From: "José Bollo" <jobol@nonadev.net>
To: Casey Schaufler <casey@schaufler-ca.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
selinux@tycho.nsa.gov
Cc: paul@paul-moore.com, james.l.morris@oracle.com,
linux-security-module@vger.kernel.org,
john.johansen@canonical.com
Subject: Re: [PATCH 2/2] proc,security: move restriction on writing /proc/pid/attr nodes to proc
Date: Tue, 20 Dec 2016 22:22:30 +0100 [thread overview]
Message-ID: <1482268950.25787.3.camel@nonadev.net> (raw)
In-Reply-To: <34661049-44ab-5eb1-0c25-b71a2cec90e3@schaufler-ca.com>
Le mardi 20 décembre 2016 à 12:03 -0800, Casey Schaufler a écrit :
> On 12/20/2016 11:35 AM, Stephen Smalley wrote:
> > On Tue, 2016-12-20 at 11:07 -0800, Casey Schaufler wrote:
> > > On 12/20/2016 10:28 AM, Stephen Smalley wrote:
> > > > On Tue, 2016-12-20 at 10:17 -0800, Casey Schaufler wrote:
> > > > > On 12/20/2016 8:50 AM, Stephen Smalley wrote:
> > > > > > On Tue, 2016-12-20 at 17:39 +0100, José Bollo wrote:
> > > > > > > Le mardi 20 décembre 2016 à 11:14 -0500, Stephen Smalley
> > > > > > > a
> > > > > > > écrit
> > > > > > > :
> > > > > > > >
> > > > > > > > Looking at your PTAGS implementation, I feel it is only
> > > > > > > > fair to
> > > > > > > > warn
> > > > > > > > you that your usage of /proc/pid/attr is insecure,
> > > > > > > > regardless
> > > > > > > > of
> > > > > > > > whether you use task security blobs or cred security
> > > > > > > > blobs.
> > > > > > >
> > > > > > > Fair?!
> > > > > > >
> > > > > > > > Getting the attributes of another process via /proc/pid
> > > > > > > > files
> > > > > > > > is
> > > > > > > > inherently racy, as the process may exit and another
> > > > > > > > process
> > > > > > > > with
> > > > > > > > different attributes may be created with the same pid
> > > > > > > > (and
> > > > > > > > no,
> > > > > > > > this
> > > > > > > > is not theoretical; it has been demonstrated).
> > > > > > >
> > > > > > > I know. And I'm surprized that you dont do anything to
> > > > > > > change
> > > > > > > that.
> > > > > >
> > > > > > There is a reason why SO_PEERSEC and SCM_SECURITY
> > > > > > exist. Again,
> > > > > > learn
> > > > > > from the upstream security modules rather than re-inventing
> > > > > > them,
> > > > > > badly.
> > > > >
> > > > > SO_PEERSEC and SCM_SECURITY are spiffy for processes that are
> > > > > sending each other messages, but they identify the attributes
> > > > > associated with the message, not the process. Neither SELinux
> > > > > nor Smack get the information to send off of the process, it
> > > > > comes from the socket structure.
> > > >
> > > > Yes, but in the SELinux case at least, the socket is labeled
> > > > with
> > > > the
> > > > label of the creating process (except in the rare case of using
> > > > setsockcreatecon(3), which can only be used by suitably
> > > > authorized
> > > > processes).
> > >
> > > Yes, it's the same with Smack. When it's not the label
> > > of the process it's the label the system wants the peer
> > > to think it is.
> > >
> > > > So in general it serves quite well as a means of obtaining
> > > > the peer label, which can then be used in access control (and
> > > > this
> > > > is
> > > > in fact being used in a variety of applications in Linux and
> > > > Android).
> > >
> > > But only between processes that are in direct, explicit
> > > communication.
> > > There is no denying that these mechanisms work. They just aren't
> > > applicable to Jose's use.
> >
> > If you say so (although it is unclear to me why or what exactly his
> > use
> > case is), but regardless, there is also no denying that getting and
> > setting another process' attributes via /proc/pid files is
> > inherently
> > racy.
