From: David Howells <dhowells@redhat.com>
To: Serge Hallyn <serge.hallyn@canonical.com>
Cc: dhowells@redhat.com, eparis@redhat.com,
linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
Oleg Nesterov <oleg@redhat.com>,
casey@schaufler-ca.com
Subject: Re: [PATCH 0/9] Open loaders and interpreters with new creds during exec
Date: Sat, 30 Apr 2011 11:48:57 +0100 [thread overview]
Message-ID: <21766.1304160537@redhat.com> (raw)
In-Reply-To: <20110428200218.GB9186@hallyn.com>
Serge Hallyn <serge.hallyn@canonical.com> wrote:
> Did you mean to add
>
> chmod u+s /tmp/ls
>
> to the recipe above? If not, then I don't understand your point and think
> current behavior is right.
>
> If so, then I think what you say makes sense.
I did post a correction saying I'd forgotten to add that line.
> > (2) Conversely, if the loader is not executable by the uid to which an SUID
> > executable switches, should that execution succeed?
>
> The crux of the matter, then, is: do we consider the interpreter to be
> executed by the caller, or the new task?
I guess that's a good way of stating the case. I looked on it like this: The
interpreter, whether specified by a binary (eg. ELF's PT_INTERP) or a script
(eg. #!/bin/sh), is not specified by the user that called execve(), but is
rather built into the executable; indeed, the user may not be able to read the
executable and see what these details are (ie. they may only have execute
permission).
Of course, this may not apply to scripts, since we don't normally allow those
to effect SUID/SGID transitions. Should set-security-label transitions be
ignored on scripts too (which I think was one of the points Casey was taking
about)? Should the script interpreter simply reset the credentials to those
of the current user?
> I think what you're suggestion makes sense. I'd like to get input
> from someone like Roland or Oleg, though. Furthermore, while it
> seems to make sense, that does not mean that it'll be safe in a real
> system. Have you run LTP and some real workloads like WAS or
> Oracle to make sure there were no regressions?
I've run the SELinux test suite. That requires an extra rule or two to allow
its executables to access their loaders.
I'll look at running LTP too. I'm not sure what 'WAS' is[1], and I don't have
access to Oracle.
> (With that out of the way, I'll start looking at the patches under
> the assumption that the semantics are correct.)
Thanks!
David
[1] Things named 'WAS' are a bit tricky to Google for...
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2011-04-30 10:49 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-04-21 14:30 [PATCH 0/9] Open loaders and interpreters with new creds during exec David Howells
2011-04-21 14:30 ` [PATCH 1/9] TOMOYO: Fix tomoyo_dentry_open() to use the right creds David Howells
2011-04-21 14:30 ` [PATCH 2/9] TOMOYO: Derive the new domain for an exec'd process in tomoyo_bprm_set_creds() David Howells
2011-04-21 14:30 ` [PATCH 3/9] LSM: Permit commit_creds() to take a const pointer David Howells
2011-04-21 14:30 ` [PATCH 4/9] LSM: Make the linux_binfmt creds pointer const and pass creds to bprm_set_creds David Howells
2011-04-21 14:30 ` [PATCH 5/9] LSM: Install the new credentials earlier in the exec procedure David Howells
2011-04-21 14:31 ` [PATCH 6/9] LSM: Pass linux_binprm pointer to kernel_read() so creds are available David Howells
2011-04-21 14:31 ` [PATCH 7/9] LSM: Allow an LSM to indicate that it wants bprm->file reopening with new creds David Howells
2011-04-21 14:31 ` [PATCH 8/9] LSM: Pass linux_binprm pointer to open_exec() so creds are available David Howells
[not found] ` <201104220225.p3M2PjJR020777@www262.sakura.ne.jp>
2011-04-28 15:27 ` David Howells
2011-04-21 14:31 ` [PATCH 9/9] LSM: Use derived creds for accessing an executable's interpreter and binary loader David Howells
2011-04-21 16:12 ` [PATCH 0/9] Open loaders and interpreters with new creds during exec Stephen Smalley
2011-04-21 16:30 ` Daniel J Walsh
2011-04-21 17:32 ` Casey Schaufler
2011-04-21 18:13 ` David Howells
2011-04-21 18:53 ` David Howells
[not found] ` <20110428200218.GB9186@hallyn.com>
2011-04-30 10:48 ` David Howells [this message]
2011-05-02 13:28 ` Stephen Smalley
2011-05-04 12:12 ` David Howells
2011-05-04 13:15 ` David Howells
[not found] ` <20110504144558.GC917@mail.hallyn.com>
2011-05-04 16:27 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=21766.1304160537@redhat.com \
--to=dhowells@redhat.com \
--cc=casey@schaufler-ca.com \
--cc=eparis@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=selinux@tycho.nsa.gov \
--cc=serge.hallyn@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.