From: David Howells <dhowells@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: viro@ftp.linux.org.uk, dhowells@redhat.com,
selinux@tycho.nsa.gov,
LSM List <linux-security-module@vger.kernel.org>
Subject: SELinux security and passed file descriptors
Date: Thu, 30 Aug 2007 16:12:14 +0100 [thread overview]
Message-ID: <10698.1188486734@redhat.com> (raw)
Hi Stephen,
Imagine you have two processes, say A and B, running with different security
contexts. If A opens a file and passed the file descriptor to B (sends it
over an AF_UNIX socket perhaps), then what security context should be assumed
when B operates on the file descriptor? A's security, or B's?
I would have thought it should be A's security, since A opened the file. This
is usually the case for UID/GID/mode information (which are resident on the
file struct) and other FS-specific access contexts (in the in-kernel AFS's
case, this includes the kerberos ticket A used to access the file, and I
believe the same is true in NFS's case).
However, having just been looking through security/selinux/hooks.c, this isn't
always the case with SELinux. For ioctls, for example, B's security context
will be used. The same goes for reading and writing.
This is surely incorrect. This can mean A can pass a file that it can read
and write to B that B can't then read or write because it doesn't have access,
even though it ought to be able to because *A* can.
At least, that's how I interpret the code.
If I'm right, and this is incorrect behaviour, then I have most of a patch
that I'm working on to pass the appropriate credentials around.
David
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next reply other threads:[~2007-08-30 15:12 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-08-30 15:12 David Howells [this message]
2007-08-30 15:19 ` SELinux security and passed file descriptors Stephen Smalley
2007-08-31 14:32 ` David Howells
2007-08-31 15:01 ` Stephen Smalley
2007-08-31 15:39 ` Casey Schaufler
2007-08-31 15:46 ` Mikel L. Matthews
2007-08-31 15:39 ` James Antill
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=10698.1188486734@redhat.com \
--to=dhowells@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=viro@ftp.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.