>
> You're right. How can we fix that? I have seen a gazillion cases
> where system security would be much simpler and easier to enforce
> and develop if we could (safely) ensure that the process under
> /proc/pid wouldn't change on you without you knowing.
Yes, fully agreed. It summarizes well my mind. There is here a good job
to be done. I can imagine solution to this problem. And what Stephen
thinks as a law is just a bug.
> > He even acknowledged as much. So we are left with a "security"
> > module whose only purpose is to support getting and setting process
> > tags for security enforcement purposes, and yet does so in a known-
> > insecure manner. Again, this is why I keep suggesting that he
> > needs to
> > reconsider his approach, not merely figure out how to implement
> > per-
> > task security blobs.
>
> Whether or not Jose moves forward with PTAGS we have identified
> an issue with the current cred based hooks for AppArmor, TOMOYO
> and at least one other proposed module. Regardless of the issues
> of /proc/pid there is work to be done.
next prev parent reply other threads:[~2016-12-20 21:22 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-16 17:41 [PATCH 1/2] selinux: clean up cred usage and simplify Stephen Smalley
2016-12-16 17:41 ` [PATCH 2/2] proc, security: move restriction on writing /proc/pid/attr nodes to proc Stephen Smalley
2016-12-16 18:38 ` [PATCH 2/2] proc,security: " Casey Schaufler
2016-12-16 19:06 ` John Johansen
2016-12-16 22:06 ` Paul Moore
2016-12-16 22:13 ` Casey Schaufler
2016-12-20 1:30 ` Paul Moore
2016-12-20 1:51 ` Casey Schaufler
2016-12-20 10:36 ` José Bollo
2016-12-20 11:13 ` [PATCH 2/2] proc, security: " Tetsuo Handa
2016-12-20 12:14 ` [PATCH 2/2] proc,security: " José Bollo
2016-12-19 9:44 ` José Bollo
2016-12-19 14:33 ` Stephen Smalley
2016-12-19 15:00 ` José Bollo
2016-12-19 15:41 ` José Bollo
2016-12-19 15:52 ` Stephen Smalley
2016-12-19 16:32 ` Casey Schaufler
2016-12-19 17:09 ` Stephen Smalley
2016-12-19 18:00 ` Casey Schaufler
2016-12-19 18:18 ` José Bollo
2016-12-19 18:12 ` José Bollo
2016-12-19 20:36 ` John Johansen
2016-12-19 21:25 ` Casey Schaufler
2016-12-19 21:46 ` [PATCH 2/2] proc, security: move restriction on writing/proc/pid/attr " Tetsuo Handa
2016-12-19 21:50 ` [PATCH 2/2] proc,security: move restriction on writing /proc/pid/attr " Stephen Smalley
2016-12-19 22:31 ` Casey Schaufler
2016-12-19 22:45 ` John Johansen
2016-12-19 22:49 ` Casey Schaufler
2016-12-20 1:27 ` Paul Moore
2016-12-20 1:23 ` Paul Moore
2016-12-20 1:59 ` Casey Schaufler
2016-12-20 14:40 ` José Bollo
2016-12-20 16:21 ` Casey Schaufler
2016-12-20 16:14 ` Stephen Smalley
2016-12-20 16:39 ` José Bollo
2016-12-20 16:50 ` Stephen Smalley
2016-12-20 18:17 ` Casey Schaufler
2016-12-20 18:28 ` Stephen Smalley
2016-12-20 19:07 ` Casey Schaufler
2016-12-20 19:35 ` Stephen Smalley
2016-12-20 20:03 ` Casey Schaufler
2016-12-20 21:22 ` José Bollo [this message]
2016-12-20 21:35 ` Stephen Smalley
2016-12-20 21:38 ` John Johansen
2016-12-21 2:37 ` Paul Moore
2016-12-21 7:04 ` José Bollo
2016-12-21 15:15 ` Paul Moore
2016-12-16 22:02 ` [PATCH 1/2] selinux: clean up cred usage and simplify Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1482268950.25787.3.camel@nonadev.net \
--to=jobol@nonadev.net \
--cc=casey@schaufler-ca.com \
--cc=james.l.morris@oracle.com \
--cc=john.johansen@canonical.com \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.