programs in multiple domains (but I think most of them already have policy in place - xdm_t:fifo_file for example).

Congrats guys... We're almost there! :)
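The policy fragment the constraints discussed in this thread would need, written out as an added example rather than text from the thread or from the SELinux reference policy; tmp_t, user_tmp_t and the tmpfile attribute are the names used above, while shared_tmp_fifo_t is a hypothetical name for a deliberately shared fifo.

```selinux
# Added example, not from the thread: the attribute marks every /tmp type.
attribute tmpfile;

# Types named in the thread; the typeattribute lines tag them so the
# constraints below can test "t2 != tmpfile".
type tmp_t;
type user_tmp_t;
typeattribute tmp_t tmpfile;
typeattribute user_tmp_t tmpfile;

# Following a symlink checks lnk_file:read on the link itself, so with
# this constraint a process may dereference a symlink of a tmpfile type
# only if the link belongs to its own SELinux user (u1 == u2).
# Constraints only narrow what allow rules already grant: they add no
# access, and u1 == u2 is meaningful only when each Unix account has
# its own SELinux user identity, as the quoted message points out.
constrain lnk_file read ( t2 != tmpfile or u1 == u2 );

# The same rule for fifos and for unix-domain socket files in /tmp
# (connecting to a socket file is checked as sock_file:write).
constrain fifo_file { read write } ( t2 != tmpfile or u1 == u2 );
constrain sock_file { read write } ( t2 != tmpfile or u1 == u2 );

# Hypothetical: a fifo that is meant to be shared across users (the xdm
# case mentioned above) gets a type that is NOT given the tmpfile
# attribute, so the constraint never applies to it and ordinary allow
# rules alone decide who may open it.
type shared_tmp_fifo_t;
```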
This archive was generated by hypermail 2.1.3 : Fri Oct 29 2004 - 13:34:01 PDT