From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] How to handle glibc-triggered behavior?
Date: Thu, 10 Dec 2015 16:49:09 +0100 [thread overview]
Message-ID: <20151210154907.GF22216@x250> (raw)
In-Reply-To: <56699DE4.7070109@tresys.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Thu, Dec 10, 2015 at 10:44:36AM -0500, Christopher J. PeBenito wrote:
> On 12/10/2015 10:13 AM, Dominick Grift wrote:
> > On Thu, Dec 10, 2015 at 04:10:58PM +0100, Dominick Grift wrote:
> >> On Thu, Dec 10, 2015 at 03:59:33PM +0100, Laurent Bigonville
> >> wrote:
> >>> Hey,
> >>>
> >>> Le 21/12/14 13:15, Sven Vermeulen a ?crit :
> >>>> glibc's malloc implementation, in multithreaded applications,
> >>>> might read /proc/sys/vm/overcommit_memory to check if the
> >>>> heap can be shrunk or not (when the allocated memory is part
> >>>> of the non-main arena). That means that read access to
> >>>> sysctl_vm_t becomes a wide request.
> >>>>
> >>>> Not granting privileges might result in different memory
> >>>> behavior, where the system administrator might have
> >>>> tuned/tweaked memory allocations on Linux, but malloc()
> >>>> ignoring this due to SELinux denying access to the settings.
> >>>>
> >>>> I'm wondering how to properly tackle this. Granting this on a
> >>>> per-domain level is probably not manageable, but granting
> >>>> this for all domains (through the "domain" attribute) might
> >>>> be overshooting.
> >>>>
> >>>> Are there specific risks that I should take into account when
> >>>> granting read access to sysctl_vm_t?
> >
> >> Is there no sysctl_vm_overcommit_t type for this in refpolicy
> >
> >> My concern is with associating this with "domain". I would like
> >> to associate as little rules as possible with type attribute for
> >> aforementioned reasons. (e.g. domain is mandatory attribute to
> >> associate with your process type you do not want to be in a
> >> position where you are forced to associate permissions with your
> >> type that you do not need)
> >
> >> What I would do, and what i do to some degree already in dssp,
> >> is
> >
> >> i would create various lower level client type attribute for
> >> various interpreters and glibs for example.
> >
> >> For example:
> >
> >> corecmd_shell_client_type will be associated with any process
> >> that executes a shell via corecmd_exec_shell()
> >
> >> rules like:
> >
> >> allow corecmd_shell_client_type self:fifo_file
> >> rw_fifo_file_perms;
> >> kernel_read_system_state(corecmd_shell_client_type)
> >
> >> will be associated.
> >
> >> So as soon as you call corecmd_shell_client_type, your process
> >> will already have rules common to executing a shell
> >
> > I meant:
> >
> > So as soon as you call corecmd_exec_shell(), your process will
> > already have rules common to executing a shell
>
> I suspect this is not a good choice. The concept for this access is
> multithreaded glibc-linked programs. Are there any multithreaded shells?
I must not have been clear since I believe you misunderstood my point
This is not about one this or another. It is about associating common
permissions.
So proc_vm_overcommit may be common to multithreaded glibc apps, but
kernel_read_system_state for example is common to shells.
So i am looking to this from the perspective of common rules (for
whatever reason they may be common)
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
- --
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQGcBAEBCgAGBQJWaZ7vAAoJENAR6kfG5xmcFv4L/1O7PJiIslAbT9yV8MEwAOn8
atxv4AHvdF5B5H+L0AVjqng11RUJssKMC+MQROUvwFk+CS6GmrGlI7USO+tSCmwl
Z3nK+y+3RyGItz3iOgC1JzaJWspRm4uv5bCRO+CsOQVLxGolxBs2yfFDRda2OHD4
Hxeij1IYa4BvLOMy+pOALk4BIsOOXBI4MJEPoigSB/Qt5WVprqm/WVk8doiSeqcb
QTl6uS3sENz7f2cIQiI2GOAelxDfeDAL1c+zDHOuPB0QAkCJ1rjasIPKwCfYnDrI
+vD/H2zKIa3ODHtKm6z3xHDqkiXdEHz1WW79otm2BreHEnpwkWoMFG2UPwKPmAUZ
jNQwg76Rz3MuJl5WuuZWyhi13DmzCiGLZiF5G6fFzVAbEVi953oFw4cYkQDfSd7D
k58gDO3mi4mJlB/6Nc6znu4Zj2JakusKdTZrDaMSoEnYGgBlV5tgXFrKn+JRMN9o
En8ZENdVVQ7SNeSi0m5EoVVWHEBlHFXekFiHyK/jxA==
=BHiO
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2015-12-10 15:49 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-21 12:15 [refpolicy] How to handle glibc-triggered behavior? Sven Vermeulen
2015-01-12 14:03 ` Christopher J. PeBenito
2015-04-03 13:47 ` Miroslav Grepl
2015-04-03 15:44 ` Dominick Grift
2015-12-10 14:59 ` Laurent Bigonville
2015-12-10 15:11 ` Dominick Grift
2015-12-10 15:13 ` Dominick Grift
2015-12-10 15:44 ` Christopher J. PeBenito
2015-12-10 15:49 ` Dominick Grift [this message]
2015-12-10 15:51 ` Dominick Grift
2015-12-10 15:20 ` Dominick Grift
2015-12-10 15:29 ` Dominick Grift
2015-12-10 15:40 ` Dominick Grift
2015-12-10 15:53 ` Christopher J. PeBenito
2015-12-10 15:56 ` Dominick Grift
2015-12-10 16:00 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151210154907.GF22216@x250 \
--to=dac.override@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.