On Thu, 10-11-2005 at 00:04 -0800, Chris Wright wrote:
> 4) Passing capability could mean elimination of capable() call from
> relevant ioctl code. Tempting, but this obfuscates the security check.
> But keeping it means it's likely called twice.

You're right. During development we found an issue which was already being worked out by upstream; it was related to one capability, also with a check "hard coded" in a SELinux hook (security/selinux/hooks.c). We decided to leave the capable() callbacks, hence doing the capability check twice (in the hook call and inside the proper _ioctl() function). We need to decide which one needs to be removed.

Keep in mind that we should make the capability checking code in the hook available to *any* interface, and not make it SELinux-dependent, due to the problems that would take place when a user doesn't compile SELinux support into the kernel. That's the problem: we can't remove the capable() check until we ensure that we can check the capability without depending on SELinux-specific code. Thus, it would need to go in fs/ioctl_perm.c. I'm not really sure about the right way.

+ if (cap >= 0) {
+ rc = task_has_capability(current, cap);
+ if (rc)
+ return rc;
+ }

Cheers and many thanks for the comments,

PS: I apologize for the patch line-wrapping. I can't GPG-sign a message with a patch, as it changes to 'multipart' and gets all the weird formatting. I'll upload the patch(es) soon to selinux.tuxedo-es.org. Thanks to Stephen for pointing this out!

-- 
Lorenzo Hernández García-Hierro <lorenzo@private>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
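Review bot: task_has_capability() is an SELinux-internal helper living in security/selinux/hooks.c, so calling it from fs/ioctl_perm.c reintroduces exactly the SELinux dependency the surrounding text says the hook must avoid; a kernel built without SELinux has no such symbol to link against. The LSM-neutral way to express the same check from fs/ code is the kernel's own capable(), which dispatches through the security_ops->capable hook and therefore still works with only the default capability module loaded. Note the inverted return convention when switching: capable() returns 1 when the task holds the capability and 0 otherwise, whereas the hunk's `if (rc) return rc;` assumes the 0/-errno style of task_has_capability(), so the replacement should read `if (cap >= 0 && !capable(cap)) return -EPERM;` rather than propagating the return value directly. It would also help to document, next to the table this `cap >= 0` test consults, that a negative value is the "no capability required" sentinel.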
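The design question in the thread is how a generic ioctl permission hook can do a table-driven capability check without hard-wiring SELinux into it, and why the two return conventions (capable()-style 1/0 versus LSM-style 0/-errno) matter when the check moves between layers. The following user-space model is an added example, not code from the ioctl_perm patch or the kernel: the task structure, capability mask, command numbers, table contents and the `capable_hook` indirection are all constructed here to illustrate the pattern and are hypothetical.

```c
/*
 * Added example (not from the original mail or the ioctl_perm patch):
 * a user-space model of a table-driven ioctl permission hook whose
 * capability check goes through a pluggable "capable" callback, so the
 * hook itself has no dependency on any one security module.
 * Names, command numbers and table entries are constructed for this demo.
 */
#include <stdio.h>
#include <stddef.h>
#include <errno.h>
#include <stdint.h>

/* Capability numbers follow linux/capability.h for the two we model. */
#define CAP_NET_ADMIN 12
#define CAP_SYS_ADMIN 21
#define CAP_NONE      (-1)   /* sentinel: this ioctl needs no capability */

/* Minimal task model: a 64-bit effective capability mask. */
struct task {
    uint64_t cap_effective;
};

/* capable()-style callback: returns 1 if tsk holds cap, 0 otherwise. */
typedef int (*capable_fn)(const struct task *tsk, int cap);

/* Default policy: plain bit test against the effective set. */
static int default_capable(const struct task *tsk, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((tsk->cap_effective >> cap) & 1);
}

static capable_fn capable_hook = default_capable;

/* A security module may install its own decision function; NULL resets. */
void set_capable_hook(capable_fn fn)
{
    capable_hook = fn ? fn : default_capable;
}

/* Constructed ioctl -> required-capability table (command numbers arbitrary). */
struct ioctl_perm {
    unsigned int cmd;
    int cap;
};

static const struct ioctl_perm perm_table[] = {
    { 0x8910, CAP_NONE },       /* e.g. a read-only query */
    { 0x8914, CAP_NET_ADMIN },  /* e.g. a network configuration change */
    { 0x5401, CAP_SYS_ADMIN },  /* e.g. an administrative device command */
};

/* Look up the capability required for cmd; unlisted commands need none. */
int ioctl_required_cap(unsigned int cmd)
{
    size_t i;

    for (i = 0; i < sizeof(perm_table) / sizeof(perm_table[0]); i++)
        if (perm_table[i].cmd == cmd)
            return perm_table[i].cap;
    return CAP_NONE;
}

/*
 * The hook proper. Uses the LSM return convention (0 = allowed,
 * -errno = denied) while consulting a capable()-style 1/0 callback,
 * so the result must be translated rather than returned directly.
 */
int ioctl_perm_check(const struct task *tsk, unsigned int cmd)
{
    int cap = ioctl_required_cap(cmd);

    if (cap >= 0 && !capable_hook(tsk, cap))
        return -EPERM;
    return 0;
}

/* A stricter module: refuses CAP_SYS_ADMIN ioctls even for tasks that
 * hold the bit, and defers to the default decision for everything else. */
int strict_capable(const struct task *tsk, int cap)
{
    if (cap == CAP_SYS_ADMIN)
        return 0;
    return default_capable(tsk, cap);
}

int main(void)
{
    struct task admin = { (1ULL << CAP_NET_ADMIN) | (1ULL << CAP_SYS_ADMIN) };
    struct task plain = { 0 };

    printf("plain 0x8914 -> %d\n", ioctl_perm_check(&plain, 0x8914));
    printf("admin 0x8914 -> %d\n", ioctl_perm_check(&admin, 0x8914));
    set_capable_hook(strict_capable);
    printf("admin 0x5401 (strict) -> %d\n", ioctl_perm_check(&admin, 0x5401));
    set_capable_hook(NULL);
    return 0;
}
```

The point to carry back to the real patch is the shape of ioctl_perm_check(): the hook owns the table lookup and the 0/-errno result, while the actual privilege decision is delegated through a single indirection that any security module can replace, and the `cap >= 0` sentinel test is what lets unprivileged commands share the same table.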
This archive was generated by hypermail 2.1.3 : Thu Nov 10 2005 - 06:50:04 PST