Re: Core dump

Re: Core dump

[Michael Sinz]

Peter Waltenberg wrote:
> 
> Whats to stop someone creating a process (or a nodename) with an inspired
> (tm) name, and trashing or overwriting system files ?
> 
>      %P      The Process ID (current->pid)
>         %U      The UID of the process (current->uid)
>         %N      The command name of the process (current->comm)
>         %H      The nodename of the system (system_utsname.nodename)
>         %%      A "%"
> 
> The flexibility is nice, but can you PROVE it doesn't have holes like that
> ?

Actually - yes.

First, I can not prevent some system admin from making the core pattern
a bad pattern.  For example, a pattern of /usr/bin/%N would be a bad thing (tm)

However, as long as the system admin (who is the person who can set the pattern)
does not do that, the code prevents a rouge name (hostname or command name)
from causing problems.

(I prevent the use of "/" in either the hostname or command name, for example)

I have tried most everything I could think of.  And, since the host name is
usually not setable by non-root, it makes it even less likely.

In fact, with a pattern like /corefiles/%H-%N-%P.core, there is even less
likelyhood that a coredump can cause problems since I can make the /corefiles
partition its own location and thus coredumps will not write to the key
filesystem.

BTW - both FreeBSD and OpenBSD have a simular format (I took my insperation
from FreeBSD, which I always liked better since the default there is %N.core)

> Just about everything we've had with variable logfile names has had holes
> like that. Samba is one of the more recent examples.

The key is to filter certain characters.  Mostly the '/' in any of the
variables.

However, there is always the problem of someone with root access making
a bad setting in the sysctl.  But then, if they have root, they don't
need to set some sysctl in order to cause damage.

-- 
Michael Sinz ---- Worldgate Communications ---- msinz@wgate.com
A master's secrets are only as good as
	the master's ability to explain them to others.

core dump

[Stefanos Harhalakis]

I had this issue today:

# semodule -i logging.pp 
Segmentation fault (core dumped)

I traced this a bit and it seems that this is because of libsepol. 
The core dump is the result of lines 602:603 of link.c:

(gdb) bt
#0  0xb7f732fd in sens_copy_callback (key=0x848c2a0 "s15", datum=0x848c290, data=0xbfde3854) at link.c:602
#1  0xb7f6f8a1 in hashtab_map (h=0x846cbf0, apply=0xb7f731d1 <sens_copy_callback>, args=0xbfde3854) at hashtab.c:214
#2  0xb7f75528 in copy_identifiers (state=0xbfde3854, src_symtab=0x843cc74, dest_decl=0x0) at link.c:1323
#3  0xb7f77c72 in link_modules (handle=0x804c710, b=0x80525b8, mods=0x863ce18, len=19, verbose=0) at link.c:2178
#4  0xb7f7a2c9 in sepol_link_packages (handle=0x804c710, base=0x8053060, modules=0x80543c8, num_modules=19, verbose=0) at module.c:302

Where:

(gdb) l
597                                 state->cur_mod_name);
598                             return -SEPOL_LINK_NOTSUP;
599                     }
600             }
601     
602             state->cur->map[SYM_LEVELS][level->level->sens - 1] =
603                 base_level->level->sens;
604     
605             return 0;
606     }

Because of:

(gdb) p base_level
$1 = (level_datum_t *) 0x0

The last 'if' checks for !base_level, but inside the 'if' block, only 
!scope and scope->scope==SCOPE_DECL are checked.

This core dump is caused by:

(gdb) p scope->scope
$2 = 1

Which is noted as:

/* Required for this decl */
#define SCOPE_REQ  1

in libsepol/include/sepol/policydb/policydb.h

Hope this helps...

<<V13>>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: core dump

[Stephen Smalley]

On Tue, 2007-02-06 at 04:12 +0200, Stefanos Harhalakis wrote:
> I had this issue today:
> 
> # semodule -i logging.pp 
> Segmentation fault (core dumped)
> 
> I traced this a bit and it seems that this is because of libsepol. 
> The core dump is the result of lines 602:603 of link.c:
> 
> (gdb) bt
> #0  0xb7f732fd in sens_copy_callback (key=0x848c2a0 "s15", datum=0x848c290, data=0xbfde3854) at link.c:602
> #1  0xb7f6f8a1 in hashtab_map (h=0x846cbf0, apply=0xb7f731d1 <sens_copy_callback>, args=0xbfde3854) at hashtab.c:214
> #2  0xb7f75528 in copy_identifiers (state=0xbfde3854, src_symtab=0x843cc74, dest_decl=0x0) at link.c:1323
> #3  0xb7f77c72 in link_modules (handle=0x804c710, b=0x80525b8, mods=0x863ce18, len=19, verbose=0) at link.c:2178
> #4  0xb7f7a2c9 in sepol_link_packages (handle=0x804c710, base=0x8053060, modules=0x80543c8, num_modules=19, verbose=0) at module.c:302
> 
> Where:
> 
> (gdb) l
> 597                                 state->cur_mod_name);
> 598                             return -SEPOL_LINK_NOTSUP;
> 599                     }
> 600             }
> 601     
> 602             state->cur->map[SYM_LEVELS][level->level->sens - 1] =
> 603                 base_level->level->sens;
> 604     
> 605             return 0;
> 606     }
> 
> Because of:
> 
> (gdb) p base_level
> $1 = (level_datum_t *) 0x0
> 
> The last 'if' checks for !base_level, but inside the 'if' block, only 
> !scope and scope->scope==SCOPE_DECL are checked.
> 
> This core dump is caused by:
> 
> (gdb) p scope->scope
> $2 = 1
> 
> Which is noted as:
> 
> /* Required for this decl */
> #define SCOPE_REQ  1
> 
> in libsepol/include/sepol/policydb/policydb.h
> 
> Hope this helps...

Looks like your logging.pp policy module has a requires on sensitivity
s15 but your base module doesn't declare it.  Naturally, that should
show up as an unfulfilled requirement rather than a seg fault.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.